[ipv6hackers] Help wanted: Nmap IPv6 OS Detection

Eric Vyncke (evyncke) evyncke at cisco.com
Tue Sep 27 21:59:59 CEST 2011


Rather than 'scanning', I should have written: 'doing reconnaissance on a local IPv6 network by sending ping6 ff02::1' (which BTW OS should not reply to but they do...).

The 'comic' of the situation is that nmap is used more often by CISOs than by attackers of course... CISOs need to have an inventory (cfr discussion SLAAC & DHCP)

As a side note: a rogue-RA MITM also allows for reconnaissance but this is obviously trivial... Even more trivial is MAC spoofing of the router MAC (assuming no 'port security' to speak Cisco-ese)


> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Joe Klein
> Sent: mardi 27 septembre 2011 21:35
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] Help wanted: Nmap IPv6 OS Detection
> Eric,
> Brute force scanning of an IPv6 range is impractical, as it has always
> been.  Five or six years ago I had seen discussions about feeding
> lists of IPv6 addresses into nmap to perform a scan.  Even today, I
> got a call from customers telling me about 'someone is trying to scan
> our IPv6 segments', but after reviewing the logs, they are performing
> linear scans.  [Attacker 0 | Defender 1]
> On a humorous note, we estimated the customer would be retired for six
> years, before the attacker's strategy would find the first device.
> Today, enumerating an IPv6 segment, network or infrastructure requires
> more finesse then did IPv4. Soon that will change.
> Joe Klein
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

More information about the Ipv6hackers mailing list