Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Draft RFC on IPv6 Host Scanning
From: John Bond <john.r.bond () gmail com>
Date: Mon, 23 Apr 2012 22:29:14 +0200

Yes i noticed this too, i started thinking about how best to script
this.  there is a bit of cross over with the address-info script and
im trying to think of the best way to combine them.  Or if they should
be combined at all.  My current thinking is that we should have a
script which
 + takes a V6 prefix as an argument, then adda newtargets for;
   -  [user supplied v6 prefix]:[user supplied oui]::/16 (using eui format)
   -  [user supplied v6 prefix]:[user supplied oui (By vendor
name)]::/16 (using eui format)
     -- prefefind common defaults for the above e.g.
vmware/virtualbox/hyperV/Xen
   -  [user supplied v6 prefix]:[user supplied ipv4 prefix]/[user
supplied bit mask]
   - something equivalent with toredo and 6to4
+ The same as above but using the prefix of the IPv6 host.ip either using;
  - a default bit mask
  - bit mask (and possibly ipv4 prefixes) fetched with targets-asn
  - usersupplied bitmask
+   Using similar methods to address-info to look at the host.ip and
work out what type of format is used*. i.e.
   -  [v6 prefix of host.ip]:[oui of host.ip]::/16 (using eui format)
   -  [v6 prefix of host.ip]:[ipv4 prefix of host.ip]/[user supplied bit mask]
   - something equivalent with toredo and 6to4

I hope all this makes sense, if anyone else has comments or was also
thinking about working on this let me know

cheers
john

*the EUI and ipv4 tests used in address-info would need to be updated
to something like the attached script.  however this would cause false
positives.  (a lot of the functions used here are copy and pasted
from address-info, it might be worth splitting some of them out into a
library)

On 23 April 2012 21:40, Fyodor <fyodor () insecure org> wrote:
Hi Folks.  Fernando Gont wrote a short draft RFC on IPv6 host scanning:

http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt

The focus is on predicting IPv6 addresses using patterns in the way
they are constructed/allocated, not other IPv6 discovery techniques.
Nmap is mentioned and cited.  The ideas aren't new, but he does a good
job summarizing and citing relevant research.  I learned some
interesting tidbits, such as the way VMWare ESX can include 16 bits of
IPv4 address in its generates MAC address, which then can get included
in autoconfigured IPv6 addresses.

Cheers,
Fyodor





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Attachment: ipv6-scan.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault