Nmap Development mailing list archives

Re: EXPERT IPv6 network scanning


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 22 Apr 2012 03:19:02 +0200

On Tue, Apr 17, 2012 at 11:25 PM, David Fifield <david () bamsoftware com> wrote:


This is another good idea. You could even just try stuffing the MAC
address into the EUI-64 format and try pinging it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


I gave this a try and ran into some problems.
First, making this a target script proved difficult as the script makes use
of both IPv4 and IPv6.
In the attached script I do discovery by adding a hostrule that stores the
MAC of scanned IPv4 hosts where it detects it.
Trying to add the IPv6 address at this point fails as Nmap is running in
IPv4 mode.

In the postrule, I try to ping the EUI-64 address, which also turned out to
be difficult, as in order to create the raw ICMP ping, we need the source
IPv6 address. We can't get that, as get_interface_info will use the current
socket family to retrieve info.
I modified the get_interface_info to take a second optional argument
("inet" or "inet6") to override the current socket family.

So the resulting script does find IPv6 addresses by detecting the MAC of
scanned IPv4 LAN hosts.
However, it only lists them and does not add them to the scan queue.

I'm attaching both the script and the patch; any comments or suggestions
would be great.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77

Attachment: nse_dnet-iface-info.patch
Description:

Attachment: ipv6-eui64-discover.nse
Description:
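
The MAC-to-EUI-64 mapping discussed in this message, as an added Python example (it is not the attached ipv6-eui64-discover.nse script and not code from the thread). It goes slightly beyond the message by accepting any /64 prefix and by including the inverse check; all function names and the sample MACs are constructed for illustration.

```python
import ipaddress
import re

def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-..., or 0011.2233.4455; return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)

def mac_to_ipv6(mac: str, prefix: str = "fe80::/64") -> ipaddress.IPv6Address:
    """Build the modified EUI-64 address (RFC 4291, Appendix A) inside a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    m = parse_mac(mac)
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return net.network_address + int.from_bytes(iid, "big")

def ipv6_to_mac(addr: str):
    """Inverse check: return the MAC embedded in an EUI-64 address, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy or stable-random identifier, no MAC to recover
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)

# Constructed sample: MACs as they might be recorded from an IPv4 LAN scan.
SAMPLE_MACS = {"192.0.2.10": "00:0C:29:AB:CD:EF", "192.0.2.11": "5254.0012.3456"}

def candidates(macs=SAMPLE_MACS, prefix="fe80::/64"):
    """Map each scanned IPv4 host to its candidate EUI-64 IPv6 address."""
    return {ip: str(mac_to_ipv6(mac, prefix)) for ip, mac in macs.items()}

if __name__ == "__main__":
    for ip, v6 in candidates().items():
        print(f"{ip:<12} -> {v6}")
```

A link-local candidate still needs an interface scope (zone ID) before it can be pinged, and hosts using privacy or stable-random interface identifiers will not answer on the derived address.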
