good post on disabling ipv6 https://infosec.exchange/@IvyMike/110164662305086035 (and security implications thereof)
followup post https://utcc.utoronto.ca/~cks/space/blog/sysadmin/IPv6OurPassiveExposure
i never thought about this
ipv6 doesn't just go away because you aren't using it
it seems like the sort of thing that not only will come up, it already has
I have used this in real life
do tell
simple as really, web server had restricted outbound v4, only incoming connections via the gateway would make it through on v4 land, so outbound connections from the web server out to the interwebz would be denied, firewall was cisco or juniper or one of those
anyways, they were only filtering v4 outbound and didn't have any rules other than ALLOW for v6... naturally we have v6 infra for this exact occasion
and they weren't logging it either
how did you get it to make an outbound connection for you?
v6 destination would make it out of the network from the web application server but not a v4 destination
we found eventually that they were only filtering tcp and UDP on v4 too, so you could sctp outbound over v4 if you wanted with no restrictions but that was logged
were able to exfil a bunch of db creds without being seen because they weren't looking at v6 at all
but yeah this has been a known weakness on networks for years, sometimes hosts are configured to allow all on ipv6 but filter for v4 too, so you can scan a host over v4 and you get like port 80 and 443, but you scan it over v6 and you find whatever else they're running, admin interfaces, remoting of all kinds.. you can imagine
v6 and v4 discrepancy is not that common to be honest, coz network admins have caught on to it and fully disabled v6 where it wasn't being used, and configured their firewalls and EDR for it where it is used, maybe half a decade ago this would have been rife for fun.
Can't comment on logging discrepancies tho as that's more of a black box, as I rarely get a look on the blue team side unless I end up taking over their infrastructure of course it's mentioned in reports, but blue team infra is not usually a target of a red team engagement and it's way out of scope for my usual pentests