Difference between revisions of "IPv6 Security: Audit Security"

From OnnoWiki
Jump to navigation Jump to search
Line 28: Line 28:
 
==Security auditing menggunakan nmap IPv6-enabled==
 
==Security auditing menggunakan nmap IPv6-enabled==
  
NMap, salah satu portscaner terbaik di dunia, mendukung IPv6 sejak versi 3.10ALPHA1.  Instalasi dapat menggunakan perintah
+
NMap, salah satu portscaner terbaik di dunia, mendukung IPv6 sejak versi 3.10ALPHA1.  Instalasi dapat menggunakan perintah
  
  # apt-get install nmap
+
  apt update
 +
apt install nmap
  
Contoh penggunaan:  
+
Contoh penggunaan:  
  
  # nmap -6 -sS -v -Pn 2001:470:36:ab6:6847:8077:6bc1:4b2b
+
  nmap -6 -sS -v -Pn 2345::1
  
Hasilnya kira-kira:
+
Hasil-nya kira-kira
  
  Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-04 14:14 WIB  
+
  Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-15 11:28 WIB
  Initiating ND Ping Scan at 14:14
+
  Initiating ND Ping Scan at 11:28
  Scanning 2001:470:36:ab6:6847:8077:6bc1:4b2b [1 port]  
+
  Scanning 2345::1 [1 port]
  Completed ND Ping Scan at 14:14, 0.21s elapsed (1 total hosts)  
+
  Completed ND Ping Scan at 11:28, 0.20s elapsed (1 total hosts)
  Initiating System DNS resolution of 1 host. at 14:14
+
  Initiating Parallel DNS resolution of 1 host. at 11:28
  Completed System DNS resolution of 1 host. at 14:15, 2.43s elapsed  
+
  Completed Parallel DNS resolution of 1 host. at 11:28, 0.00s elapsed
  Initiating SYN Stealth Scan at 14:15
+
  Initiating SYN Stealth Scan at 11:28
  Scanning 2001:470:36:ab6:6847:8077:6bc1:4b2b [1000 ports]  
+
  Scanning 2345::1 [1000 ports]
  Discovered open port 80/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b
+
  Discovered open port 443/tcp on 2345::1
  Discovered open port 139/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b
+
Discovered open port 25/tcp on 2345::1
  Discovered open port 445/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b
+
Discovered open port 53/tcp on 2345::1
  Discovered open port 22/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b
+
  Discovered open port 143/tcp on 2345::1
  Discovered open port 873/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b
+
Discovered open port 21/tcp on 2345::1
  Completed SYN Stealth Scan at 14:15, 2.88s elapsed (1000 total ports)  
+
Discovered open port 22/tcp on 2345::1
  Nmap scan report for 2001:470:36:ab6:6847:8077:6bc1:4b2b
+
  Discovered open port 445/tcp on 2345::1
  Host is up (0.0027s latency).  
+
Discovered open port 80/tcp on 2345::1
  Not shown: 995 closed ports  
+
  Discovered open port 139/tcp on 2345::1
  PORT    STATE SERVICE  
+
  Discovered open port 110/tcp on 2345::1
  22/tcp  open  ssh  
+
  Completed SYN Stealth Scan at 11:28, 3.06s elapsed (1000 total ports)
  80/tcp  open  http  
+
  Nmap scan report for 2345::1
  139/tcp open  netbios-ssn  
+
  Host is up (0.00028s latency).
  445/tcp open  microsoft-ds
+
  Not shown: 990 closed ports
  873/tcp open  rsync
+
  PORT    STATE SERVICE
  MAC Address: 60:A4:4C:75:A6:A0 (Asustek Computer)  
+
21/tcp  open  ftp
 +
  22/tcp  open  ssh
 +
25/tcp  open  smtp
 +
53/tcp  open  domain
 +
  80/tcp  open  http
 +
110/tcp open  pop3
 +
  139/tcp open  netbios-ssn
 +
  143/tcp open  imap
 +
443/tcp open  https
 +
  445/tcp open  microsoft-ds
 +
  MAC Address: 08:00:27:13:AF:DF (Oracle VirtualBox virtual NIC)
 
   
 
   
  Read data files from: /usr/bin/../share/nmap  
+
  Read data files from: /usr/bin/../share/nmap
  Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds  
+
  Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
             Raw packets sent: 1209 (77.384KB) | Rcvd: 1017 (61.076KB)
+
             Raw packets sent: 1030 (65.928KB) | Rcvd: 1030 (61.856KB)
  
 
==Security auditing menggunakan strobe IPv6-enabled==
 
==Security auditing menggunakan strobe IPv6-enabled==

Revision as of 11:29, 15 February 2019

Fasilitas / tool untuk melakukan security audit pada jaringan IPv6 masih terus di kembangkan. Tool yang ada memang belum sebaik yang tersedia di IPv4.


