[ipv6hackers] Help wanted: Nmap IPv6 OS Detection

Fyodor fyodor at insecure.org
Tue Sep 27 19:41:28 CEST 2011


Hi folks.  It has been great to see this list take off in the last
week and discuss so many security issues.

At the Nmap Project, we've made IPv6 a high priority.  We've supported
the basics (e.g. TCP port scanning and host discovery) since 2002, but
we've lately expanded that to include raw packet scans (SYN scan, ACK
scan, etc.), UDP, multicast host discovery, traceroute, etc.  Nmap.org
has an AAAA record, and we also have scanme.nmap.org/scanmev6.nmap.org
for people to test against.

Another thing we're working on (and the main point of this email) is
IPv6 OS detection.  We've developed a system that we think has a lot
of potential, but we need to collect an initial training set of IPv6
fingerprints for the database.  I'm hoping some of you can help.
We've tried to make the process as easy as possible.

You can generate fingerprints using the latest SVN version of Nmap, or
by grabbing 5.61TEST1 from http://nmap.org/download.html.  We have
Windows, Mac, and Linux binary packages available.

STEP 1, Finding the IPv6 machines on your network (if you don't
already know their addresses):

Once you have Nmap compiled or installed, you can start with a command
like this to find IPv6 addresses on your network:

nmap -6 -sP -v -e eth0 --script targets-ipv6-multicast-echo,targets-ipv6-multicast-slaac --script-args newtargets

In the command above, you might need to specify a different interface
than eth0.  Try 'nmap --iflist' for a list of candidates.

You should be able to see the MAC addresses and vendor, which should
give a clue as to which devices they are.  You might be surprised at
what you find.  For example, I had no idea that my printer was
listening on IPv6.

Another way to get addresses is to log into machines and use ifconfig
(UNIX) or ipconfig (Win) to learn about any configured IPv6 addresses.
Even if the user hasn't configured one themselves or used IPv6, they
often at least have link local addresses that you can scan from
another machine on the same network segment.

STEP 2, Collecting and submitting fingerprints:

Once you've decided what device(s) to scan, you can do so like:

nmap -6 -A -v [IPv6 hostname(s) or address(es) here]

Note that it will go faster with just -O instead of -A, but I like to
use the latter as a sort of sanity check to ensure (from the version
banners, etc.) that I'm scanning the machine I think I am.  Bad
submissions can corrupt the DB, which would be a huge shame when it is
just getting started like this.

Nmap will print a fingerprint (it's labeled so you'll recognize it)
for each machine.  Then you just need to cut & paste it into our
simple web form, along with information about the remote system's OS.
Here is the form:

http://insecure.org/cgi-bin/submit.cgi?new-os
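If you are scanning more than a handful of hosts, it helps to save the normal output (add -oN scan.txt to the command above) and pull the labeled fingerprint block out per host, together with the version banners that serve as the sanity check mentioned above. The script below is an added example, not part of this email or of Nmap itself: it parses Nmap's normal output, collects the "OS:" fingerprint lines for each "Nmap scan report for" section, keeps the MAC/vendor line and open-port banners next to them, and only emits hosts whose fingerprint carries E=6 in its SCAN line. The sample output embedded in it is constructed (addresses, MAC, banners and every fingerprint field are made up; only the labels follow Nmap's normal-output layout), and reading the IP version from the E= field of the SCAN line is my assumption about the fingerprint format.

```python
import re

# Constructed sample of `nmap -6 -A -v -oN scan.txt <targets>` normal output.
# Addresses, MAC, banners and all fingerprint fields are invented; only the layout
# (scan report header, PORT table, "TCP/IP fingerprint:" header, "OS:" lines)
# follows how Nmap labels these things.
SAMPLE_OUTPUT = """\
# Nmap 5.61TEST1 scan initiated Tue Sep 27 20:05:01 2011 as: nmap -6 -A -v -oN scan.txt fe80::1 fe80::2
Nmap scan report for fe80::1
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.16
MAC Address: 00:11:22:33:44:55 (Constructed Vendor)
No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.61TEST1%E=6%D=9/27%OT=22%CT=1%CU=31337%PV=N%DS=1%DC=D%G=Y%M=001122%T
OS:M=4E821C2D%P=x86_64-unknown-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CC)
OS:IE(R=Y%DFI=N%T=40%CD=S)

Nmap scan report for fe80::2
Host is up (0.0030s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
631/tcp open  ipp     CUPS 1.4
MAC Address: 66:77:88:99:AA:BB (Constructed Vendor)
Too many fingerprints match this host to give specific OS details

# Nmap done at Tue Sep 27 20:05:40 2011 -- 2 IP addresses (2 hosts up) scanned in 39.12 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S.*)$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: (\S+) \((.*)\)$")
# Assumption: the E= field of the SCAN line holds the IP version (4 or 6).
SCAN_RE = re.compile(r"SCAN\(V=([^%]*)%E=(\d)%")


def parse_nmap_output(text):
    """Split normal output into one record per host: open-port banners,
    MAC/vendor (when shown) and the raw 'OS:' fingerprint lines."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1).strip(), "services": [],
                       "mac": None, "fingerprint": []}
            hosts.append(current)
            continue
        if current is None:
            continue  # preamble before the first host
        m = PORT_RE.match(line)
        if m:
            current["services"].append((m.group(1), m.group(2), m.group(3).strip()))
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = (m.group(1), m.group(2))
            continue
        if line.startswith("OS:"):
            current["fingerprint"].append(line)
    return hosts


def fingerprint_ip_version(host):
    """IP version recorded in the fingerprint's SCAN line, or None if absent."""
    raw = "".join(l[len("OS:"):] for l in host["fingerprint"])
    m = SCAN_RE.search(raw)
    return int(m.group(2)) if m else None


def submission_blocks(text):
    """Hosts that actually have an IPv6 fingerprint, with the text to paste
    into the form and the banners used to confirm which box was scanned."""
    blocks = []
    for h in parse_nmap_output(text):
        if not h["fingerprint"] or fingerprint_ip_version(h) != 6:
            continue
        blocks.append({
            "host": h["host"],
            "mac": h["mac"],
            "services": h["services"],
            "fingerprint": "\n".join(h["fingerprint"]),
        })
    return blocks


if __name__ == "__main__":
    for b in submission_blocks(SAMPLE_OUTPUT):
        print("Host:", b["host"], "MAC:", b["mac"])
        for port, svc, banner in b["services"]:
            print("  ", port, svc, banner)
        print("Fingerprint to paste:")
        print(b["fingerprint"])
        print()
```

Run it against your own saved output by replacing SAMPLE_OUTPUT with the file contents; the second constructed host shows the skip case (no fingerprint printed), so it never produces a half-empty submission.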

We're hoping to formally release this new OS detection system as soon
as we receive and integrate enough fingerprints to make it reliable.
So the sooner you can get fingerprints in to us, the sooner we can
release.  Submissions today and tomorrow would be particularly useful
:).

Also, the raw packet IPv6 code and the IPv6 OS detection code are very
new.  So please tell us if you encounter any problems.  We have bug
reporting instructions at http://nmap.org/book/man-bugs.html.

I hope that improving IPv6 support in networking tools (Nmap in this
case) will encourage greater adoption of IPv6 in general.

Thanks,
Fyodor
