Nmap Development mailing list archives

Re: Finding v6 hosts by efficiently mapping ip6.arpa
From: Patrik Karlsson <patrik () cqure net>
Date: Wed, 4 Apr 2012 23:08:16 +0200

On Wed, Apr 4, 2012 at 8:34 PM, Fyodor <fyodor () insecure org> wrote:

On Sun, Apr 01, 2012 at 03:06:48PM +0200, Patrik Karlsson wrote:

I just committed an Nmap script called dns-ip6-arpa-scan.nse, that
implements the technique.  It uses multiple threads to do the lookup
and I was amazed by the result.

That's a great script!  And with the recent changes by David, it is
working well for me.  Here are some ideas for improvement in case you
or anyone else (perhaps one of the SoC NSE applicants) finds more time
to work on this:

o Instead of separate "prefix" and "mask" arguments, maybe it could
 support them together like Nmap generally does for IPv4.  Examples
 could be "2600:3c01::f03c:91ff:fe93:cd19/112",
 "scanme.nmap.org/112", or "2600:3c01/32".  Besides being an easier
 syntax to use, this would allow the script to accept multiple
 prefixes/masks.

o It should probably be a targets-* script (like
 targets-ipv6-multicast-echo and such) so that discovered hosts
 can be easily added to the scan queue.

o It might be desirable to check for wildcard DNS so that it doesn't
 spend a huge amount of time (and results space) enumerating giant
 wildcarded blocks.

o Marc Heuse says that his dnsrevenum6 can scan 2a01:238:42a8::/48 in
 8 seconds, finding 4 hosts.  But when I just tried with Nmap, it
 took 505 seconds and didn't find any hosts.  I used this command:

 nmap -v --script dns-ip6-arpa-scan --script-args='prefix=2a01:238:42a8:e700,mask=48'

o This is a minor detail, but I am a bit torn about whether the name
 should contain "ip6" (as now) or "ipv6" (as our other IPv6 scripts
 do).  Even though it actually is walking "ip6.arpa", I'm leaning
 toward the idea that "ipv6" would be better in the script name.

o Another minor detail is that it would be nice if it printed the
 number of hosts discovered.  This could go in the "dns-ip6-arpa-scan:"
 line which is otherwise empty anyway.

In an ideal world, we could use an upgraded version of this script to
scan the whole IPv6 Internet :).

The script did work well when I scanned the /112's of scanme.nmap.org
and nmap.org.  Example:

# ./nmap -v --script dns-ip6-arpa-scan --script-args='prefix=2600:3c01::f03c:91ff:fe93:cd19,mask=112'

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-04 10:41 PDT
[Cut some verbose lines]
Pre-scan script results:
| dns-ip6-arpa-scan:
| ip                                 ptr
| 2600:3c01:0:0:f03c:91ff:fe93:1130  athena.bitcasa.com
| 2600:3c01:0:0:f03c:91ff:fe93:115c  node2.amphibious.org
| 2600:3c01:0:0:f03c:91ff:fe93:12d8  lizardwiki.dyndns.org
| 2600:3c01:0:0:f03c:91ff:fe93:1441  linode.jnraptor.com
| 2600:3c01:0:0:f03c:91ff:fe93:146a  durandal.rampant.io
| 2600:3c01:0:0:f03c:91ff:fe93:14b3  pinepara.info
| 2600:3c01:0:0:f03c:91ff:fe93:14e0  neptune.lucidwebdesign.net
| 2600:3c01:0:0:f03c:91ff:fe93:14e1  mynode.nl
| 2600:3c01:0:0:f03c:91ff:fe93:1674  redis.tigerlilyplatform.com
| 2600:3c01:0:0:f03c:91ff:fe93:1a18  katherine.fremont.ca.us.nisn.nasutek.org
| 2600:3c01:0:0:f03c:91ff:fe93:1a31  facepalm.jpe.gs
| 2600:3c01:0:0:f03c:91ff:fe93:1d85  dev.thehousecat.com
| 2600:3c01:0:0:f03c:91ff:fe93:1dee  ipv6.leopard.net
| 2600:3c01:0:0:f03c:91ff:fe93:1e2   mongo.runwire.com
| 2600:3c01:0:0:f03c:91ff:fe93:1fb0  linode.vps.icybear.net
| 2600:3c01:0:0:f03c:91ff:fe93:268c  espresso.killd9.net
| 2600:3c01:0:0:f03c:91ff:fe93:2901  sank.pentabarf.net
| 2600:3c01:0:0:f03c:91ff:fe93:2a25  lembacon.com
| 2600:3c01:0:0:f03c:91ff:fe93:2f2a  booleanhaiku.com
| 2600:3c01:0:0:f03c:91ff:fe93:2f8e  tndb.us
| 2600:3c01:0:0:f03c:91ff:fe93:30bf  lukecod.es
| 2600:3c01:0:0:f03c:91ff:fe93:31a9  srv-9331a9.frem.xl12.net
| 2600:3c01:0:0:f03c:91ff:fe93:336e  jedediahsmith.kashpureff.com
| 2600:3c01:0:0:f03c:91ff:fe93:344d  pyro.fbrtech.com
| 2600:3c01:0:0:f03c:91ff:fe93:39cc  server.imycard.com
| 2600:3c01:0:0:f03c:91ff:fe93:3add  www6.labelswitched.net
| 2600:3c01:0:0:f03c:91ff:fe93:3c89  crankshaft.activeservices.net.au
| 2600:3c01:0:0:f03c:91ff:fe93:3caa  redis-demo.tigerlilyplatform.com
| 2600:3c01:0:0:f03c:91ff:fe93:4d7a  ca-01.us.nurve.com.au
| 2600:3c01:0:0:f03c:91ff:fe93:51d3  mail.hamachi.us
| 2600:3c01:0:0:f03c:91ff:fe93:51e6  cougar.ca.mumbleboxes.com
| 2600:3c01:0:0:f03c:91ff:fe93:526e  ipv6.dmright.com
| 2600:3c01:0:0:f03c:91ff:fe93:5290  derpatron.qial.net
| 2600:3c01:0:0:f03c:91ff:fe93:561c  atreides.flpghlp.com
| 2600:3c01:0:0:f03c:91ff:fe93:5a09  bid1.bid.bespokeinnovations.com
| 2600:3c01:0:0:f03c:91ff:fe93:5cfe  remy.s.zbasu.net
| 2600:3c01:0:0:f03c:91ff:fe93:5d4b  2600:3c01::f03c:91ff:fe93:5d4b
| 2600:3c01:0:0:f03c:91ff:fe93:60bb  discovery.wyldryde.org
| 2600:3c01:0:0:f03c:91ff:fe93:6418  hydrogen.deeperdesign.co
| 2600:3c01:0:0:f03c:91ff:fe93:e332  theplanet.ca
| 2600:3c01:0:0:f03c:91ff:fe93:e3a3  freecnam.org
| 2600:3c01:0:0:f03c:91ff:fe93:e3b   zeus.dodekatheon.puxlit.net
| 2600:3c01:0:0:f03c:91ff:fe93:e565  mail.icanhaz.ca
| 2600:3c01:0:0:f03c:91ff:fe93:e6f3  lin6.ingber.com
| 2600:3c01:0:0:f03c:91ff:fe93:eabc  www.benjaminpike.net
| 2600:3c01:0:0:f03c:91ff:fe93:eb17  h1tman.com
| 2600:3c01:0:0:f03c:91ff:fe93:ec49  factory.tigerlilyplatform.com
| 2600:3c01:0:0:f03c:91ff:fe93:ee5f  server.imycard.com
| 2600:3c01:0:0:f03c:91ff:fe93:f174  server.imycard.com
| 2600:3c01:0:0:f03c:91ff:fe93:f4db  rww.name
| 2600:3c01:0:0:f03c:91ff:fe93:f5df  arpa.unixnode.org
| 2600:3c01:0:0:f03c:91ff:fe93:f65   virtual-server-02.zone12.net
| 2600:3c01:0:0:f03c:91ff:fe93:f73c  es2eng.com
| 2600:3c01:0:0:f03c:91ff:fe93:fa80  linss.com
| 2600:3c01:0:0:f03c:91ff:fe93:fab2  theleakycauldron.niftystopwatch.net
| 2600:3c01:0:0:f03c:91ff:fe93:fafd  rolandwarmerdam.co.nz
|_2600:3c01:0:0:f03c:91ff:fe93:fb19  caravanserai.manxomefae.com
Nmap done: 0 IP addresses (0 hosts up) scanned in 535.55 seconds
          Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Cheers,
Fyodor


Thanks Fyodor, those are some good ideas! I'll probably start to work on
some of them soon.
I agree on the targets prefix and it should be ipv6 I believe. I'll change
that too when I start looking into the other changes.
In regards to scanning the 2a01:238:42a8:e700::/48, I just did and got 4 hosts
in less than 2 seconds.

//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
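The ip6.arpa tree walk the script implements, together with the combined prefix/mask syntax and the wildcard check suggested above, as an added Python illustration that is not the NSE script's own code. It assumes an offline stand-in resolver built from constructed PTR records (no real DNS is queried), does not handle the hostname form such as scanme.nmap.org/112, and the "wildcard-probe" label is a made-up probe name.

```python
import ipaddress
HEX = "0123456789abcdef"

def parse_prefix(arg):  # combined "prefix/mask" syntax, as Nmap accepts for IPv4
    addr, _, mask = arg.partition("/")
    addr += "" if "::" in addr or addr.count(":") == 7 else "::"  # "2600:3c01/32" -> 2600:3c01::/32
    if int(mask) % 4:  # one nibble per ip6.arpa label: the mask must be a multiple of 4
        raise ValueError("mask must be a multiple of 4")
    return ipaddress.IPv6Network((addr, int(mask)), strict=False)

def fixed_nibbles(net):
    return net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]

def arpa_base(net):  # ip6.arpa name of the prefix: fixed nibbles, least significant first
    return ".".join(reversed(fixed_nibbles(net))) + ".ip6.arpa"

def has_wildcard(net, resolve):  # a non-hex label resolves only if a wildcard synthesises it
    return resolve("wildcard-probe." + arpa_base(net))[0] != "NXDOMAIN"

def walk(net, resolve):  # depth-first walk; NXDOMAIN at a node prunes everything below it
    base, free, found = arpa_base(net), (128 - net.prefixlen) // 4, {}
    stack = [("", 0)]  # (labels prepended to base, depth)
    while stack:
        labels, depth = stack.pop()
        rcode, ptr = resolve(labels + base)
        if rcode == "NXDOMAIN":
            continue
        if depth < free:  # interior node: try all 16 nibbles one level down
            stack.extend((h + "." + labels, depth + 1) for h in HEX)
        elif ptr:  # leaf with a PTR: rebuild the address from the nibble path
            nibbles = fixed_nibbles(net) + "".join(reversed(labels.split(".")[:-1]))
            found[str(ipaddress.IPv6Address(int(nibbles, 16)))] = ptr
    return found

def fake_resolver(records):  # offline stand-in for DNS built from constructed PTRs; counts queries
    rev = {arpa_base(ipaddress.IPv6Network(a + "/128")): p for a, p in records.items()}
    count = [0]
    def resolve(name):  # -> (rcode, PTR target or None), like a real lookup would
        count[0] += 1
        if name in rev:
            return "NOERROR", rev[name]
        below = any(n.endswith("." + name) for n in rev)  # empty non-terminal?
        return ("NOERROR", None) if below else ("NXDOMAIN", None)
    return resolve, count

def demo(arg="2600:3c01::f03c:91ff:fe93:cd19/112"):
    records = {"2600:3c01::f03c:91ff:fe93:cd19": "scanme.nmap.org",  # constructed,
               "2600:3c01::f03c:91ff:fe93:1130": "host-1130.example"}  # not real data
    net, (resolve, count) = parse_prefix(arg), fake_resolver(records)
    return walk(net, resolve), has_wildcard(net, resolve), count[0]  # hosts, wildcard?, queries
```

With two hosts in a /112 the walk issues 113 lookups instead of the 65536 a brute-force PTR sweep would need, which is the pruning that makes the technique practical.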

