Re: Gsoc 2011 idea about IPv6

[David Fifield <david () bamsoftware com>]

On Tue, Mar 29, 2011 at 10:01:12PM +0800, Xu Weilin wrote:
> David,
> Thank you for your guidance. I have learnt notes.txt from SVN and read the
> given papers carefully. I would like to express my ideas here before writing
> the formal proposal.
> 1. OS Dectection on IPv6
> Nerakis's thesis has shown the existing IPv4 tests methods, such as port
> scanning, TCP and UDP figerprinting, can be reused effectively in IPv6
> environment. Besides, Nerakis's thesis also mentioned the IPv6 extension
> header based methods though they are not as effective as TCP/UDP based. Note
> that this work on IPv6 extension header done 5 years ago was not so
> complete, so we may get different results in new tests.
> Beck's team has done much work on NDP based OS fingerprinting.By sending a
> series of NS packet, we get different replies from different OSes.
> SinFP can match IPv6 responses against IPv4 fingerprints, using three
> mapping rule on IP header.
> In conclusion,
> For one-hop IPv6 fingerprints, all methods mentioned above are possible.
> For over-Internet IPv6 fingerprints, NDP based method and IPv6 Hop-by-Hop
> option header based method are disabled.
> New IPv6 tests can be based on IPv6 extension headers.
> In addition, I suppose a pure database of OS fingerprints and an accurate
> matching algorithm are crucial.
>  2. Hosts Discovery on IPv6
> Do hosts discovery in the same subnet is easier in IPv6. The alive6 tool and
> its method is quite effective.
> * The alive6 tool sends
>   *1. ICMPv6 echo request to ff02::1.
>   *2. Invalid extension header (0x80) followed by ICMP echo request to
> ff02::1.
>   *3. Hop-by-hop header followed by ICMP echo request to ff02::1.

I see that the latest THC-IPV6 release (1.4) additionally can do UDP,
TCP ACK, and TCP SYN. I haven't tested to see if these are unicast-only.

> In addition, we have another method based on SLAAC to achieve hosts
> discovery. Considering some hosts may refuse ICMPv6 echo Ping and the other
> known probe methods, the SLAAC based method is essential since hosts
> couldn't refuse RA packet unless SEcure Neighbor Discovery(SEND) protocol is
> used.
> *The procedure of StateLess Address Autoconfiguration(SLAAC) is
>  *1. Router Advertisement with an IPv6 Prefix infomation to ff02::1;
>  *2. Hosts receiveing this RA packet configure its IPv6 address with the
> Prefix automatically;
>  *3. Hosts send NS packets to make sure that no other hosts use this
> address.
> In order not to disturb the network, the RA packet should be carefully
> constructed within three principles:
> 1) Not a default router;
> 2) Address prefix should be insignificant in the network. A random
> Unique-local Address prefix is suitable.
> Short valid life time.

I just noticed a few days ago that there is a Metasploit module that
does this: (at least if I understand you correctly)

http://www.metasploit.com/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
http://wuntee.blogspot.com/2010/11/ipv6-link-local-host-discovery-concept.html

> For hosts discovery over Internet, it becomes harder on IPv6 for its address
> space is quite large. We can take use of these methods below by NSE scripts
> before we find a more effective method.
> 1. Avoid scanning address block that can't be routed.
> The global BGP information is available on http://www.routeviews.org/.
> Take use of SLAAC mechanism.
> Since most IPv6 networks use SLAAC mechanism to configuring IPv6 address and
> most OSes generate EUI-64 by use of MAC,the scanning space is reduced to /24
> if the prefix and ether vendor have been confirmed.
> The vendor codes are available on these pages:
> http://standards.ieee.org/develop/regauth/oui/oui.txt
> https://db.uga.edu/network/public/vendorcode.cgi
> 3. Take use of IPv4-mapped or -compatible address
> Actually I don't think it is necessary since we can reach the goal through
> IPv4. We had better focus on native IPv6 network.
>  I plan to implement IPv6 host discovery first. The work will involve the
> raw packet host discovery, traceroute6 and NSE scripts. I'm also interested
> in OS detection but I'm not sure whether I have enough time. Please give me
> an advice:)

I think that both host discovery and OS detection are big enough to be
their own projects.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/