Nmap Development mailing list archives

Re: Finding v6 hosts by efficiently mapping ip6.arpa


From: Fyodor <fyodor () insecure org>
Date: Wed, 4 Apr 2012 11:34:36 -0700

On Sun, Apr 01, 2012 at 03:06:48PM +0200, Patrik Karlsson wrote:

> I just committed an Nmap script called dns-ip6-arpa-scan.nse, that
> implements the technique.  It uses multiple threads to do the lookup
> and I was amazed by the result.

That's a great script!  And with the recent changes by David, it is
working well for me.  Here are some ideas for improvement in case you
or anyone else (perhaps one of the SoC NSE applicants) finds more time
to work on this:

o Instead of separate "prefix" and "mask" arguments, maybe it could
  support them together like Nmap generally does for IPv4.  Examples
  could be "2600:3c01::f03c:91ff:fe93:cd19/112",
  "scanme.nmap.org/112", or "2600:3c01/32".  Besides being an easier
  syntax to use, this would allow the script to accept multiple
  prefixes/masks.

o It should probably be a targets-* script (like
  targets-ipv6-multicast-echo and such) so that discovered hosts
  can be easily added to the scan queue.

o It might be desirable to check for wildcard DNS so that it doesn't
  spend a huge amount of time (and results space) enumerating giant
  wildcarded blocks.

o Marc Heuse says that his dnsrevenum6 can scan 2a01:238:42a8::/48 in
  8 seconds and finds 4 hosts.  But when I just tried with Nmap, it
  took 505 seconds and didn't find any hosts.  I used this command:

  nmap -v --script dns-ip6-arpa-scan --script-args='prefix=2a01:238:42a8:e700,mask=48'

o This is a minor detail, but I am a bit torn about whether the name
  should contain "ip6" (as now) or "ipv6" (as our other IPv6 scripts
  do).  Even though it actually is walking "ip6.arpa", I'm leaning
  toward the idea that "ipv6" would be better in the script name.

o Another minor detail is that it would be nice if it printed the
  number of hosts discovered.  This could go in the "dns-ip6-arpa-scan:"
  line which is otherwise empty anyway.

In an ideal world, we could use an upgraded version of this script to
scan the whole IPv6 Internet :).

The script did work well when I scanned the /112's of scanme.nmap.org
and nmap.org.  Example:

# ./nmap -v --script dns-ip6-arpa-scan --script-args='prefix=2600:3c01::f03c:91ff:fe93:cd19,mask=112'

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-04 10:41 PDT
[Cut some verbose lines]
Pre-scan script results:
| dns-ip6-arpa-scan: 
| ip                                 ptr
| 2600:3c01:0:0:f03c:91ff:fe93:1130  athena.bitcasa.com
| 2600:3c01:0:0:f03c:91ff:fe93:115c  node2.amphibious.org
| 2600:3c01:0:0:f03c:91ff:fe93:12d8  lizardwiki.dyndns.org
| 2600:3c01:0:0:f03c:91ff:fe93:1441  linode.jnraptor.com
| 2600:3c01:0:0:f03c:91ff:fe93:146a  durandal.rampant.io
| 2600:3c01:0:0:f03c:91ff:fe93:14b3  pinepara.info
| 2600:3c01:0:0:f03c:91ff:fe93:14e0  neptune.lucidwebdesign.net
| 2600:3c01:0:0:f03c:91ff:fe93:14e1  mynode.nl
| 2600:3c01:0:0:f03c:91ff:fe93:1674  redis.tigerlilyplatform.com
| 2600:3c01:0:0:f03c:91ff:fe93:1a18  katherine.fremont.ca.us.nisn.nasutek.org
| 2600:3c01:0:0:f03c:91ff:fe93:1a31  facepalm.jpe.gs
| 2600:3c01:0:0:f03c:91ff:fe93:1d85  dev.thehousecat.com
| 2600:3c01:0:0:f03c:91ff:fe93:1dee  ipv6.leopard.net
| 2600:3c01:0:0:f03c:91ff:fe93:1e2   mongo.runwire.com
| 2600:3c01:0:0:f03c:91ff:fe93:1fb0  linode.vps.icybear.net
| 2600:3c01:0:0:f03c:91ff:fe93:268c  espresso.killd9.net
| 2600:3c01:0:0:f03c:91ff:fe93:2901  sank.pentabarf.net
| 2600:3c01:0:0:f03c:91ff:fe93:2a25  lembacon.com
| 2600:3c01:0:0:f03c:91ff:fe93:2f2a  booleanhaiku.com
| 2600:3c01:0:0:f03c:91ff:fe93:2f8e  tndb.us
| 2600:3c01:0:0:f03c:91ff:fe93:30bf  lukecod.es
| 2600:3c01:0:0:f03c:91ff:fe93:31a9  srv-9331a9.frem.xl12.net
| 2600:3c01:0:0:f03c:91ff:fe93:336e  jedediahsmith.kashpureff.com
| 2600:3c01:0:0:f03c:91ff:fe93:344d  pyro.fbrtech.com
| 2600:3c01:0:0:f03c:91ff:fe93:39cc  server.imycard.com
| 2600:3c01:0:0:f03c:91ff:fe93:3add  www6.labelswitched.net
| 2600:3c01:0:0:f03c:91ff:fe93:3c89  crankshaft.activeservices.net.au
| 2600:3c01:0:0:f03c:91ff:fe93:3caa  redis-demo.tigerlilyplatform.com
| 2600:3c01:0:0:f03c:91ff:fe93:4d7a  ca-01.us.nurve.com.au
| 2600:3c01:0:0:f03c:91ff:fe93:51d3  mail.hamachi.us
| 2600:3c01:0:0:f03c:91ff:fe93:51e6  cougar.ca.mumbleboxes.com
| 2600:3c01:0:0:f03c:91ff:fe93:526e  ipv6.dmright.com
| 2600:3c01:0:0:f03c:91ff:fe93:5290  derpatron.qial.net
| 2600:3c01:0:0:f03c:91ff:fe93:561c  atreides.flpghlp.com
| 2600:3c01:0:0:f03c:91ff:fe93:5a09  bid1.bid.bespokeinnovations.com
| 2600:3c01:0:0:f03c:91ff:fe93:5cfe  remy.s.zbasu.net
| 2600:3c01:0:0:f03c:91ff:fe93:5d4b  2600:3c01::f03c:91ff:fe93:5d4b
| 2600:3c01:0:0:f03c:91ff:fe93:60bb  discovery.wyldryde.org
| 2600:3c01:0:0:f03c:91ff:fe93:6418  hydrogen.deeperdesign.co:0:f03c:91ff:fe93:e332  theplanet.ca
| 2600:3c01:0:0:f03c:91ff:fe93:e3a3  freecnam.org
| 2600:3c01:0:0:f03c:91ff:fe93:e3b   zeus.dodekatheon.puxlit.net
| 2600:3c01:0:0:f03c:91ff:fe93:e565  mail.icanhaz.ca
| 2600:3c01:0:0:f03c:91ff:fe93:e6f3  lin6.ingber.com
| 2600:3c01:0:0:f03c:91ff:fe93:eabc  www.benjaminpike.net
| 2600:3c01:0:0:f03c:91ff:fe93:eb17  h1tman.com
| 2600:3c01:0:0:f03c:91ff:fe93:ec49  factory.tigerlilyplatform.com
| 2600:3c01:0:0:f03c:91ff:fe93:ee5f  server.imycard.com
| 2600:3c01:0:0:f03c:91ff:fe93:f174  server.imycard.com
| 2600:3c01:0:0:f03c:91ff:fe93:f4db  rww.name
| 2600:3c01:0:0:f03c:91ff:fe93:f5df  arpa.unixnode.org
| 2600:3c01:0:0:f03c:91ff:fe93:f65   virtual-server-02.zone12.net
| 2600:3c01:0:0:f03c:91ff:fe93:f73c  es2eng.com
| 2600:3c01:0:0:f03c:91ff:fe93:fa80  linss.com
| 2600:3c01:0:0:f03c:91ff:fe93:fab2  theleakycauldron.niftystopwatch.net
| 2600:3c01:0:0:f03c:91ff:fe93:fafd  rolandwarmerdam.co.nz
|_2600:3c01:0:0:f03c:91ff:fe93:fb19  caravanserai.manxomefae.com
Nmap done: 0 IP addresses (0 hosts up) scanned in 535.55 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
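As an added illustration (not the dns-ip6-arpa-scan.nse source and not code from this thread), the pieces the bullets above ask for, in Python: the combined prefix/mask syntax, the ip6.arpa nibble walk whose NXDOMAIN pruning is what keeps a /48 scan tractable, and the wildcard check. The resolver is modelled as a function returning "NXDOMAIN", "NOERROR" (name exists, no PTR) or a PTR target; make_lookup builds a constructed in-memory stand-in for DNS, the hostname form of the syntax is assumed to be resolved beforehand, and all helper names are my own.

```python
import ipaddress
import random

def parse_target(spec):
    """Parse the combined "prefix/mask" syntax proposed above (address literals
    only; "scanme.nmap.org/112" would need resolving first). "2600:3c01/32" is
    padded with "::", and host bits beyond the mask are cleared."""
    addr, _, plen = spec.partition("/")
    if ":" not in addr:
        raise ValueError("resolve the hostname to an address first: " + addr)
    if "::" not in addr and addr.count(":") < 7:
        addr += "::"
    return ipaddress.ip_network(f"{addr}/{plen or 128}", strict=False)

def arpa_zone(net):
    """ip6.arpa name of a nibble-aligned prefix, plus the labels left to walk."""
    if net.prefixlen % 4:
        raise ValueError("mask must be a multiple of 4 for a nibble walk")
    keep = net.prefixlen // 4
    nibbles = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(nibbles[:keep])) + ".ip6.arpa", 32 - keep

def is_wildcard(zone, depth, lookup):
    """True if a random name under the zone resolves, i.e. the block is wildcarded."""
    rnd = ".".join(random.choice("0123456789abcdef") for _ in range(depth))
    return lookup(f"{rnd}.{zone}") != "NXDOMAIN"

def walk(zone, depth, lookup, found=None):
    """Depth-first nibble walk: NXDOMAIN prunes the whole subtree, NOERROR
    means descend, a PTR at full depth is a host. Returns {name: ptr}."""
    found = {} if found is None else found
    for nib in "0123456789abcdef":
        child = f"{nib}.{zone}"
        answer = lookup(child)
        if answer == "NXDOMAIN":
            continue
        if depth > 1:
            walk(child, depth - 1, lookup, found)
        elif answer != "NOERROR":
            found[child] = answer
    return found

def make_lookup(ptr_records):
    """Constructed in-memory resolver over {ip6.arpa name: ptr}, standing in
    for real DNS: a name exists if any record lies below it."""
    def lookup(name):
        if name in ptr_records:
            return ptr_records[name]
        return "NOERROR" if any(r.endswith("." + name) for r in ptr_records) else "NXDOMAIN"
    return lookup
```

With two hosts in a /112 the walk issues 112 queries instead of 65536; a server that answers NOERROR for every label (wildcard, or one that never returns NXDOMAIN) defeats the pruning, which is why the check belongs before the walk.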