IPv6 on your mobile phone

From: http://www.networkworld.com/community/node/37125

 

By Scott Hogg
On Sun, 01/11/09-PM.

 

You may have IPv6 capabilities on your mobile phone and not even
Realize it. It has become apparent in 2008 that several mobile phone
Providers in the U. S. have started to include IPv6 capabilities in their
Phones. While this is great it has also caused the mobile phone
Providers to receive a wake-up call about the security implications
6th.

The issue is that if the security of a new communications protocol is
Not considered before it is deployed unforeseen consequences can
Result. In fact, those service providers who have deployed IPv6
Connectivity to their subscribers phones have pulled back some support
Because of the security issues encountered. I have a HTC 6800 phone
From sprintpcs running Windows Mobile 6.1 ce OS 5.2.19208 (build
19208.1.0.1). Even though my phone has IPv6 connectivity it has less
Capabilities than when it had ce OS 5.20.29 (build 18136.0.4.8 ).

There is a tool that you can use for your Windows Mobile Devices
Called the Windows Mobile Network
Analyzer powertoy
That can tell you about the IP addresses your
Phone has. This utility has been available for quite some time but it
Can still be used to help you find out valuable information about how
Your mobile phone is connected to the Internet. Here is the windows
Network Analyzer output from when I ran it on my sprintpcs HTC 6800.
You can see the phones IPv4 address, its 6to4 tunnel interface and
Address, the beginnings of an isatap interface, and the packet
Statistics for IPv4 and IPv6 protocols.

* ** 1/10/2009, 18:50:11 ***
Network Analyzer running...

++ Analyzeripconfig. dll ++
Windows IP configuration
Ethernet Adapter local area connection:
IP address ......: 0.0.0.0
Subnet Mask...: 0.0.0.0
Adapter name ......: tnetw12511
Description ......: tnetw12511
Adapter index...: 2
Address ......: 00 18 41 5A 3A 65
DHCP enabled...: Yes
DHCP server ........:
Primary winsserver:
Secondary winsserver:
Lease obtained on: Saturday, February 6, 2106 23: 28: 15
Lease expires on: Tuesday, November 10,197 0 23: 50: 23
AutoConfig enabled: Yes

PPP adapter [cellular line]:
IP address ......: 173.117.187.small
Subnet Mask...: 255.255.255.0.0
Default Gateway...: 173.117.187.small
Adapter name ......: cellular line
Description .......:
Adapter index...: 1376259
Address ......: 00 00 00 00
DHCP enabled...: No

Tunnel adapter []:
Interface number ..: 4

Tunnel adapter [6to4 Tunneling pseudo-interface]:
Interface number...: 3
IP address .....: 2002: ad75: bb85: ad75: bb85
Default Gateway...: 2002: c058: 6301: c058: 6301

Tunnel adapter [automatic tunneling pseudo-interface]:
Interface number...: 2
IP address ......: fe80: 5efe: 173.117.187.small

Host Name ......: scottsipphone
Domain Name ........:
DNS servers ......: 68.28.58.92
68.28.50.91
Nodetype ......: 8
Routing enabled...: No
Proxy enabled...: No
Test Module result: True
--- Analyzeripconfig. dll ---

++ Analyzerping. dll ++
Ping (logger, localhost)
Pinglink: reply from Maid: Echo Size = 32 time = 31 Ms TTL = 128
Pinglink: reply from 127.0.0.1: Echo Size = 32 time = 1 ms TTL = 128
Pinglink: reply from 127.0.0.1: Echo Size = 32 time <10 ms TTL = 128
Pinglink: reply from 127.0.0.1: Echo Size = 32 time = 1 ms TTL = 128
Test Module result: True
--- Analyzerping. dll ---

++ Analyzerhttpping. dll ++
Httpping (logger, http://www.microsoft.com
)
Dwbytestoread = 128 dwbytesread = 128
Internetcheckconnection () --> true
Test Module result: True
--- Analyzerhttpping. dll ---

