Nmap Development mailing list archives
Re: Gsoc 2011 idea about IPv6
From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Mar 2011 22:56:03 -0700
On Tue, Mar 29, 2011 at 10:01:12PM +0800, Xu Weilin wrote:
> David, thank you for your guidance. I have learnt notes.txt from SVN and read the given papers carefully. I would like to express my ideas here before writing the formal proposal.
>
> 1. OS Detection on IPv6
>
> Nerakis's thesis has shown that the existing IPv4 test methods, such as port scanning and TCP and UDP fingerprinting, can be reused effectively in an IPv6 environment. Besides, Nerakis's thesis also mentioned the IPv6 extension header based methods, though they are not as effective as the TCP/UDP based ones. Note that this work on IPv6 extension headers, done 5 years ago, was not so complete, so we may get different results in new tests. Beck's team has done much work on NDP based OS fingerprinting. By sending a series of NS packets, we get different replies from different OSes. SinFP can match IPv6 responses against IPv4 fingerprints, using three mapping rules on the IP header. In conclusion, for one-hop IPv6 fingerprints, all methods mentioned above are possible. For over-Internet IPv6 fingerprints, the NDP based method and the IPv6 Hop-by-Hop option header based method are disabled. New IPv6 tests can be based on IPv6 extension headers. In addition, I suppose a pure database of OS fingerprints and an accurate matching algorithm are crucial.
>
> 2. Hosts Discovery on IPv6
>
> Doing host discovery in the same subnet is easier in IPv6. The alive6 tool and its method are quite effective. The alive6 tool sends
> 1. ICMPv6 echo request to ff02::1.
> 2. Invalid extension header (0x80) followed by ICMP echo request to ff02::1.
> 3. Hop-by-hop header followed by ICMP echo request to ff02::1.
I see that the latest THC-IPV6 release (1.4) additionally can do UDP, TCP ACK, and TCP SYN. I haven't tested to see if these are unicast-only.
> In addition, we have another method based on SLAAC to achieve host discovery. Considering some hosts may refuse ICMPv6 echo ping and the other known probe methods, the SLAAC based method is essential since hosts couldn't refuse RA packets unless the SEcure Neighbor Discovery (SEND) protocol is used.
>
> The procedure of StateLess Address Autoconfiguration (SLAAC) is
> 1. Router Advertisement with an IPv6 Prefix information to ff02::1;
> 2. Hosts receiving this RA packet configure their IPv6 address with the Prefix automatically;
> 3. Hosts send NS packets to make sure that no other hosts use this address.
>
> In order not to disturb the network, the RA packet should be carefully constructed within three principles:
> 1) Not a default router;
> 2) The address prefix should be insignificant in the network. A random Unique-local Address prefix is suitable;
> 3) Short valid lifetime.
I just noticed a few days ago that there is a Metasploit module that does this (at least if I understand you correctly):
http://www.metasploit.com/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
http://wuntee.blogspot.com/2010/11/ipv6-link-local-host-discovery-concept.html
> For host discovery over the Internet, it becomes harder on IPv6 because its address space is quite large. We can make use of the methods below in NSE scripts before we find a more effective method.
>
> 1. Avoid scanning address blocks that can't be routed. The global BGP information is available on http://www.routeviews.org/.
>
> 2. Make use of the SLAAC mechanism. Since most IPv6 networks use the SLAAC mechanism to configure IPv6 addresses and most OSes generate the EUI-64 by use of the MAC, the scanning space is reduced to /24 if the prefix and ether vendor have been confirmed. The vendor codes are available on these pages:
> http://standards.ieee.org/develop/regauth/oui/oui.txt
> https://db.uga.edu/network/public/vendorcode.cgi
>
> 3. Make use of IPv4-mapped or -compatible addresses. Actually I don't think it is necessary since we can reach the goal through IPv4. We had better focus on native IPv6 networks.
>
> I plan to implement IPv6 host discovery first. The work will involve raw packet host discovery, traceroute6 and NSE scripts. I'm also interested in OS detection but I'm not sure whether I have enough time. Please give me some advice :)
I think that both host discovery and OS detection are big enough to be their own projects.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
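As an added illustration, not code from the thread or from Nmap: the EUI-64 derivation behind the "scanning space is reduced" argument in the quoted post, in Python, together with the inverse that shows what a SLAAC address reveals about the host and how large one vendor's slice of a /64 really is. The prefix, MAC and OUI are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC after the 24-bit OUI, insert ff:fe, and flip the
    # universal/local bit (0x02 of the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host forms from an advertised /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Inverse: the MAC an EUI-64 derived address reveals, or None when the
    interface identifier lacks the ff:fe marker (RFC 4941 temporary addresses,
    manually assigned addresses). Heuristic: a random IID can match by chance."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def vendor_space(prefix: str, oui: str):
    """Range of SLAAC addresses a single vendor OUI can occupy inside a /64:
    only the 24 device-specific MAC bits vary, so 2**24 candidates, not 2**64."""
    first = slaac_address(prefix, oui + ":00:00:00")
    last = slaac_address(prefix, oui + ":ff:ff:ff")
    return first, last, int(last) - int(first) + 1


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC/OUI.
    addr = slaac_address("2001:db8::/64", "00:1b:21:ab:cd:ef")
    print(addr, mac_from_address(str(addr)))
    print(vendor_space("2001:db8::/64", "00:1b:21"))
```

Hosts that use RFC 4941 temporary addresses do not embed their MAC, which removes both the vendor leak and the search-space reduction on the host side.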