Re: NSE scripts for scanning IPv6 sub-nets

[Daniel Miller <bonsaiviking () gmail com>]

Raúl,

I'm sorry it has taken us a year before your scripts made it into Nmap, but
I can happily say that targets-ipv6-recon-map4to6 was added in r33851.

I'm pretty sure I can work through the others fairly well, but I'm curious
about your technique for interrogating DHCPv6 servers to enumerate subnets.
I'm reading through your thesis paper, but my spanish is poor, especially
in regard to technical topics. I would appreciate a short description in
English that answers these questions:

1. Are all DHCPv6 servers vulnerable to this technique, or does it need a
specific configuration to work? I understand that network devices and ACLs
could block the script, but I mean aside from that.

2. Why can we not just get the subnet directly from the DHCP server? Is the
process of forwarding a request very different from a DHCPv4 request, in
which the response would have all necessary information like netmask,
broadcast address, gateway, etc.?

3. Is there a potential for an automated system of determining subnets 1
bit at a time? Example: given the network 2001:db8:c0ca::/64, can we try
2001:db8:c0ca:8000::/65 and 2001:db8:c0ca:0::/65 and get a rejection from
only one of them? This would allow us to treat the server as a binary
oracle and build a tree of valid subnets.

I apologize if some of these questions seem elementary, but my knowledge of
the protocol is not very deep at the moment, and I have too many other
projects to be able to delve into it deeply. I just need to know enough to
categorize the script and perhaps enhance some of the documentation. Thanks!

Dan

On Sun, Dec 15, 2013 at 9:55 PM, Raul Fuentes <ra.fuentess.sam () gmail com>
wrote:

> Hello, I was working with Nmap for my master's thesis which consist on
>  exploring IPv6 sub-nets, the work were based on the ideaas proposed on
> http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning-02
>
> As Nmap was key for my thesis I took the choice of made  my work  with the
> Creative Commons license  and the nse scripts with the 6.20 nmap licensing.
>
> On general, I developed the next scripts:
>
> 1 -  Low-bytes - Be able to scan ::1 to X:X:X:X::FFFF:FFFF
> 2 -  Map 4to6:  Be able to scan 192.168.1.1 as X:X:X:X::192.168.1.1
> 3 -  SLAAC: Be able to scan EUI-64 address and popular VMs (work until 24
> bits)
> 4 -  Woords: A simple dictionary of the low parts (defualt words like C0CA,
> BEEF, etc)
> 5 - A technique proposed by myself for retrieve syubnet info from DHCPv6
> stateful servers.
>
> Personally, I like my final results, the scripts are useful as they reduce
> the exploration from 64 bits to 24 or less  (however there is real risk of
> DoS as http://tools.ietf.org/html/rfc6583 explain) . Each set of scripts
>  can be work on any combo and their arguments give good flexibility (or  I
> believed it).
>
> The current repository is: https://code.google.com/p/itsis-mx/ and the
> thesis (which have the best documented part of the work)  is in the same
> repository with this url:
> https://itsis-mx.googlecode.com/git/Thesis-spanish.pdf (appendix C, p. 91
>  hast the most practical info for the scripts)
>
> My thesis and the first page of the repository are on Spanish, but the
> codes are written on English.  If the community find those useful I'll
> begin to work the Wikis for translate the most useful part of the thesis.
>
> --
> Sincerely, Eng. Raul A. Fuentes Samaniego
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/