Masalah Hukum / Legal

PERHATIAN: berhati-hati saat melakukan scan ke sistem yang kita gunakan, jika tidak mungkin kita akan terkena masalah hukum. CEK tujuan IPv6 address DUA KALI sebelum melakukan scan.


Audit Security Menggunakan netcat yang IPv6

Dengan menggunakan netcat IPv6-enabled kita dapat menjalankan portscan dengan membungkusnya dengan script dan melakukannya pada range port tertentu, untuk menangkap banner dll.

Contoh penggunaan: 

# apt-get install netcat6

Jika anda mempunyai server daytime di localhost, dapat melakukan scan: 

# nc6 ::1 daytime 
13 JUL 2002 11:22:22 CEST

Contoh lain jika kita mempunyai server, misalnya SMTP (port 25), maka 

# nc6 ::1 25 
220 axioo ESMTP Postfix (Ubuntu)

Security auditing menggunakan nmap IPv6-enabled

NMap, salah satu portscaner terbaik di dunia, mendukung IPv6 sejak versi 3.10ALPHA1. Instalasi dapat menggunakan perintah 

apt update
apt install nmap

Contoh penggunaan: 

nmap -6 -sS -v -Pn 2345::1

Hasil-nya kira-kira 

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-15 11:28 WIB
Initiating ND Ping Scan at 11:28
Scanning 2345::1 [1 port]
Completed ND Ping Scan at 11:28, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:28
Completed Parallel DNS resolution of 1 host. at 11:28, 0.00s elapsed
Initiating SYN Stealth Scan at 11:28
Scanning 2345::1 [1000 ports]
Discovered open port 443/tcp on 2345::1
Discovered open port 25/tcp on 2345::1
Discovered open port 53/tcp on 2345::1
Discovered open port 143/tcp on 2345::1
Discovered open port 21/tcp on 2345::1
Discovered open port 22/tcp on 2345::1
Discovered open port 445/tcp on 2345::1
Discovered open port 80/tcp on 2345::1
Discovered open port 139/tcp on 2345::1
Discovered open port 110/tcp on 2345::1
Completed SYN Stealth Scan at 11:28, 3.06s elapsed (1000 total ports)
Nmap scan report for 2345::1
Host is up (0.00028s latency).
Not shown: 990 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
443/tcp open  https
445/tcp open  microsoft-ds
MAC Address: 08:00:27:13:AF:DF (Oracle VirtualBox virtual NIC)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
           Raw packets sent: 1030 (65.928KB) | Rcvd: 1030 (61.856KB)

Security auditing menggunakan strobe IPv6-enabled

Strobe (dibandingkan dengan NMap) merupakan portscanner low budget, tetapi ada patch untuk mengaktifkan IPv6. Pada masa lalu Strobe (dan trafshow,netwatch,statnet,tcpspray,tcpblast) dapat di install melalui 

apt install netdiag

Contoh penggunaan: 

# ./strobe ::1

Hasilnya kira-kira: 

strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>. 
::1 2401 unassigned unknown 
::1 22 ssh Secure Shell - RSA encrypted rsh 
::1 515 printer spooler (lpd) 
::1 6010 unassigned unknown 
::1 53 domain Domain Name Server

Catatan: tampaknya strobe tidak di kembangkan lebih lanjut.

Hasil Audit

Jika hasil audit ternyata tidak cocok dengan kebijakan keamanan IPv6, gunakan firewall IPv6 untuk menutup lubang yang ada, misalnya, menggunakan netfilter6 atau ufw.

Informasi tambahan: Lebih detail tentang IPv6 Security dapat di peroleh disini:

  • IETF drafts - IPv6 Operations (v6ops)
  • RFC 3964 / Security Considerations for 6to4

Pranala Menarik

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=IPv6_Security:_Audit_Security&oldid=55312"