Nmap Development mailing list archives

Re: [NSE] Script submission: targets-ipv6-wordy


From: Everardo Padilla Saca <everardo.padilla.saca () gmail com>
Date: Wed, 9 Apr 2014 06:44:07 +0000 (UTC)

Raul Fuentes <ra.fuentess.sam <at> gmail.com> writes:

> As told before, my big concern is the overhead once you combine all the
> scripts, and all the memory needed to hold all the potential addresses.

You didn't mention anything about other scripts (???).
For the record, this script is not combined with any other.

> Your approach generates all the possible words, true [...]

False. It generates all the possible words *given a wordlist*. This means the 
script takes the words from a list, and the algorithm generates the 
combinations.

> [...] but is it truly useful?

I believe it is. Suppose you want to scan the following network: 
2001:0DB8:AC10:FE01:AAAA:BBBB:0000:0000/96
If you want to try "wordy" addresses first, you do:

$ nmap -6 --script targets-ipv6-wordy.nse \
    --script-args 'newtargets,targets-ipv6-wordy.wordlist=my_words.txt,targets-ipv6-wordy.segments="7,8",targets-ipv6-wordy.base-address="2001:0DB8:AC10:FE01:AAAA:BBBB:0000:0000"'

And that will tell Nmap to scan addresses that have words (from the specified 
wordlist) in the 7th and 8th segments.

> It is like a dictionary attack or brute force attack: for a general, quick
> approach to try to detect an IPv6 address such as 2001:db8:c0ca:dead:beef (or a
> password such as 123adobe or qwerty), is it truly a good idea to try all the
> possible combinations, or just the most common 1000-10,000
> passwords/addresses? [...]

Like I just wrote, the script uses a wordlist. This can be seen as a 
dictionary attack. It's up to the user to configure the wordlist to his/her 
needs.

> When I implemented the wordy script, I chose the
> second approach; that is the reason for the DB, which is also a good place
> to store already discovered EUI-64 addresses.
> About the many DBs: for the standard user it can be easy and transparent; even Nmap
> has its own multiple DBs, and even the SLAAC script uses the Nmap MAC vendors
> DB. And a security auditor will eventually need to update or tune the
> Nmap DBs for their own needs on specific audits.

I'm not sure if I understand your concept of database. Are you suggesting to 
have a database for all the generated addresses? Or for the words that will be 
used to generate these addresses? (this last approach is done by this script, 
as explained above). If you are suggesting to do the first approach, to save 
all the generated addresses in a file for later scanning, that would be 
impractical because you would have to write all the addresses to a file, and 
then read them again via another script and feed them to Nmap when you already 
had them in memory before. To make the most of Nmap's parallelization features, I 
believe the generated addresses must be put inside Nmap's queue***, rather 
than being read from a file and then given to Nmap one by one.
 
> By the way, I have not seen your progress with the scripts, but for a full scan
> of 24 bits with almost all your scripts running at the same time, how much time
> does it take? Is it a good idea to give more time to the approach you want?
> (IPv4 for Nmap can take a lot of time)

Like I mentioned above, this script is not combined with any other. The time 
it takes to generate the addresses depends on how many segments the user chose 
and how many words the wordlist contains. It's up to the security professional 
to choose how many addresses will be generated by tweaking the wordlist and 
choosing the right amount of segments appropriate to his/her available 
resources.

***Suggestions are welcome.

Cheers,
Everardo.

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
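The generation scheme argued over in this message (take a wordlist, keep the words that can be spelled in hex, drop one such hextet into each of the chosen segments of a base address, and enumerate every combination) as an added, stand-alone illustration. This is Python written for this page, not the Lua of targets-ipv6-wordy or any other NSE script; the leet-style letter mapping, the function names, the sample wordlist and the "candidate count" check are all assumptions of the example. It also shows the two things the reply leans on: the number of candidates is words ** segments, which is what decides the memory cost, and the addresses can be produced lazily instead of being written to a file and re-read.

```python
"""
Generate "wordy" IPv6 candidate targets from a wordlist.

Added illustration of the approach discussed in the thread; this is not the
code of targets-ipv6-wordy itself.  The leet-style letter mapping, the sample
wordlist and the helper names below are assumptions made for this example.
"""
import itertools
import ipaddress
from typing import Iterator, List, Optional, Sequence

# Assumed letter -> hex-digit substitutions for spelling words in hex
# (o->0, i/l->1, s->5, ...).  The list thread does not specify a mapping.
LEET = {"o": "0", "i": "1", "l": "1", "z": "2", "s": "5", "g": "6", "t": "7"}


def word_to_hextet(word: str) -> Optional[str]:
    """Return the 1-4 hex-digit spelling of `word`, or None if it has none."""
    digits = []
    for ch in word.strip().lower():
        if ch in "0123456789abcdef":
            digits.append(ch)
        elif ch in LEET:
            digits.append(LEET[ch])
        else:
            return None          # letter with no hex look-alike, e.g. 'r'
    if not 1 <= len(digits) <= 4:
        return None              # an IPv6 group holds at most 16 bits
    return "".join(digits)


def hextets_from_wordlist(words: Sequence[str]) -> List[str]:
    """Keep only the words that spell a hextet, de-duplicated, order preserved."""
    seen, out = set(), []
    for w in words:
        h = word_to_hextet(w)
        if h is not None and h not in seen:
            seen.add(h)
            out.append(h)
    return out


def candidate_count(n_hextets: int, n_segments: int) -> int:
    """Number of addresses a run will produce (one hextet per chosen segment).

    This is the figure to look at before worrying about memory: it grows as
    words ** segments, so 10,000 usable words over two segments is 10**8.
    """
    return n_hextets ** n_segments


def generate_wordy_targets(base_address: str, segments: Sequence[int],
                           words: Sequence[str]) -> Iterator[str]:
    """Yield addresses with every hextet combination in `segments` (1-based).

    Addresses are yielded lazily, so the consumer (a target queue, for
    instance) never needs the whole list materialised at once.
    """
    base_groups = ipaddress.IPv6Address(base_address).exploded.split(":")
    if any(not 1 <= s <= 8 for s in segments) or len(set(segments)) != len(segments):
        raise ValueError("segments must be distinct values in 1..8")
    hextets = hextets_from_wordlist(words)
    positions = [s - 1 for s in segments]
    for combo in itertools.product(hextets, repeat=len(positions)):
        groups = list(base_groups)
        for pos, hextet in zip(positions, combo):
            groups[pos] = hextet
        # Normalise through the ipaddress module so the output is canonical.
        yield str(ipaddress.IPv6Address(":".join(groups)))


def all_within(prefix: str, addrs: Sequence[str]) -> bool:
    """Check that every candidate still lies inside the prefix being scanned."""
    net = ipaddress.IPv6Network(prefix)
    return all(ipaddress.IPv6Address(a) in net for a in addrs)


# Constructed sample input for the example; not a real wordlist.
SAMPLE_WORDS = ["dead", "beef", "cafe", "coca", "zebra", "toast"]
BASE = "2001:0DB8:AC10:FE01:AAAA:BBBB:0000:0000"   # the /96 from the message
SEGMENTS = (7, 8)


def sample_run() -> List[str]:
    """Materialise the sample run so its size and contents can be inspected."""
    return list(generate_wordy_targets(BASE, SEGMENTS, SAMPLE_WORDS))


if __name__ == "__main__":
    usable = hextets_from_wordlist(SAMPLE_WORDS)
    print("usable hextets:", usable)
    print("candidates:", candidate_count(len(usable), len(SEGMENTS)))
    for addr in sample_run():
        print(addr)
```

With the six constructed words only four survive the hex spelling ("zebra" has an r, "toast" is five digits), so segments 7 and 8 give 4 ** 2 = 16 candidates, all inside the /96. The same arithmetic is what to run against a real wordlist before choosing how many segments to fill.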

