Nmap Development mailing list archives

Re: NSE scripts for scanning IPv6 sub-nets


From: Raul Fuentes <ra.fuentess.sam () gmail com>
Date: Tue, 2 Dec 2014 18:48:44 +0100

Hello,

Many thanks for taking the time to review the code; I'm more than glad
to answer any questions.

I'll try to answer the questions as best I can. By the way, since then
I have written English documentation for each script on the Google Code website;
for the DHCPv6 script this is the link:
https://code.google.com/p/itsis-mx/wiki/DHCPv6




1. Are all DHCPv6 servers vulnerable to this technique, or does it need a
specific configuration to work? I understand that network devices and ACLs
could block the script, but I mean aside from that.


When I was looking for DHCPv6 server implementations I only found the Microsoft
version and wide-dhcpv6-server, plus one more that was deprecated and
suggested using the WIDE version. So, technically, yes, all the servers are
vulnerable. One reason is that RFC 3315 did not take this into
consideration (it seems that this is a very low-risk exploit for the RFC).


2. Why can we not just get the subnet directly from the DHCP server? Is
the process of forwarding a request very different from a DHCPv4 request,
in which the response would have all necessary information like netmask,
broadcast address, gateway, etc.?


Yes, for a local request it is very similar to DHCPv4, but the technique was
designed to extract the data of the other subnetworks under the
DHCPv6 server's control, and here lies the problem: the servers only check the
IPv6 address of the originating relay agent, then check which prefix domain
matches it and send the answer. That is why I need to spoof the relay
message (the ghost host is just a prerequisite for the relay agent).



3. Is there a potential for an automated system of determining subnets 1
bit at a time? Example: given the network 2001:db8:c0ca::/64, can we try
2001:db8:c0ca:8000::/65 and 2001:db8:c0ca:0::/65 and get a rejection from
only one of them? This would allow us to treat the server as a binary
oracle and build a tree of valid subnets.


Short answer: yes, it is possible, and the script already tries to do it (to a
certain point), but it will depend on how the server is configured, with a risk
of false positives (Linux version).

Full answer: the main problem is the fact that the prefix of the spoofed
relay agent is never sent to the server, so the server will match the
relay address against its prefix tables, and this is where things
diverge, as each implementation could do things differently; actually,
Wide-dhcpv6 had a minor bug here and was sending false positives where
Microsoft did not (the script checks for that). In gen

The main differences between the servers are:
Windows servers handle a prefix table, so they will probably have the same
limitation as routing tables checking the destination IP.
Wide-Dhcp: links a prefix to one interface (if any request goes to that
interface the server doesn't check the relay agent address, it just sends one
address of the prefix configured for that interface); in Spanish, er,
English: for multiple subnetworks you need multiple (logical/virtual)
interfaces (and a wrong configuration will yield incorrect data).

At the time of my Master's thesis I didn't have enough time, and I worked with
the Microsoft implementation because it was more faithful to RFC 3315
(this is on page 54 of the thesis).



-- 
Sincerely, Raul FUENTES
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
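Added example (not code from the original post, from the itsis-mx script, or from the Nmap project): the Relay-forward probe the thread describes, built to the RFC 3315 wire layout with a link-address taken from the candidate prefix, a decoder for the Relay-reply that digs out the leased address, and the in-prefix / outside / no-address verdict that separates a genuine hit from the "server ignored the relay address" false positive Raul mentions. A constructed stand-in server stands in for the real one so the block runs offline; the prefixes (a /48 split into /49 halves, the same 2001:db8:c0ca:: space as the question), the DUID, lifetimes and transaction ID are assumed values, and the UDP transport to the server's port 547 from the ghost-host address is left out.

```python
import ipaddress
import struct

SOLICIT, ADVERTISE, RELAY_FORW, RELAY_REPL = 1, 2, 12, 13      # RFC 3315 message types
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5  # RFC 3315 option codes
OPT_ELAPSED, OPT_RELAY_MSG, OPT_STATUS, NOADDRSAVAIL = 8, 9, 13, 2
RELAY_HDR = 34   # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)
DUID = b"\x00\x03\x00\x01" + bytes.fromhex("001122334455")      # constructed DUID-LL

def option(code, data):
    """Encode one option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data

def parse_options(buf):
    """Decode a run of options into (code, payload) pairs, duplicates kept."""
    out, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        if i + 4 + length > len(buf):
            raise ValueError("truncated option %d" % code)
        out.append((code, buf[i + 4:i + 4 + length]))
        i += 4 + length
    return out

def build_solicit(xid, duid=DUID, iaid=1):
    """Client Solicit asking for one non-temporary address (IA_NA, T1=T2=0)."""
    return (struct.pack("!B", SOLICIT) + xid.to_bytes(3, "big")
            + option(OPT_CLIENTID, duid) + option(OPT_ELAPSED, b"\x00\x00")
            + option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0)))

def build_relay_forward(link_addr, peer_addr, inner, hop_count=0):
    """Relay-forward wrapping a client message. The server selects the link from
    link-address (RFC 3315 sec. 20.1), so the spoofed candidate goes there."""
    return (struct.pack("!BB", RELAY_FORW, hop_count)
            + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + option(OPT_RELAY_MSG, inner))

def leased_addresses(relay_reply):
    """Relay-reply -> inner Advertise/Reply -> IA_NA -> IAADDR addresses."""
    if len(relay_reply) < RELAY_HDR or relay_reply[0] != RELAY_REPL:
        raise ValueError("not a Relay-reply")
    addrs = []
    for code, msg in parse_options(relay_reply[RELAY_HDR:]):
        if code != OPT_RELAY_MSG:
            continue
        for icode, ia in parse_options(msg[4:]):            # skip type + xid
            if icode == OPT_IA_NA:
                for acode, body in parse_options(ia[12:]):  # skip IAID, T1, T2
                    if acode == OPT_IAADDR:
                        addrs.append(ipaddress.IPv6Address(body[:16]))
    return addrs

def classify(candidate, relay_reply):
    """'in-prefix': lease inside the candidate, the server serves that prefix.
    'outside': lease from another prefix, so link-address was ignored and the
    hit is a false positive. 'no-address': nothing leased, candidate rejected."""
    net, addrs = ipaddress.IPv6Network(candidate), leased_addresses(relay_reply)
    if not addrs:
        return "no-address"
    return "in-prefix" if all(a in net for a in addrs) else "outside"

def probe_halves(parent, probe, xid=0xABCDEF):
    """One step of the binary oracle: probe both halves of parent with
    link-address = half::1 and return each half's verdict. probe() maps the
    Relay-forward bytes to the Relay-reply bytes (UDP to port 547 in real use)."""
    verdicts = {}
    for half in ipaddress.IPv6Network(parent).subnets(prefixlen_diff=1):
        fwd = build_relay_forward(str(half[1]), "fe80::1", build_solicit(xid))
        verdicts[str(half)] = classify(str(half), probe(fwd))
    return verdicts

def constructed_server(prefixes, honour_link=True):
    """Constructed stand-in, not a real server. honour_link=True leases from the
    configured prefix containing link-address (the behaviour the thread ascribes
    to Microsoft); False always leases from the first prefix, ignoring
    link-address, to mimic the per-interface Wide-dhcpv6 false positive."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    def probe(fwd):
        link = ipaddress.IPv6Address(fwd[2:18])
        inner = dict(parse_options(fwd[RELAY_HDR:]))[OPT_RELAY_MSG]
        hit = nets[0] if not honour_link else next((n for n in nets if link in n), None)
        if hit is not None:   # lease prefix::100 with assumed preferred/valid lifetimes
            ia = struct.pack("!III", 1, 1800, 2880) + option(
                OPT_IAADDR, hit[0x100].packed + struct.pack("!II", 3600, 7200))
        else:                 # empty IA_NA carrying Status Code NoAddrsAvail
            ia = struct.pack("!III", 1, 0, 0) + option(
                OPT_STATUS, struct.pack("!H", NOADDRSAVAIL) + b"no addresses")
        adv = (struct.pack("!B", ADVERTISE) + inner[1:4]
               + option(OPT_SERVERID, b"\x00\x03\x00\x01" + b"\x02" * 6)
               + option(OPT_CLIENTID, dict(parse_options(inner[4:]))[OPT_CLIENTID])
               + option(OPT_IA_NA, ia))
        return (struct.pack("!BB", RELAY_REPL, fwd[1]) + fwd[2:RELAY_HDR]
                + option(OPT_RELAY_MSG, adv))
    return probe

if __name__ == "__main__":
    srv = constructed_server(["2001:db8:c0ca:8000::/49"])
    print(probe_halves("2001:db8:c0ca::/48", srv))
```

Against the link-honouring stand-in the low half comes back "no-address" and the high half "in-prefix", which is the one-sided rejection the question asks about; with honour_link=False the low half comes back "outside", because the lease is taken from a prefix other than the one claimed in link-address, and that is the verdict a script should refuse to count as a discovered subnet.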
