Nmap Development mailing list archives

Re: Nmap IPv6 Bug Report


From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Jun 2010 18:23:12 -0600

On Tue, Jun 08, 2010 at 11:57:49PM -0700, Fyodor wrote:
Hi Folks.  I don't have IPv6 set up at the moment, so I'm forwarding a
bug report along in the hope that someone can test and/or fix it.  You
can read the Debian bug thread here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584301

The key message is the last one on that page.  Mats Erik Andersson
(the reporter) says that Nmap fails when you do this bash shell
command:

RES_OPTIONS=inet6  nmap -v -p 22 ipv6.google.com

The failure is that you get the wrong IPv4 address because Nmap is
apparently failing to properly deal with the returned hostent
structure.  See the URL above for full details.

If anyone can try to reproduce and/or fix this and report back to
nmap-dev, that would be great!

I could reproduce this on Debian. The problem was that the resolver for
hostname/CIDR addresses used gethostbyname, and always assumed that the
only addresses returned were IPv4 addresses. When an IPv6 address was
returned, it would use the first four bytes of the IPv6 address.

# RES_OPTIONS=inet6 ./nmap -sn ipv6.google.com -d
Nmap scan report for ipv6.google.com (32.1.72.96) [host down, received no-response]
Other addresses for ipv6.google.com (not scanned): 32.1.72.96 32.1.72.96 32.1.72.96

With -6, Nmap gets the right IPv6 address.

# ./nmap -6 -sn ipv6.google.com -d
Nmap scan report for 2001:4860:800f::67 [host down, received net-unreach]

You can see the correspondence between 2001:4860 and 32.1.72.96.

I solved this by adding a new function to tcpip.cc, resolve_all, which
is like the existing resolve function but it returns all addresses. It
uses getaddrinfo so we can ask for a specific address family, and it is
generally easier to work with.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
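The bug and the fix described above, as an added example that is not Nmap's own code: a hostent built by hand here (constructed, standing in for what gethostbyname returns under RES_OPTIONS=inet6) is first read the old way, taking only its first four bytes, then with its address family honoured; the getaddrinfo-based lookup mirrors resolve_all's family filter but uses AI_NUMERICHOST so it runs without DNS. All function names are this example's own.

```c
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed input: a one-address AF_INET6 hostent, standing in for what
 * gethostbyname returns when RES_OPTIONS=inet6 is set. */
struct hostent *fake_inet6_hostent(const char *text) {
    static struct in6_addr a6;
    static char *list[2];
    static struct hostent he;
    if (inet_pton(AF_INET6, text, &a6) != 1) return NULL;
    list[0] = (char *)&a6; list[1] = NULL;
    he.h_name = (char *)text; he.h_aliases = NULL;
    he.h_addrtype = AF_INET6; he.h_length = sizeof(a6);
    he.h_addr_list = list;
    return &he;
}

/* The old assumption: treat whatever came back as IPv4 and copy four
 * bytes. For 2001:4860:800f::67 this yields 32.1.72.96. */
int first_four_bytes_as_ipv4(const struct hostent *he, char *out, size_t outlen) {
    struct in_addr a;
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL) return -1;
    memcpy(&a, he->h_addr_list[0], sizeof(a));   /* ignores h_addrtype/h_length */
    return inet_ntop(AF_INET, &a, out, outlen) ? 0 : -1;
}

/* Correct handling of the same hostent: honour h_addrtype. */
int hostent_to_string(const struct hostent *he, char *out, size_t outlen) {
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL) return -1;
    if (he->h_addrtype != AF_INET && he->h_addrtype != AF_INET6) return -1;
    return inet_ntop(he->h_addrtype, he->h_addr_list[0], out, outlen) ? 0 : -1;
}

/* resolve_all-style lookup: getaddrinfo with an explicit family filter,
 * returning every address as text. Returns the count, or -1 on failure. */
int resolve_all_numeric(const char *host, int family, char out[][INET6_ADDRSTRLEN], int max) {
    struct addrinfo hints, *res, *p;
    int n = 0;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;            /* AF_INET, AF_INET6 or AF_UNSPEC */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;     /* literal only: keeps the example offline */
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    for (p = res; p != NULL && n < max; p = p->ai_next)
        if (getnameinfo(p->ai_addr, p->ai_addrlen, out[n], INET6_ADDRSTRLEN,
                        NULL, 0, NI_NUMERICHOST) == 0) n++;
    freeaddrinfo(res);
    return n;
}
```

Asking for AF_INET on an IPv6-only name fails outright instead of returning a truncated address, which is the behaviour the family filter buys.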

