[ipv6hackers] nmap's and msf's spoofed-ra scan technique?

Fernando Gont fgont at si6networks.com
Wed Apr 25 11:30:54 CEST 2012


Folks,

After digging a bit into the aforementioned local-scan technique (see:
<http://lists.si6networks.com/pipermail/ipv6hackers/2012-March/000500.html>),
it turns out that nmap's script is kind of a port (?) of the
corresponding Metasploit's script.

Digging into the code, I found a reference to a blog post by the author
of the (metasploit's) script
<http://wuntee.blogspot.com.ar/2010/11/ipv6-link-local-host-discovery-concept.html>

Apparently, this "technique" was envisioned to address the case in which
a host does not respond to multicasted pings. However, this seems to
miss these two (by far cleaner) scanning vectors:

* Packets with an unrecognized option of type 10xxxxxx
* Packets with an unrecognized header

... both of which elicit ICMPv6 error messages.

Has anyone found a real world device that cannot be discovered with
these two vectors (in addition to the traditional multicasted ping6)?

Unless there's a real use case for this technique, I'd say I find it
noisy and maybe even disruptive.

Thoughts?

Thanks!
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





More information about the Ipv6hackers mailing list