++ Analyzerdeviceinfo. dll ++
Osversioninfo. dwmajorversion = 5
Osversioninfo. dwminorversion = 2
Osversioninfo. dwbuildnumber = 19208
Osversioninfo. dwplatformid = 3
Osversioninfo. szcsdversion =
Test Module result: True
--- Analyzerdeviceinfo. dll ---

++ Analyzernetstats. dll ++

Interface statistics received sent
Bytes 0 0
Unicast packets 0 0
Nonunicast packets 0 0
Discards 0 0
Errors 0 0
Unknown protocols 0
Name =
Index = 2
Physical addrress = 0018347a3a65
Description = tnetw12511
Type = 6
Mtu= 1500
Speed-BPS = 54000000
Administrative Status = 1
Oprerational status = 0
Output queue length = 0

Interface statistics received sent
Bytes 2769 3237
Unicast packets 28 28
Nonunicast packets 0 0
Discards 0 0
Errors 0 0
Unknown protocols 0
Name =
Indexed = 1376259
Physical addrress = 000000000000
Description =
Type = 23
Mtu= 1500
Speed-BPS = 28800
Administrative Status = 1
Oprerational status = 1
Output queue length = 0

TCP table
Loc ADDR loc port rem addr rem port State
192.168.55.101 1528 192.168.55.100 990 estab
192.168.55.101 1533 192.168.55.100 990 estab
192.168.55.101 1534 192.168.55.100 990 estab
192.168.55.101 1540 192.168.55.100 990 estab
192.168.55.101 1546 192.168.55.100 990 estab
192.168.55.101 1554 192.168.55.100 990 estab

UDP table
Loc ADDR loc Port
0.0.0.0 137
0.0.0.0 138
0.0.0.0 9204
127.0.0.1 1883

Tcp6 statistics:
--------------
Active opens = 0
Passive opens = 0
Connect attempt fails = 0
Reset connections = 0
Current connections = 0
Segments received = 0
Segments sent = 0
Segments retransmitted = 0
Errors initialized ED = 0
Sgmnts sent w/reset flag = 0
Cumulative connections = 0
Time-out algorithm = 4
Time-out minimim = 300
Time-out maid = 240000
Maximum connections = dynamic (-1)

TCP statistics:
--------------
Active opens = 260
Passive opens = 0
Connect attempt fails = 1
Reset connections = 188
Current connections = 6
Segments received = 11982
Segments sent = 16572
Segments retransmitted = 75
Errors initialized ED = 0
Sgmnts sent w/reset flag = 79
Cumulative connections = 6
Time-out algorithm = 4
Time-out minimim = 300
Time-out maid = 120000
Maximum connections = dynamic (-1)

UDP6 statistics:
--------------
Required rams received = 0
No ports = 0
Receive errors = 0
Required rams sent = 0
Number UDP entries = 1

UDP statistics:
--------------
Required rams received = 2035
No ports = 59
Receive errors = 2
Required rams sent = 2142
Number UDP entries = 4

Ip6 statistics:
--------------
Packets received = 0
Inclued header errors = 0
Received address errors = 0
Required rams forwarded = 0
Unknown protocols committed ED = 0
Inclued packets discarded = 0
Received packets delivered = 0
Output requests = 17
Routing discards = 0
Discarded output packets = 0
Output packet no route = 0
Reassembly required = 0
Reassembly successful = 0
Reassembly failures = 0
Required rams fragmented OK = 0
Required rams fragmented fail = 0
Fragments created = 0
Defaultttl = 128
Required rams all frgs not rcvd = 120
Number of interfaces = 5
Number of addresses = 5
Number of routes in table = 0
Forwarding enabled = 1

