Re: Gsoc 2011 idea about IPv6
From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Mar 2011 22:56:03 -0700
On Tue, Mar 29, 2011 at 10:01:12PM +0800, Xu Weilin wrote:
Thank you for your guidance. I have learnt notes.txt from SVN and read the
given papers carefully. I would like to express my ideas here before writing
the formal proposal.
1. OS Detection on IPv6
Nerakis's thesis has shown that the existing IPv4 test methods, such as port
scanning and TCP and UDP fingerprinting, can be reused effectively in an IPv6
environment. Besides, Nerakis's thesis also mentioned the IPv6 extension
header based methods, though they are not as effective as the TCP/UDP based
ones. Note that this work on IPv6 extension headers was done 5 years ago and
was not so complete, so we may get different results in new tests.
Beck's team has done much work on NDP based OS fingerprinting. By sending a
series of NS packets, we get different replies from different OSes.
SinFP can match IPv6 responses against IPv4 fingerprints, using three
mapping rules on the IP header.
For one-hop IPv6 fingerprints, all methods mentioned above are possible.
For over-Internet IPv6 fingerprints, NDP based method and IPv6 Hop-by-Hop
option header based method are disabled.
New IPv6 tests can be based on IPv6 extension headers.
In addition, I suppose a pure database of OS fingerprints and an accurate
matching algorithm are crucial.
2. Hosts Discovery on IPv6
Doing host discovery in the same subnet is easier in IPv6. The alive6 tool and
its method are quite effective.
* The alive6 tool sends
  1. ICMPv6 echo request to ff02::1.
  2. Invalid extension header (0x80) followed by ICMP echo request to
  3. Hop-by-hop header followed by ICMP echo request to ff02::1.
I see that the latest THC-IPV6 release (1.4) additionally can do UDP,
TCP ACK, and TCP SYN. I haven't tested to see if these are unicast-only.
In addition, we have another method based on SLAAC to achieve host
discovery. Considering that some hosts may refuse ICMPv6 echo Ping and the other
known probe methods, the SLAAC based method is essential, since hosts
couldn't refuse RA packets unless the SEcure Neighbor Discovery (SEND) protocol is
* The procedure of StateLess Address Autoconfiguration (SLAAC) is
  1. Router Advertisement with an IPv6 Prefix information option to ff02::1;
  2. Hosts receiving this RA packet configure their IPv6 address with the
  3. Hosts send NS packets to make sure that no other hosts use this
In order not to disturb the network, the RA packet should be carefully
constructed according to three principles:
1) Not a default router;
2) The address prefix should be insignificant in the network. A random
Unique-local Address prefix is suitable.
3) Short valid lifetime.
I just noticed a few days ago that there is a Metasploit module that
does this: (at least if I understand you correctly)
For host discovery over the Internet, it becomes harder on IPv6 because its
address space is quite large. We can make use of the methods below in NSE
scripts before we find a more effective method.
1. Avoid scanning address blocks that can't be routed.
The global BGP information is available on http://www.routeviews.org/.
2. Make use of the SLAAC mechanism.
Since most IPv6 networks use the SLAAC mechanism to configure IPv6 addresses and
most OSes generate the EUI-64 from the MAC, the scanning space is reduced to /24
if the prefix and Ethernet vendor have been confirmed.
The vendor codes are available on these pages:
3. Make use of IPv4-mapped or -compatible addresses
Actually I don't think it is necessary since we can reach the goal through
IPv4. We had better focus on native IPv6 network.
I plan to implement IPv6 host discovery first. The work will involve the
raw packet host discovery, traceroute6 and NSE scripts. I'm also interested
in OS detection but I'm not sure whether I have enough time. Please give me
I think that both host discovery and OS detection are big enough to be
their own projects.
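As an added illustration of the SLAAC/EUI-64 point raised in the exchange above (example code written for this archive page, not code from the thread, from Nmap or from THC-IPV6; the prefix and MAC values are constructed samples under the 2001:db8::/32 documentation prefix), the following derives the address a host autoconfigures from an RA prefix and its MAC, and conversely audits observed addresses for embedded MACs, which is how a network owner can tell which of their hosts expose a vendor OUI and therefore sit in the reduced search space the thread describes:

```python
import ipaddress
from typing import Dict, Optional, Tuple

def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC, insert ff:fe, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # the universal/local bit of the first octet is inverted
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host would autoconfigure from an RA prefix plus its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def eui64_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 interface identifier, or None when the
    ff:fe marker is absent (privacy extensions, DHCPv6 or manual addresses)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)

def classify(addrs) -> Dict[str, Tuple[str, Optional[str], Optional[str]]]:
    """'eui64' addresses expose the MAC and its 24-bit vendor OUI, so with the
    /64 and OUI known only 24 bits vary; 'opaque' addresses give away neither."""
    result = {}
    for a in addrs:
        mac = eui64_mac(a)
        result[a] = ("eui64", mac, mac[:8]) if mac else ("opaque", None, None)
    return result

# Constructed sample data using the documentation prefix 2001:db8::/32.
SAMPLE_PREFIX = "2001:db8:1::/64"
SAMPLE_MAC = "00:1b:21:ab:cd:ef"  # constructed; the OUI is illustrative only
SAMPLE_ADDRS = [str(slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)),
                "2001:db8:1::a1b2:c3d4:e5f6:789"]  # a privacy-style address

if __name__ == "__main__":
    for addr, (kind, mac, oui) in classify(SAMPLE_ADDRS).items():
        print(f"{addr:40} {kind:7} mac={mac} oui={oui}")
```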
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/