Re: Resources for IPv6 version detection

[David Fifield <david () bamsoftware com>]

On Thu, Aug 05, 2010 at 01:50:32PM -0600, David Fifield wrote:
> I'm looking at the TODO item "Analyze what sort of work would likely be
> required for Nmap to support OS detection over IPv6 to a target." and
> have found some resources to share. You can reply to this thread with
> any other resources you know about or OS detection techniques you've
> thought of.
>
> Kris wrote an analysis of the difficulties involved in sending raw IPv6
> packets. We don't have direct access to the packet buffer to interact
> with the header but can modify it through ancillary means. It is
> possible that we don't need such comprehensive access for OS detection
> only. It occurs to me we could work around this by manipulating a raw
> packet buffer as before, and having the sending functions peek inside it
> to set the necessary options.
>
> GSoC RFC: Raw IPv6 Scans
> http://seclists.org/nmap-dev/2008/q1/458
>
> The only program I was able to find that does IPv6 OS detection is
> SinFP. It has a mostly unified IPv4/IPv6 detection engine. Its database
> contains IPv6 fingerprints, and it can also fall back to using an IPv4
> fingerprint when an IPv6 match fails (-4 option). The following
> correlation is used between IPv4 and IPv6:
>       IPv4 ID -> IPv6 flow label
>       IPv4 TTL -> IPv6 hop limit
>       IPv4 DF -> IPv6 traffic class
>
> http://www.gomor.org/sinfp
> http://www.gomor.org/files/sinfp-jcv.pdf
>
> I found this master's thesis useful. It evaluates Nmap's IPv4 detection
> probes (section IV. B.) against IPv6 stacks (section IV. D.). It also
> proposes new IPv6-only probes (section V. A.) and tests a small number
> of them (section V. B.). It appears that the richest source of new
> fingerprinting techniques, apart perhaps from new protocols like ICMPv6,
> are extension headers.
>
> IPv6 Host Fingerprint
> http://faculty.nps.edu/xie/theses/06Sep_Nerakis.pdf
>
> A potential new protocol for OS detection is NDR.
>
> IPv6 Neighbor Discovery Protocol based OS Fingerprinting
> http://hal.inria.fr/docs/00/16/99/90/PDF/technical_report_fingerprinting.pdf
>
> This is a list of RFCs I'e highlighted as relevant so far.
>
> Internet Protocol, Version 6 (IPv6)
> http://tools.ietf.org/html/rfc2460
>
> Advanced Sockets Application Program Interface (API) for IPv6
> http://tools.ietf.org/html/rfc3542
>
> Internet Control Message Protocol (ICMPv6) for the Internet Protocol
> Version 6 (IPv6)
> http://tools.ietf.org/html/rfc4443
>
> Neighbor Discovery for IP version 6 (IPv6)
> http://tools.ietf.org/html/rfc4861

Here are some more. Matt Ryanczak gave a talk at Def Con about
implementing IPv6 at ARIN, in which he recommended to read RFC 4942, 
"IPv6 Transition/Coexistence Security Considerations."

https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Ryanczak
http://tools.ietf.org/html/rfc4942

This isn't directly related to OS detection, but THC has a suite of IPv6
tools including one called alive6 that does host discovery. I was
thinking this could be a good application of the new NSE prerules and
the proposed patch to allow scripts to add new targets to the scanning
queue.

http://freeworld.thc.org/thc-ipv6/

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/