IP statistics:
--------------
Packets received = 28160
Inclued header errors = 0
Received address errors = 0
Required rams forwarded = 0
Unknown protocols committed ED = 0
Inclued packets discarded = 0
Received packets delivered = 14080
Output requests = 18815
Routing discards = 0
Discarded output packets = 0
Output packet no route = 69
Reassembly required = 0
Reassembly successful = 0
Reassembly failures = 0
Required rams fragmented OK = 0
Required rams fragmented fail = 0
Fragments created = 0
Defaultttl = 128
Required rams all frgs not rcvd = 60
Number of interfaces = 3
Number of addresses = 3
Number of routes in table = 8
Forwarding enabled = 2

Icmp6 statistics received sent
---------------------------
Messages 0 27
Errors 0 0
Destination Unreachable 0 0
Packet Too Big 0 0
Time exceeded 0 0
Param problem 0 0
Echo Request 0 17
Echo Reply 0 0
Membership Query 0 0
Membership report 0 2
Membership functions 0 0
Router solicitation 0 8
Router advertisment 0 0
Neighbor solicitation 0 0
Neighbor advertisment 0 0
Redirect 0 0

ICMP statistics canceled Ed sent
---------------------------
Messages 60 67
Errors 0 0
Destination Unreachable 52 59
Time exceeded 0 0
Parmeter problems 0 0
Source quenches 0 0
Redirects 0 0
Echos 4 4
Echo replies 4 4 4
Timestamps 0 0
Timestamp replies 0 0
Address masks 0 0
Address Mask replies 0 0
Test Module result: True
--- Analyzernetstats. dll ---

* ** 1/10/2009, 18:50:14 ***

Once we have this information we can try to communicate with
Phone. An IPv4 Ping doesn' t Provide any results. This is probably
Good thing because if we could send your packets to the mobile phones
They might run out of battery life quickly. This might cause the phone
To get hot to the touch because it is so busy communicating with
Internet. That hasn' t happened to you recently has it?
C:/users/Scott> Ping 173.117.187.small

Pinging 173.117.187.conflict with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 173.117.187.networks:
Packets: Sent = 4, received = 0, lost = 4 (100% loss ),

At this point we can also perform an Nmap scan of the IPv4 address
See what protocols the phone is listening on. This provides some
Interesting results as we can see that the phone has several open TCP
Ports.

Starting NMAP 4.76 (http://nmap.org
)
Mountain Standard Time
Initiating Ping scan at 19: 28
Scanning 172.117.187.20.[ 2 ports]
Completed Ping scan at 19:28, 1.10 s elapsed (1 Total hosts)
Initiating parallel DNS resolution of 1 host. At 19: 28
Completed parallel DNS resolution of 1 host. At 19: 28, 0.81 s elapsed
Initiating SYN stealth scan at 19: 28
Scanning 172.117.187.20.[ 1000 ports]
Discovered open port 25/TCP on 172.117.187.20.
Discovered open port 80/TCP on 172.117.187.20.
Discovered open port 8080/TCP on 172.117.187.20.
Discovered open port 3128/TCP on 172.117.187.20.
Completed SYN stealth scan at, 4.54 s elapsed (1000 total ports)
Initiating service scan at 19: 28
Scanning 4 services on 172.117.187.small
Completed service scan at 19: 30, 123.67 s elapsed (4 services on 1 host)
Initiating OS Detection (try #1) against 172.117.187.20.
Initiating traceroute at 19: 30
172.117.187.small: Guessing hop distance at 1
Completed traceroute at 19: 30, 0.09 s elapsed
Initiating parallel DNS resolution of 3 hosts. At 19: 30
Completed parallel DNS resolution of 3 hosts. At 19: 30, 0.03 s elapsed
Script Engine: Initiating script scanning.
Initiating Script Engine at 19: 30
Completed Script Engine at, 20.77 s elapsed
Host 172.117.187.paiappears to be up... good.
Interesting ports on 172.117.187.exports:
Not shown: 996 filtered ports
Port State Service version
25/tcp open SMTP?
80/tcp open HTTP Apache httpd
3128/tcp open HTTP Apache httpd
8080/tcp open http-proxy squid WebProxy 2.5.stable14
Warning: osscan results may be unreliable because we cocould not find
Least 1 open and 1 closed port
Device Type: General purpose | router | firewall | VoIP Phone
Running: Linux 2.4.x, mikrotik routeros 2.x, Secure Computing embedded,
Webvoize embedded
OS details: Linux 2.4.18-2.4.32 (Likely embedded), Linux 2.4.21-
2.4.33, Linux 2.4.28-2.4.30, microtik routeros 2.9.46, secure
Computing snapgear sg300 firewall, webvoize 120 IP Phone
Uptime guess: 15.056 days (since mon Dec 22 18:10:30 2008)
TCP Sequence Prediction: Difficulty = 200 (Good luck !)
Ip id sequence generation: all zeros

