Security news that informs and inspires

Scanning for Active IPv6 Hosts With UPnP


Security researchers and enterprise defenders have many Internet-wide scanning tools at their disposal, but none of these tools can see the growing number of devices coming online with IPv6 addresses. As more and more devices connect with IPv6, researchers are developing new techniques capable of finding these hosts.

For enterprise defenders, these search tools provide the critical visibility they need to understand what parts of their infrastructure are directly accessible from the Internet and what kind of information is visible to others. Researchers were able to raise awareness of database misconfiguration issues that plague accessible MongoDB instances by looking for exposed systems using these tools, for example. The fact that current Internet mapping tools scan just the IPv4 address space—IP addresses that follow the familiar pattern—means defenders have a small, but growing, blind spot regarding their infrastructure.

Researchers from Cisco Talos have developed a technique using the Universal Plug and Play (UPnP) protocol to unmask IPv6 hosts. UPnP is a protocol designed for network discovery, and even though it is not intended to be used outside the local network, researchers have found that many devices expose these ports openly to the Internet.

“With the greater adoption of IPv6, this threatens to hide an ever larger number of hosts in future internet surveys,” wrote Talos researchers Martin Zeiser and Aleksandar Nikolich. “This is especially critical as a growing number of unsecured internet-of-things devices come online.”

IPv6 Blind Spot

Similar to how search engines index content to help people find information on the Internet, scanning platforms collect information about Internet-connected devices and networks. Instead of websites and code repositories, these scanners ask every possible IP address if there’s a machine associated with that address—for example, computers, smart devices, printers, and IP cameras—and collect the information provided by the machine—such as operating system version and manufacturer name.

Current mapping tools can handle the entire IPv4 address space because the number of potential IP addresses—over 4 trillion—means a full scan is possible in a “matter of hours,” Zeiser and Nikolich said. Compare that to the much larger IPv6 address space, with over 460 undecillion addresses (that is a 340 followed by 36 zeros), most of which is unused. Running exhaustive scans would require checking every potential IPv6 address on a regular basis to see if there is a machine with that address and collecting available information.

“Enumerating all active hosts by scanning all of this address space is practically, and theoretically, infeasible,” Zeiser and Nikolich said.

Many machines are assigned both IPv4 and IPv6 addresses, and a growing number of devices are online with just IPv6 addresses. Enterprise defenders don’t have a good sense of which devices with IPv6 addresses are directly accessible from the Internet. The assumption is that if the address space is too big for the defenders to monitor, then it is also too big (and too costly) for attackers to find machines that can be targeted.

There are different projects tackling the challenge of identifying machines with IPv6 addresses. Shodan uses the Network Time Protocol (NTP) to get hosts to reveal their IPv6 addresses, and the IPv6 Farm uses the Domain Name System (DNS) and DNSSEC to uncover active hosts. IPv6Hitlist aggregates information from sources such as forward DNS lookups, certificate transparency logs, and RIPE Atlas to create a daily list of actives IPv6 hosts and networks. ve scans against IPv4 address counterparts.

Use IPv4 to Find IPv6

Talos researchers used UPnP to uncover dual-homed hosts—machines with both IPv4 and IPv6 addresses. While the resulting dataset was “relatively small in magnitude,” this technique found “mostly end-user, client-side, consumer devices that are largely not covered in previously published datasets,” Zeiser and Nikolich said. The researchers compared the list of machines they found with the list aggregated by IPv6 Hitlist and found less than 0.1 percent of overlap, indicating this was “a unique subset of active IPv6 devices which were so far unexplored.”

The technique relied on two steps: sending UPnP Notify packets to every IPv4 address to find the associated IPv6 address and performing full port scans on the pairs to compare the information obtained for both IPv4 and IPv6 addresses. When a new device connects to a network, it announces its presence and capabilities by sending a UPnP Notify packet to a multicast address. This property can be used to get any device that supports UPnP and Simple Service Discovery Protocol (SSDP) to visit the URL specified in the packet’s Location header.

The researchers sent a Notify packet with a URL containing an IPv6 address to IPv4 addresses. If the host had UPnP open and also had IPv6 connectivity, it would connect to that researcher-provided URL and reveal itself. For this technique to work, the machine would have to have both IPv4 and IPv6 addresses, have UDP port 1900 open, needs to be able to accept and parse the UPnP packet to find the specified URL, and allow outgoing traffic to the HTTP port. It’s a lot of conditions, but many client machines now use both addreses, and many devices on the Internet expose the UPnP port, 1900 UDP by default.

Researchers conducted these scans multiple times over the course of two months and logged 12,000 unique IPv6 addresses each time. Since the number of IPv4/IPv6 pairs they uncovered was “manageable,” the researchers used the nmap tool to scan for the top 100 most popular ports.

“There are thousands of devices on the internet whose owners aren't aware of their IPv6 connectivity,” the researchers wrote.

This technique relies on a "pretty grave misconfiguration of UPnP," said Tod Beardsley, a security researcher at Rapid7. Using UPnP willl "catch those IPv6 devices that already live in a shady internet neighborhood," Beardsley said.

Accidental Exposure

The researchers assumed that the hosts would have proper filtering and all important ports firewalled on the IPv4 side, but not on the IPv6 side. Many enterprises put their local network behind NAT (network address translation) so only one IP address (IPv4) is exposed to the Internet. However, the nature of IPv6 protocol is that the address is public, so machines that was intended to not be accessible directly from the Internet now can be.

The researchers found that 3 percent of hosts had more open ports on the IPv6 side compared to IPv4. This unintended connectivity can potentially expose sensitive data and services such as SMB network shares, FTP, and HTTP servers. Enterprise defenders need to make sure their systems have the same level of firewalling and filtering on both IPv4 and IPv6 addresses.

“With a growing number of connected IPv6 hosts, even though they cannot be directly and exhaustively enumerated, higher exposure through public addresses means that poorly configured and maintained devices that are usually hidden behind NAT in private IPv4 space can and will be abused by employing techniques to actively uncover them,” Zeiser and Nikolich wrote.