[ipv6hackers] Scanning for IPv6 addresses embedding TCP/UDP service ports
Fernando Gont
fgont at si6networks.com
Fri Feb 22 03:15:17 CET 2013
Folks,
Based on Tor's suggestion, I'm planning to enhance the scan6 tool to be
able to scan for IPv6 addresses embedding service ports (for example,
addresses such as fc00:1::25, fc00:1::80, etc.).
Looking at /etc/services, these are the service port numbers that, at
first sight, looked worthwhile to include:
---- cut here ----
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp mail
tacacs 49/tcp # Login Host Protocol (TACACS)
domain 53/tcp # Domain Name Server
http 80/tcp www # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
ntp 123/tcp
bgp 179/tcp # Border Gateway Protocol
imap3 220/tcp # Interactive Mail Access
ldap 389/tcp # Lightweight Directory Access Protocol
https 443/tcp # http protocol over TLS/SSL
dhcpv6-server 547/tcp
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
openvpn 1194/tcp
mysql 3306/tcp
sip 5060/tcp # Session Initiation Protocol
sip-tls 5061/tcp
postgresql 5432/tcp postgres # PostgreSQL Database
mysql-proxy 6446/tcp # MySQL Proxy
http-alt 8080/tcp webcache # WWW caching service
---- cut here ----
For obvious reasons, the transport-protocol above (i.e., TCP vs. UDP) is
meaningless, since we're not scanning *ports* but rather IPv6 addresses
that embed service ports.
Two related questions are:
* Have I missed any interesting ports?
* Have I included any ports that are not really worthwhile? (and hence
I should probably remove them from the list).
And, finally:
* I was considering that, for every service port, scan6 should probably
scan for:
PREFIX::0-5:PORT
This would mean that when scanning for an IPv6 address from the prefix
fc00:1::/64 embedding port 80, we'd probe these addresses:
fc00:1::0:80
fc00:1::1:80
fc00:1::2:80
fc00:1::3:80
fc00:1::4:80
fc00:1::5:80
The idea is, of course, to target addresses that embed the service
port, but also to vary the second lowest-order word.
Has anyone seen these patterns? Does it make sense to add them as part
of "scan for IPv6 addresses embedding service ports"?
Should we just scan for fc00:1::port? Or maybe expand the range a bit as in:
PREFIX::0-5:0-5:0-5:port?
Thoughts and/or comments welcome :-)
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
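The candidate-generation scheme discussed in the message above (PREFIX::PORT, PREFIX::0-5:PORT and the wider PREFIX::0-5:0-5:0-5:PORT), written out as an added Python example. This is not scan6 code and not from the original post; it only builds the list of addresses such a scan would probe, so the reader can see how the address space grows with each extra variable word. It assumes a /64 prefix and reproduces the post's list of ports as its sample input. One point the post leaves implicit: the address text fc00:1::80 means the decimal digits "80" written as a hex word (numeric value 0x80), which is what the default reproduces; the optional hex_value=True form (port 80 -> ::50) is my own assumption about how some operators might encode ports, not something the post states.

```python
import ipaddress
from itertools import product

# Service ports from the post's candidate list (constructed sample input).
SERVICE_PORTS = [21, 22, 23, 25, 49, 53, 80, 110, 123, 179, 220, 389,
                 443, 547, 993, 995, 1194, 3306, 5060, 5061, 5432, 6446, 8080]


def port_word(port, hex_value=False):
    """Return the 16-bit value that makes the lowest address word *read* as the port.

    Default (hex_value=False): the human-readable form from the post, fc00:1::80,
    i.e. the decimal digits of the port written literally as a hex word (so the
    word's numeric value is 0x80, not 80).  With hex_value=True the word is the
    port's numeric value instead (80 -> ::50); this variant is an assumption
    about other operators' habits, not taken from the post.
    Returns None when the word does not fit in 16 bits (e.g. the literal form of
    port 65535 would be 0x65535).
    """
    word = port if hex_value else int(str(port), 16)
    return word if 0 <= word <= 0xFFFF else None


def embedded_port_candidates(prefix, ports=SERVICE_PORTS, word_range=range(6),
                             variable_words=1, hex_value=False):
    """Build the addresses a port-embedding scan would probe under a prefix.

    prefix         : a /64 (or shorter) such as 'fc00:1::/64'
    ports          : service ports to embed in the lowest 16-bit word
    word_range     : values tried in each variable word (the post suggests 0-5)
    variable_words : how many words directly above the port word to vary:
                     0 -> PREFIX::PORT, 1 -> PREFIX::v:PORT, 3 -> PREFIX::v:v:v:PORT
    Returns an ordered, de-duplicated list of ipaddress.IPv6Address.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("expected a /64 or shorter prefix, got %s" % prefix)
    if not 0 <= variable_words <= 3:
        raise ValueError("at most three variable words fit above the port word")
    base = int(net.network_address)
    seen, out = set(), []
    for port in ports:
        low = port_word(port, hex_value)
        if low is None:
            continue  # port text does not fit in one word; nothing to embed
        for combo in product(word_range, repeat=variable_words):
            iid = low
            # combo[0] sits just above the port word, combo[1] above that, ...
            for k, value in enumerate(combo):
                iid |= value << (16 * (k + 1))
            addr = ipaddress.IPv6Address(base | iid)
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


def candidate_count(prefix, **kw):
    """Number of probes the scan would send for the given options."""
    return len(embedded_port_candidates(prefix, **kw))


if __name__ == "__main__":
    # The six addresses the post lists for port 80 under fc00:1::/64.
    for a in embedded_port_candidates("fc00:1::/64", ports=[80]):
        print(a)
    # Cost of the wider PREFIX::0-5:0-5:0-5:port sweep over the whole port list.
    print(candidate_count("fc00:1::/64", variable_words=3))
```

With one variable word the 23 ports above cost 6 probes each (138 addresses per /64); with three variable words it is 6^3 = 216 per port, 4968 per /64, which is still tiny next to a 2^64 brute force but already an order of magnitude more traffic than the plain PREFIX::port probe.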