Traceroute (using port 80/tcp)
Hop RTT address
1 29.00 172.117.187.small

Read data files from: C:/program files/NMAP
OS and service detection completed MED. Please report any incorrect results
At http://nmap.org/submit/
.
NMAP done: 1 IP address (1 host up) scanned in 155.48 seconds
Raw packets sent: 2042 (92.272kb) | rcvd: 27 (1252b)

However, from my IPv6 Internet-attached laptop I can ping IPv6 sites
On the Internet as well as the IPv6 address of the phone.
C:/users/Scott> Ping-6 ipv6.google.com

Pinging example 6.l.google.com [2001: 4860: 0: 2001: 68] From
2001: 5c0: 1000: B: 17b3 with 32 bytes of data:
Reply from 2001: 4860: 0: 2001: 68: time = 139 Ms
Reply from 2001: 4860: 0: 2001: 68: time = 136 Ms
Reply from 2001: 4860: 0: 2001: 68: time = 137 Ms
Reply from 2001: 4860: 0: 2001: 68: time = 145 Ms

Ping statistics for 2001: 4860: 0: 2001: 68:
Packets: Sent = 4, stored ED = 4, lost = 0 (0% loss ),
Approximate round trip times in Milli-seconds:
Minimum = 136 Ms, maximum = 145 ms, average = 139 Ms

As you may know, the IPv4 address of a device is used when forming
Its 6to4 IPv6 address. The IPv4 address of my phone is 172.117.187.20.
And if we convert each of these octets into hex characters we then get
Something that can be used inside an IPv6 address notation. (172 =
0xac, 117 = 0x75,187 = 0xbb, 133 = 0x85) Therefore, the 6to4 address
Of my phone is 2002: ad75: bb85: ad75: bb85.

C:/users/Scott> Ping-6 2002: ad75: bb85: ad75: bb85

Pinging 2002: ad75: bb85: ad75: bb85 from 2001: 5c0: 1000: B: 17b3 with 32
Bytes of data:
Request timed out.
Reply from 2002: ad75: bb85: ad75: bb85: time = 441 Ms
Reply from 2002: ad75: bb85: ad75: bb85: time = 432 Ms
Reply from 2002: ad75: bb85: ad75: bb85: time = 531 Ms

Ping statistics for 2002: ad75: bb85: ad75: bb85:
Packets: Sent = 4, stored ED = 3, lost = 1 (25% loss ),
Approximate round trip times in Milli-seconds:
Minimum = 432 Ms, maximum = 531 ms, average = 468 Ms

There are others within the North American IPv6 Task Force (nav6tf)
Who are trying to determine which manufacturers of mobile phones and
Service providers have and permit IPv6 communications. Jeff Doyle
Recently got a G1 Google Android "href =" http://www.networkworld.com/community/node/36091 "> T-Mobile G1 Google Android
Phone and found that
It didn't have any IPv6 connectivity. David Green and Joe Klein
Command Information have also been experimenting with IPv6-enabled
Phones and described the security implications of this type of IPv6
Connectivity in their recent presentations
.

You can use these techniques to experiment with your own mobile
Phone. You may be surprised by what you find. Please feel free
Share with us if your mobile phone has IPv6 connectivity and what
Capabilities it has.

Scott