Re: Nmap and IPv6

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/2008 09:13 PM, DePriest, Jason R. wrote:
> I am having some general problems with IPv6 scanning with nmap.
>
> I have two systems on a wireless LAN that have IPv6 addresses.  They
> can ping each other.
>
> Nmap says no, sir.
>
> Laptop running nmap - fe80::a800:4ff:fe00:a04
> System I am scanning - fe80::210:5aff:fe1d:5c3f
>
> Hey, look!  I can ping it!
> depriest@hole:~$ ping6 -I eth2 fe80::210:5aff:fe1d:5c3f
> PING fe80::210:5aff:fe1d:5c3f(fe80::210:5aff:fe1d:5c3f) from
> fe80::a800:4ff:fe00:a04 eth2: 56 data bytes
> 64 bytes from fe80::210:5aff:fe1d:5c3f: icmp_seq=1 ttl=64 time=1.07 ms
> 64 bytes from fe80::210:5aff:fe1d:5c3f: icmp_seq=2 ttl=64 time=1.04 ms
> 64 bytes from fe80::210:5aff:fe1d:5c3f: icmp_seq=3 ttl=64 time=1.07 ms
> 64 bytes from fe80::210:5aff:fe1d:5c3f: icmp_seq=4 ttl=64 time=1.46 ms
> ^C
> --- fe80::210:5aff:fe1d:5c3f ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 3010ms
> rtt min/avg/max/mdev = 1.040/1.164/1.460/0.173 ms
>
> Nmap is sad.
> depriest@hole:~$ sudo nmap -sP -6 fe80::210:5aff:fe1d:5c3f
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2008-10-17 21:06 CDT
> Strange error from connect (22):Invalid argument
> Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
> Nmap done: 1 IP address (0 hosts up) scanned in 0.21 seconds
>
> What is this "invalid argument" it speaks of?
>
> Dunno, but here is a more informative error messge.
> CONN (0.2710s) TCP localhost > fe80::210:5aff:fe1d:5c3f:22 => Invalid argument
>
> I did a fancier scan and ended up with 2000 of those.
> depriest@hole:~$ grep "Invalid argument" nmap-ipv6.nmap | wc -l
> 2000
>
> I am attaching the log file for someone who knows more about nmap -6 to look at.

I think you just need to specify the interface to use via the perfect syntax
(see below).  This is required because link-local addresses are
interface-specific.  I added support for this syntax for link-local scanning
in Nmap this past May:

o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
  On Windows, this ID has to be a numeric index.  On Linux and some
  other OS's, this ID can instead be an interface name.  Some examples
  of this syntax:
    fe80::20f:b0ff:fec6:15af%2
    fe80::20f:b0ff:fec6:15af%eth0
  [Kris]

If you haven't already seen it, you may be interested in HD Moore's recent
paper[1] on IPv6, which also happens to mention the above support in Nmap.

> Thanks in advance folks.
>
> -Jason

Thanks,
Kris Katterjohn

[1] http://www.milw0rm.com/papers/233

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSPlX9f9K37xXYl36AQJJQA//U7CbAWGjw4kicDKduO6DalHvv0z+BQzc
EiuVkpTbj/FU8KOn0ND1CUXpMGnxwERibB1B8ZsU5Gm5+rqVOre/naE2tCOKL/3U
JmeUHkKnOMnANARu3Bp530ADJuPuY/IjyPbhKuqpiUvg9zKrObwhAniZWC6O0uFo
ndwUEtXGEskFHMydjK/TkxMSBB6uv3RoX4SAh0CHwqoNSbCb/GJOfB3AWvbKS2Lp
eQDa85dK9TA4I0eE7IAriU7vedLpjvIORYUI7Uy5RoUSMKphnU46mQIVJsTDyAMu
6kLOxOGzSm406LZHpDum/nn05zhRKjHD/YkRF3Viyh9fH6m6SxbPP8VMpZ4a2rDS
16KEsqY0gjjZAqZbwmJn8rD4+NT26EmO1rnK3lx0KJYpkqgCJXCUwe2tQSoDq7Uq
YiX38Wt2wCSanD/FBtJF0JfBz0QDcqERqqIAw9S9ozCOCr31LDSNQ83pFaK57Oqj
XS/n9WrSymV7YHnmh8L5dpzAjAUeVGeIVtF907U6Nma2SGCo7NGxdIn3JCw/TAP1
qa5ocSwD+RdWiQdW4NVjXJn6O4QQ6vSy/heAm008yEL0a5cmfv3OLHw32HUjhUZ+
DKQhHTL0PBzuqLLs7wIzVMM59fFds6uxY8MZAPuiipQVDI2qCGkEQ16+UERDR98n
0Gi6qMDfZ7c=
=Azzp
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org