Nmap Development mailing list archives
Re: NSE scripts for scanning IPv6 sub-nets
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 2 Dec 2014 08:25:55 -0600
Raúl, I'm sorry it has taken us a year before your scripts made it into Nmap, but I can happily say that targets-ipv6-recon-map4to6 was added in r33851. I'm pretty sure I can work through the others fairly well, but I'm curious about your technique for interrogating DHCPv6 servers to enumerate subnets. I'm reading through your thesis paper, but my Spanish is poor, especially in regard to technical topics. I would appreciate a short description in English that answers these questions:

1. Are all DHCPv6 servers vulnerable to this technique, or does it need a specific configuration to work? I understand that network devices and ACLs could block the script, but I mean aside from that.

2. Why can we not just get the subnet directly from the DHCP server? Is the process of forwarding a request very different from a DHCPv4 request, in which the response would have all necessary information like netmask, broadcast address, gateway, etc.?

3. Is there a potential for an automated system of determining subnets 1 bit at a time? Example: given the network 2001:db8:c0ca::/64, can we try 2001:db8:c0ca:8000::/65 and 2001:db8:c0ca:0::/65 and get a rejection from only one of them? This would allow us to treat the server as a binary oracle and build a tree of valid subnets.

I apologize if some of these questions seem elementary, but my knowledge of the protocol is not very deep at the moment, and I have too many other projects to be able to delve into it deeply. I just need to know enough to categorize the script and perhaps enhance some of the documentation.

Thanks!
Dan

On Sun, Dec 15, 2013 at 9:55 PM, Raul Fuentes <ra.fuentess.sam () gmail com> wrote:
Hello, I was working with Nmap for my master's thesis, which consists of exploring IPv6 subnets; the work was based on the ideas proposed in http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning-02

As Nmap was key for my thesis, I chose to release my work under the Creative Commons license and the NSE scripts under the Nmap 6.20 licensing.

In general, I developed the following scripts:

1 - Low-bytes: Be able to scan ::1 to X:X:X:X::FFFF:FFFF
2 - Map 4to6: Be able to scan 192.168.1.1 as X:X:X:X::192.168.1.1
3 - SLAAC: Be able to scan EUI-64 addresses and popular VMs (works up to 24 bits)
4 - Words: A simple dictionary of the low parts (default words like C0CA, BEEF, etc.)
5 - A technique proposed by myself for retrieving subnet info from DHCPv6 stateful servers.

Personally, I like my final results; the scripts are useful as they reduce the exploration from 64 bits to 24 or less (however, there is a real risk of DoS, as http://tools.ietf.org/html/rfc6583 explains). Each set of scripts can work in any combination and their arguments give good flexibility (or so I believed).

The current repository is: https://code.google.com/p/itsis-mx/ and the thesis (which has the best documented part of the work) is in the same repository at this URL: https://itsis-mx.googlecode.com/git/Thesis-spanish.pdf (appendix C, p. 91 has the most practical info for the scripts)

My thesis and the first page of the repository are in Spanish, but the code is written in English. If the community finds these useful I'll begin to work on the wikis to translate the most useful parts of the thesis.

--
Sincerely,
Eng. Raul A. Fuentes Samaniego

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: NSE scripts for scanning IPv6 sub-nets Daniel Miller (Dec 02)
- Re: NSE scripts for scanning IPv6 sub-nets Raul Fuentes (Dec 02)