[ipv6hackers] IPv6 scanning (was Re: Help wanted: Nmap IPv6 OSDetection)
jsklein at gmail.com
Wed Sep 28 04:00:30 CEST 2011
You forgot ::0, ::DEAD:BEEF, ::1337 or 1EE7:A0R (an upgrade from the
IPv4 1337 'elite hacker'). Then there are the English and non-English
dictionary attacks via the 'easy to remember' IPv6 addresses!
I have seen several papers on it over the years. Fernando even
mentions it in his slides.
On Tue, Sep 27, 2011 at 5:11 PM, Eric Vyncke (evyncke)
<evyncke at cisco.com> wrote:
> And of course addresses ending with ::1 or ::FF or ::abba:babe (for Swedish people)... I.e. a potential 'dictionary attack' against IPv4 addresses...
> And for people using transition mechanism (6to4, ISATAP, ...) where the IPv4 address is embedded (more or less) into the IPv6 address, then, scanning those 'pseudo IPv6 network' is related to scanning an IPv4 network such as 10/8....
>> -----Original Message-----
>> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
>> bounces at lists.si6networks.com] On Behalf Of Richard Barnes
>> Sent: mardi 27 septembre 2011 22:39
>> To: IPv6 Hackers Mailing List
>> Subject: Re: [ipv6hackers] IPv6 scanning (was Re: Help wanted: Nmap IPv6
>> My guess is that as we see more IPv6 deployment, we'll start to see
>> some statistical tendencies in IPv6 addresses. There will be a
>> certain noise floor driven by things like privacy addresses, but there
>> will also be some structured things that emerge from things like
>> EUI-64 addresses and DHCPv6-based addressing plans. Ultimately, there
>> will probably be some guided probabilistic scanning that produces
>> non-useless results.
>> It would be an interesting study to do to see if there are any
>> discernible patterns. Anyone have a bucket of known-live addresses
>> they want to loan me? :)
>> On Tue, Sep 27, 2011 at 3:49 PM, Fernando Gont <fgont at si6networks.com> wrote:
>> > On 09/27/2011 04:34 PM, Joe Klein wrote:
>> >> Brute force scanning of an IPv6 range is impractical, as it has always
>> >> been.
>> > Brute force scanning is, as the name implies, brute. :-) For IPv4,
>> > there's little "return on investment" in adding heuristics/intelligence
>> > (*) to your scan approach, because the address space is small. In IPv6,
>> > the address space is much larger, and then there *is* a high potential
>> > return on investment if more brains are put into scanning techniques.
>> > (*) I'm just referring to "how to select targets", rather than about the
>> > details of a particular scanning technique (idle-scan, ACK scan, etc.)
>> > -- i.e., nmap should make it obvious to everyone that there were/are
>> > lots of cool things to do.
>> >> Five or six years ago I had seen discussions about feeding
>> >> lists of IPv6 addresses into nmap to perform a scan. Even today, I
>> >> got a call from customers telling me about 'someone is trying to scan
>> >> our IPv6 segments', but after reviewing the logs, they are performing
>> >> linear scans. [Attacker 0 | Defender 1]
>> > Well, this should just be taken as a script-kiddie doing network
>> > reconnaissance, and/or as a hint that there's still lots of work to do
>> > in the area of IPv6 reconnaissance. -- but never as a sign of IPv6
>> > scanning being unfeasible!
>> > Thanks,
>> > --
>> > Fernando Gont
>> > SI6 Networks
>> > e-mail: fgont at si6networks.com
>> > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>> > _______________________________________________
>> > Ipv6hackers mailing list
>> > Ipv6hackers at lists.si6networks.com
>> > http://lists.si6networks.com/listinfo/ipv6hackers
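The target-selection heuristics the thread keeps coming back to (memorable "dictionary" interface IDs, EUI-64 IIDs derived from a vendor OUI, and the IPv4 address embedded in 6to4 and ISATAP addresses) can be turned into a candidate generator. The block below is an added example, not code from the thread or from any of its participants; the /64 prefix, the OUI 00:11:22, the word list and the IPv4 range are constructed for illustration, and the 6to4 host IIDs ::1 and ::V4 are assumed as common conventions rather than anything the RFC mandates.

```python
"""Heuristic IPv6 target-candidate generation (added example, not from
the thread).  Instead of walking a /64 linearly, emit only the addresses
that real addressing plans and transition mechanisms tend to produce."""
import ipaddress

LOW64 = (1 << 64) - 1

# Constructed "dictionary" of memorable interface identifiers (assumption).
MEMORABLE_IIDS = [
    "::1", "::2", "::10", "::ff", "::1337", "::dead:beef", "::abba:babe",
    "::cafe", "::babe", "::c0de", "::f00d", "::beef",
]


def _base(prefix: str) -> int:
    """Integer form of the network address of a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return int(net.network_address)


def dictionary_candidates(prefix: str, iids=MEMORABLE_IIDS):
    """Combine a /64 with each memorable IID; sorted, de-duplicated strings."""
    base = _base(prefix)
    out = set()
    for iid in iids:
        # Parse "::dead:beef" as an address and keep only its low 64 bits.
        low = int(ipaddress.IPv6Address(iid)) & LOW64
        out.add(str(ipaddress.IPv6Address(base | low)))
    return sorted(out)


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID (RFC 4291): insert ff:fe, flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def eui64_candidates(prefix: str, oui: str, nic_range):
    """SLAAC addresses for one vendor OUI over a range of NIC-specific bytes.
    A vendor's allocation is sequential, so a known OUI plus a small window
    of NIC values covers a batch of machines bought together."""
    base = _base(prefix)
    oui_hex = oui.replace(":", "").replace("-", "")
    out = []
    for nic in nic_range:
        mac = f"{oui_hex}{nic:06x}"
        out.append(str(ipaddress.IPv6Address(base | eui64_iid(mac))))
    return out


def transition_candidates(v4_network: str, isatap_prefix: str):
    """Addresses that embed each IPv4 host of v4_network:
    6to4 (RFC 3056) 2002:V4::/48 with the assumed host IIDs ::1 and ::V4,
    and ISATAP (RFC 5214) IIDs 0:5efe:V4 (private IPv4) / 200:5efe:V4
    (global IPv4) under isatap_prefix.  Scanning these is an IPv4 scan
    in disguise, which is the point made in the thread."""
    base = _base(isatap_prefix)
    out = []
    for host in ipaddress.IPv4Network(v4_network).hosts():
        v4 = int(host)
        six_to_four = (0x2002 << 112) | (v4 << 80)
        out.append(str(ipaddress.IPv6Address(six_to_four | 1)))
        out.append(str(ipaddress.IPv6Address(six_to_four | v4)))
        out.append(str(ipaddress.IPv6Address(base | (0x00005EFE << 32) | v4)))
        out.append(str(ipaddress.IPv6Address(base | (0x02005EFE << 32) | v4)))
    return out


def all_candidates(prefix: str, oui: str, nic_range, v4_network: str):
    """Union of the three heuristics, de-duplicated, ready to feed a scanner."""
    seen = set()
    result = []
    for addr in (dictionary_candidates(prefix)
                 + eui64_candidates(prefix, oui, nic_range)
                 + transition_candidates(v4_network, prefix)):
        if addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


if __name__ == "__main__":
    # Constructed inputs: documentation prefix, made-up OUI, TEST-NET-1 range.
    for a in all_candidates("2001:db8:1:2::/64", "00:11:22", range(1, 4),
                            "192.0.2.0/30"):
        print(a)
```

The output is a plain list of addresses, so it can be piped into nmap -6 -iL - or any other scanner; the point is that a few hundred guided candidates per /64 replace 2^64 linear probes, and the linear scans the customers in the thread saw are exactly what this avoids.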