[ipv6hackers] IPv6 scanning (was Re: Help wanted: Nmap IPv6 OS Detection)

Joe Klein jsklein at gmail.com
Wed Sep 28 03:39:11 CEST 2011


So what is the ROI for adding heuristics/intelligence to any
reconnaissance, be it IPv4 or IPv6? It makes my audit, assessment or
pen test faster!  I don't know how your customers are, but mine set
deadlines for testing, and if I can't find the devices during the
recon phase, I can never deliver a great result. Kind of why I wrote
my own tools... Get the job done, and do a great job.

Also, the ROI for a defender is fast discovery of devices on a
network, especially if the infrastructure was poorly architected and
managed.  I keep seeing IPv4 thinking on IPv6 networks, thank you IT!

Also, I applaud Fyodor and his team for their work on the IPv6 Nmap
update.  I sent Fyodor an algorithm I use to quickly discover ISATAP
tunnels on different types of networks.

The scanning I mentioned earlier today: it turned out to be an
auditor with one of those big auditing firms. In the auditor's case, they
needed a brief on IPv6 or yet another magical tool to do that job for

I respectfully disagree; current IPv6 scanning from an arbitrary
endpoint is unfeasible.  Just as unfeasible as it was in 1988, when I
had access to 64k lines, no roadmap (now called ARIN and RIR/CIR) and
no tools. Brute-forcing addresses with ICMP messages was the only way to
'test' whether systems existed. Glad I learned about IPv4 broadcast
addresses, similar to ff02::1 or ff05::1 in IPv6.

Fernando, I do agree, there is a need for a lot of education to move
management, IT, security, audit and product vendors to the 'next

Joe Klein
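The post above touches on two discovery tricks without showing either: probing the all-nodes multicast group instead of brute-forcing a /64, and spotting ISATAP tunnel endpoints. The script below is an added example and is not the algorithm Joe Klein sent Fyodor, nor Nmap code. It relies only on the ISATAP interface-identifier layout from RFC 5214 (the low 64 bits are `0000:5efe:<IPv4>` for private or `0200:5efe:<IPv4>` for global embedded IPv4 addresses), so it flags ISATAP hosts under any prefix, not just `fe80::/64`. The neighbor-cache lines are constructed sample input in `ip -6 neigh` format; the probe command assumes Linux iputils `ping6`.

```python
"""Find ISATAP tunnel endpoints from a local neighbor cache.

Workflow (Linux, run as a user allowed to send ICMPv6):
  1. ping6 ff02::1 on the link so every node answers and populates the
     neighbor cache (the multicast shortcut from the post above).
  2. Read `ip -6 neigh` and look for ISATAP interface identifiers.
"""
import ipaddress
import subprocess
from typing import List, Optional, Tuple

# RFC 5214 ISATAP IIDs: upper 32 bits of the interface identifier are
# 0000:5efe (private IPv4) or 0200:5efe (global IPv4, u/l bit set).
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)
IID_MASK = (1 << 64) - 1

# Constructed sample of `ip -6 neigh` output, not a real capture.
NEIGH_SAMPLE = """\
fe80::5efe:10.1.2.3 dev eth0 lladdr 00:11:22:33:44:55 STALE
fe80::200:5efe:198.51.100.7 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE
fe80::1a2b:3c4d:5e6f:7a8b dev eth0 lladdr 00:11:22:33:44:77 REACHABLE

2001:db8:1::5efe:10.9.8.7 dev eth0 lladdr 00:11:22:33:44:88 STALE
"""


def isatap_embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address embedded in an ISATAP IID, else None."""
    try:
        ip6 = ipaddress.IPv6Address(addr)
    except ipaddress.AddressValueError:
        return None
    iid = int(ip6) & IID_MASK
    if (iid >> 32) not in ISATAP_IID_PREFIXES:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def find_isatap(neigh_output: str) -> List[Tuple[str, str]]:
    """Scan `ip -6 neigh` text; return (ipv6, embedded_ipv4) pairs."""
    hits = []
    for line in neigh_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        v4 = isatap_embedded_ipv4(fields[0])
        if v4 is not None:
            hits.append((fields[0], v4))
    return hits


def multicast_probe_cmd(iface: str, count: int = 2) -> List[str]:
    """Build the all-nodes multicast probe (iputils ping6 syntax assumed)."""
    return ["ping6", "-c", str(count), "-I", iface, "ff02::1"]


def discover_isatap_on_link(iface: str) -> List[Tuple[str, str]]:
    """Probe ff02::1, then read the neighbor cache for ISATAP endpoints."""
    subprocess.run(multicast_probe_cmd(iface), capture_output=True, check=False)
    neigh = subprocess.run(["ip", "-6", "neigh", "show", "dev", iface],
                           capture_output=True, text=True, check=True)
    return find_isatap(neigh.stdout)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap for
    # discover_isatap_on_link("eth0") on a real link.
    for v6, v4 in find_isatap(NEIGH_SAMPLE):
        print(f"ISATAP endpoint {v6} -> IPv4 tunnel source {v4}")
```

Two caveats a tester will hit: `ff02::1` is link-scoped, so the probe only reaches the link the interface sits on, and many stacks ignore echo requests to multicast, so an empty neighbor cache is not proof of an empty link. The ISATAP match is deterministic, though: an IID of `0000:5efe` or `0200:5efe` is a strong indicator of a tunnel endpoint regardless of how the neighbor entry was learned.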
