[ipv6hackers] nmap's and msf's spoofed-ra scan technique?
fgont at si6networks.com
Wed Apr 25 11:30:54 CEST 2012
After digging a bit into the aforementioned local-scan technique (see:
it turns out that nmap's script is kind of a port (?) of the
corresponding Metasploit script.
Digging into the code, I found a reference to a blog post by the author
of the (Metasploit) script.
Apparently, this "technique" was envisioned to address the case in which
a host does not respond to multicasted pings. However, this seems to
miss these two (by far cleaner) scanning vectors:
* Packets with an unrecognized option of type 10xxxxxx
* Packets with an unrecognized header
... both of which elicit ICMPv6 error messages.
Has anyone found a real world device that cannot be discovered with
these two vectors (in addition to the traditional multicasted ping6)?
Unless there's a real use case for this technique, I'd say I find it
noisy and maybe even disruptive.
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
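The two probe types named in the post, built as raw bytes so they can be inspected and fed to a classifier without root or third-party modules. This is an added example, not code from the post, from nmap or from Metasploit. Assumptions: the scanner's link-local source fe80::1, the hypothetical responder fe80::2, option type 0x80 (act bits 10, chosen as a type not assigned by IANA) and protocol number 253 (reserved for experimentation by RFC 3692). One caveat a practitioner should keep in mind: RFC 4443 section 2.4 (e.3) forbids ICMPv6 errors in reply to multicast-destined packets and exempts only Parameter Problem code 2 for an option with act bits 10, so whether a host answers the unrecognized-Next-Header probe sent to ff02::1 is implementation dependent; the classifier accepts code 1 as well so that behaviour can be observed.

```python
"""Build IPv6 discovery probes (unrecognized option / unrecognized Next Header) and
classify the ICMPv6 replies.  Added example; addresses and numbers below are assumed."""
import ipaddress
import struct

ICMPV6 = 58            # protocol number of ICMPv6
DEST_OPTS = 60         # protocol number of the Destination Options header
EXPERIMENTAL_NH = 253  # protocol number reserved for experimentation (RFC 3692)
UNASSIGNED_OPT = 0x80  # assumed: option type with act bits 10, not assigned by IANA
PARAM_PROBLEM, ECHO_REQUEST, ECHO_REPLY = 4, 128, 129

ALL_NODES = "ff02::1"  # all-nodes link-local multicast group
SRC = "fe80::1"        # assumed link-local address of the scanner


def _addr(a) -> ipaddress.IPv6Address:
    return a if isinstance(a, ipaddress.IPv6Address) else ipaddress.IPv6Address(a)


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; zero-pads odd-length input."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src, dst, icmp: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the ICMPv6 message (RFC 4443 2.3).
    Extension headers between IPv6 and ICMPv6 do not enter the pseudo-header."""
    pseudo = _addr(src).packed + _addr(dst).packed + struct.pack("!I3xB", len(icmp), ICMPV6)
    return checksum16(pseudo + icmp)


def ipv6_header(src, dst, next_header: int, payload_len: int, hop_limit: int = 255) -> bytes:
    # version 6, traffic class 0, flow label 0, then payload length / next header / hop limit
    fixed = struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit)
    return fixed + _addr(src).packed + _addr(dst).packed


def icmpv6_message(src, dst, typ: int, code: int, rest: bytes) -> bytes:
    """Assemble an ICMPv6 message with the checksum field filled in."""
    msg = struct.pack("!BBH", typ, code, 0) + rest
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def echo_request(src, dst, ident: int = 0x1234, seq: int = 1, data: bytes = b"probe") -> bytes:
    return icmpv6_message(src, dst, ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + data)


def dest_opts_unrecognized(inner_next_header: int, opt_type: int = UNASSIGNED_OPT) -> bytes:
    """Destination Options header carrying one unrecognized option.  Act bits 10 make the
    receiver discard the packet and send Parameter Problem code 2 even when the destination
    is multicast (RFC 2460 4.2, RFC 4443 2.4 e.3)."""
    if opt_type >> 6 != 0b10:
        raise ValueError("option type must have act bits 10")
    option = struct.pack("!BB", opt_type, 4) + b"\x00" * 4    # type, len, 4 data bytes
    return struct.pack("!BB", inner_next_header, 0) + option   # ext len 0 -> 8 bytes total


def probe_unrecognized_option(src=SRC, dst=ALL_NODES) -> bytes:
    """Vector 1: IPv6 + Destination Options (unknown option) + ICMPv6 Echo Request."""
    echo = echo_request(src, dst)
    opts = dest_opts_unrecognized(ICMPV6)
    return ipv6_header(src, dst, DEST_OPTS, len(opts) + len(echo)) + opts + echo


def probe_unrecognized_next_header(src=SRC, dst=ALL_NODES) -> bytes:
    """Vector 2: IPv6 whose Next Header names a protocol the receiver does not implement."""
    payload = b"\x00" * 8   # arbitrary bytes following the unknown header
    return ipv6_header(src, dst, EXPERIMENTAL_NH, len(payload)) + payload


def parameter_problem(src, dst, code: int, pointer: int, invoking: bytes) -> bytes:
    """Reply a host sends: type 4, pointer to the offending byte, then as much of the
    invoking packet as fits in the minimum MTU (1280 - 40 - 8; RFC 4443 3.4)."""
    rest = struct.pack("!I", pointer) + invoking[:1232]
    msg = icmpv6_message(src, dst, PARAM_PROBLEM, code, rest)
    return ipv6_header(src, dst, ICMPV6, len(msg)) + msg


def classify(pkt: bytes):
    """Classify a received IPv6 packet.  Returns (responder, kind, pointer) for a
    checksum-valid Echo Reply or Parameter Problem code 1/2, otherwise None."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    plen = struct.unpack("!H", pkt[4:6])[0]
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    icmp = pkt[40:40 + plen]
    if len(icmp) < 8 or icmpv6_checksum(src, dst, icmp) != 0:  # valid checksum verifies to 0
        return None
    typ, code, pointer = struct.unpack("!BBxxI", icmp[:8])
    if typ == ECHO_REPLY:
        return str(src), "echo-reply", None
    if typ == PARAM_PROBLEM and code in (1, 2):
        return str(src), {1: "unrecognized-next-header", 2: "unrecognized-option"}[code], pointer
    return None


if __name__ == "__main__":
    probe = probe_unrecognized_option()
    # Constructed reply from the hypothetical host fe80::2; pointer 42 is the offset of the
    # option type (40-byte IPv6 header + 2-byte Destination Options preamble).
    reply = parameter_problem("fe80::2", SRC, 2, 42, probe)
    print(classify(reply))  # ('fe80::2', 'unrecognized-option', 42)
```

Putting the probes on the wire needs a link-layer (AF_PACKET or BPF) socket, since IPv6 raw sockets do not let a process supply the IPv6 header; the returned frames can then be handed to classify() after the Ethernet header is stripped. The pointer value in a Parameter Problem tells you which probe a host answered even when several are in flight: 42 for the option probe built here, 6 (the Next Header field of the base header) for the Next Header probe.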