[ipv6hackers] IPv6 scanning (was Re: Help wanted: Nmap IPv6 OSDetection)

fred fred at fredbovy.com
Tue Sep 27 23:23:57 CEST 2011


There will always be people who don't follow the safety recommendations.

I just read an RFC from Canada which recommends the mirroring for subnet
allocation à la IPv4

This is given in their security policy which is public:

Canadian Internet Registration Authority (CIRA)
Jacques Latour
Director, Information Technology
Ottawa, April 29, 2011

* IP Addressing Plan
  - Based on most efficient algorithm (RFC 3531)
  - Leftmost bits (48, 49, 50,...) are assigned to segment the site
  - The rightmost bits (63, 62, 61, 60 ...) are assigned to number the links.

This makes it easy to find active subnets at least...

Fred


On 27/09/2011 23:11, "Eric Vyncke (evyncke)" <evyncke at cisco.com> wrote:

> And of course addresses ending with ::1 or ::FF or ::abba:babe (for Swedish
> people)... I.e. a potential 'dictionary attack' against IPv4 addresses...
> 
> And for people using transition mechanism (6to4, ISATAP, ...) where the IPv4
> address is embedded (more or less) into the IPv6 address, then, scanning those
> 'pseudo IPv6 network' is related to scanning an IPv4 network such as 10/8....
> 
> -éric
> 
>> -----Original Message-----
>> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
>> bounces at lists.si6networks.com] On Behalf Of Richard Barnes
>> Sent: Tuesday, 27 September 2011 22:39
>> To: IPv6 Hackers Mailing List
>> Subject: Re: [ipv6hackers] IPv6 scanning (was Re: Help wanted: Nmap IPv6
>> OSDetection)
>> 
>> My guess is that as we see more IPv6 deployment, we'll start to see
>> some statistical tendencies in IPv6 addresses.  There will be a
>> certain noise floor driven by things like privacy addresses, but there
>> will also be some structured things that emerge from things like
>> EUI-64 addresses and DHCPv6-based addressing plans.  Ultimately, there
>> will probably be some guided probabilistic scanning that produces
>> non-useless results.
>> 
>> It would be an interesting study to do to see if there are any
>> discernible patterns.  Anyone have a bucket of known-live addresses
>> they want to loan me? :)
>> 
>> --Richard
>> 
>> 
>> 
>> On Tue, Sep 27, 2011 at 3:49 PM, Fernando Gont <fgont at si6networks.com>
>> wrote:
>>> On 09/27/2011 04:34 PM, Joe Klein wrote:
>>>> Brute force scanning of an IPv6 range is impractical, as it has always
>>>> been.
>>> 
>>> Brute force scanning is, as the name implies, brute. :-) For IPv4,
>>> there's little "return of investment" in adding heuristics/intelligence
>>> (*) to your scan approach, because the address space is small. In IPv6,
>>> the address space is much larger, and then there *is* a high potential
>>> return of investment if more brains are put into scanning techniques.
>>> 
>>> (*) I'm just referring to "how to select targets", rather than about the
>>> details of a particular scanning technique (idle-scan, ACK scan, etc.)
>>> -- i.e., nmap should make it obvious to everyone that there were/are
>>> lots of cool things to do.
>>> 
>>> 
>>>> Five or six years ago I had seen discussions about feeding
>>>> lists of IPv6 addresses into nmap to perform a scan.  Even today, I
>>>> got a call from customers telling me about 'someone is trying to scan
>>>> our IPv6 segments', but after reviewing the logs, they are performing
>>>> linear scans.  [Attacker 0 | Defender 1]
>>> 
>>> Well, this should just be taken as a script-kiddie doing network
>>> reconnaissance, and/or as a hint that there's still lots of work to do
>>> in the area of IPv6 reconnaissance. -- but never as a sign of IPv6
>>> scanning being unfeasible!
>>> 
>>> Thanks,
>>> --
>>> Fernando Gont
>>> SI6 Networks
>>> e-mail: fgont at si6networks.com
>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Ipv6hackers mailing list
>>> Ipv6hackers at lists.si6networks.com
>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>> 

-- 

Fred Bovy
fred at fredbovy.com
Skype: fredericbovy
Mobile: +33676198206
Siret: 5221049000017
Twitter: http://twitter.com/#!/FredBovy
Blog: http://fredbovyipv6.blogspot.com/
ccie #3013
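Added example, not part of the original message or any poster's code: a defender-side audit that sorts the interface identifiers in your own address inventory into the predictable patterns named in this thread (low-byte such as ::1 or ::ff, word-like values in the low 32 bits, EUI-64, embedded IPv4 via ISATAP, and the 6to4 prefix). The function names and the sample inventory are constructed for illustration; the 5efe and ff:fe markers come from the ISATAP and EUI-64 formats, not from the thread.

```python
import ipaddress
from collections import defaultdict

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # 6to4: IPv4 address sits in bits 16-47

# Constructed sample inventory (documentation prefix 2001:db8::/32, IPv4 192.0.2.1).
SAMPLE_INVENTORY = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::ff",
    "2001:db8:0:2:021a:2bff:fe3c:4d5e",   # EUI-64 derived from a MAC address
    "2001:db8:0:3:0:5efe:c000:0201",      # ISATAP, embeds 192.0.2.1
    "2002:c000:0201:1::1",                # 6to4, embeds 192.0.2.1 in the prefix
    "2001:db8:0:4::abba:babe",
    "2001:db8:0:5:8d3f:71c2:e4a9:16b7",   # randomized (privacy-style) identifier
]

def classify(addr):
    """Return the predictable-pattern labels that apply to one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)        # low 64 bits = interface identifier
    labels = []
    if ip in SIXTO4:
        labels.append("6to4-prefix")
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        labels.append("isatap")            # low 32 bits are an IPv4 address
    elif (iid >> 24) & 0xFFFF == 0xFFFE:
        labels.append("eui64")             # ff:fe inserted in the middle of a MAC
    elif iid < (1 << 16):
        labels.append("low-byte")          # ::1, ::ff, small manual numbering
    elif iid < (1 << 32):
        labels.append("low-32-bits")       # word-like or IPv4-sized value
    return labels or ["no-obvious-pattern"]

def audit(inventory):
    """Group addresses by label so the predictable ones can be reviewed."""
    groups = defaultdict(list)
    for addr in inventory:
        for label in classify(addr):
            groups[label].append(addr)
    return dict(groups)

def predictable_share(inventory):
    """Fraction of addresses matching at least one predictable pattern."""
    hits = sum(1 for a in inventory if classify(a) != ["no-obvious-pattern"])
    return hits / len(inventory)

if __name__ == "__main__":
    for label, addrs in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{label:20} {len(addrs)}  {', '.join(addrs)}")
    print(f"predictable share: {predictable_share(SAMPLE_INVENTORY):.0%}")
```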
 





