Nmap Development mailing list archives
Re: Finding v6 hosts by efficiently mapping ip6.arpa
From: Fyodor <fyodor () insecure org>
Date: Wed, 4 Apr 2012 11:34:36 -0700
On Sun, Apr 01, 2012 at 03:06:48PM +0200, Patrik Karlsson wrote:

> I just committed an Nmap script called dns-ip6-arpa-scan.nse that implements the technique. It uses multiple threads to do the lookup and I was amazed by the result.
That's a great script! And with the recent changes by David, it is working well for me. Here are some ideas for improvement in case you or anyone else (perhaps one of the SoC NSE applicants) finds more time to work on this:

o Instead of separate "prefix" and "mask" arguments, maybe it could support them together like Nmap generally does for IPv4. Examples could be "2600:3c01::f03c:91ff:fe93:cd19/112", "scanme.nmap.org/112", or "2600:3c01/32". Besides being an easier syntax to use, this would allow the script to accept multiple prefixes/masks.

o It should probably be a targets-* script (like targets-ipv6-multicast-echo and such) so that discovered hosts can be easily added to the scan queue.

o It might be desirable to check for wildcard DNS so that it doesn't spend a huge amount of time (and results space) enumerating giant wildcarded blocks.

o Marc Heuse says that his dnsrevenum6 can scan 2a01:238:42a8::/48 in 8 seconds, finding 4 hosts. But when I just tried with Nmap, it took 505 seconds and didn't find any hosts. I used this command:

nmap -v --script dns-ip6-arpa-scan --script-args='prefix=2a01:238:42a8:e700,mask=48'

o This is a minor detail, but I am a bit torn about whether the name should contain "ip6" (as now) or "ipv6" (as our other IPv6 scripts do). Even though it actually is walking "ip6.arpa", I'm leaning toward the idea that "ipv6" would be better in the script name.

o Another minor detail is that it would be nice if it printed the number of hosts discovered. This could go in the "dns-ip6-arpa-scan:" line which is otherwise empty anyway.

In an ideal world, we could use an upgraded version of this script to scan the whole IPv6 Internet :). The script did work well when I scanned the /112's of scanme.nmap.org and nmap.org.
Example:

# ./nmap -v --script dns-ip6-arpa-scan --script-args='prefix=2600:3c01::f03c:91ff:fe93:cd19,mask=112'
Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-04 10:41 PDT
[Cut some verbose lines]
Pre-scan script results:
| dns-ip6-arpa-scan:
| ip                                    ptr
[...]
Nmap done: 0 IP addresses (0 hosts up) scanned in 535.55 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
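An added illustration of two points raised in the mail above, the combined "prefix/mask" argument syntax and the ip6.arpa reverse-tree walk the script performs; this is example code written for this page, not code from dns-ip6-arpa-scan.nse or Nmap. It parses a spec into ip6.arpa nibble labels and walks a constructed in-memory zone under the documentation prefix 2001:db8::/32 (assumption: an NXDOMAIN-style miss on a label means the whole subtree is empty, which is what makes the walk cheap); host names in the spec, such as "scanme.nmap.org/112", are not resolved here.

```python
import ipaddress


def prefix_to_arpa_labels(spec):
    """Parse a combined 'prefix/mask' spec (the syntax suggested in the mail)
    into the ip6.arpa nibble labels covering the prefix, most-significant first.
    Assumption: the prefix is a literal address, not a host name."""
    net = ipaddress.IPv6Network(spec, strict=False)
    if net.prefixlen % 4:
        raise ValueError("mask must be a multiple of 4 for a nibble walk")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    return list(nibbles[: net.prefixlen // 4])


def arpa_name(nibbles):
    """Reverse the nibble list into an ip6.arpa owner name."""
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def walk(spec, zone):
    """Depth-first walk of the reverse tree under `spec`.
    `zone` maps 32-nibble ip6.arpa names to PTR targets and stands in for the
    authoritative server: a name with data at or beneath it answers NOERROR,
    anything else NXDOMAIN, so an empty subtree costs exactly one query."""
    found, queries = {}, 0

    def exists(name):  # constructed stand-in for a DNS query (no network I/O)
        return any(n == name or n.endswith("." + name) for n in zone)

    def descend(nibbles):
        nonlocal queries
        queries += 1
        name = arpa_name(nibbles)
        if not exists(name):
            return                      # NXDOMAIN: prune the whole subtree
        if len(nibbles) == 32:
            found[name] = zone[name]    # leaf: a real PTR record
            return
        for nib in "0123456789abcdef":
            descend(nibbles + [nib])

    descend(prefix_to_arpa_labels(spec))
    return found, queries


# Constructed sample zone: two hosts inside 2001:db8::/112.
ZONE = {
    arpa_name(list(ipaddress.IPv6Address(a).exploded.replace(":", ""))): ptr
    for a, ptr in [("2001:db8::1130", "host-a.example."),
                   ("2001:db8::115c", "host-b.example.")]
}

if __name__ == "__main__":
    hosts, n = walk("2001:db8::/112", ZONE)
    print(f"{len(hosts)} hosts found with {n} queries (brute force: 65536)")
```

The query counter is the figure to watch: a /112 holding two hosts is resolved in 81 queries instead of 65536, and a wildcarded zone would defeat the pruning because every label answers NOERROR, which is why the wildcard check suggested above matters.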