[ipv6hackers] IPv6 scanning (was Re: Help wanted: Nmap IPv6 OSDetection)

fred fred at fredbovy.com
Wed Sep 28 05:24:03 CEST 2011


And what about bad:cafe:: ????

With dead:beef:: I had a problem once with a Cisco router using addresses with
dead:beef:: and having enabled an option to check the memory for any
corruption.

And the router was crashing or sending some bad traceback messages all the
time.

I raised a bug and after investigation, the DE told me that it was normal
because I was using an address with dead:beef, which is a marker for
corrupted memory! So without the service which checks that there is no
memory corruption on a regular basis it is no problem. But if you enable
this checking, the router finds a problem every time it reads the address
with dead:beef::!!! Not a bug... It was not fixed :-)))
And I changed my address to dead:bee to solve the problem during my testing!

Fred




On 28/09/2011 04:00, "Joe Klein" <jsklein at gmail.com> wrote:

> Eric,
> 
> You forgot ::0, ::DEAD:BEEF, ::1337 or 1EE7:A0R (an upgrade from the
> IPv4 1337 'elite hacker'). Then there are the English and non-English
> dictionary attacks via the 'easy to remember' IPv6 addresses!
> 
> Richard,
> 
> I have seen several papers on it over the years. Fernando even
> mentions it in his slides.
> 
> Joe Klein
> 
> 
> On Tue, Sep 27, 2011 at 5:11 PM, Eric Vyncke (evyncke)
> <evyncke at cisco.com> wrote:
>> And of course addresses ending with ::1 or ::FF or ::abba:babe (for Swedish
>> people)... I.e. a potential 'dictionary attack' against IPv4 addresses...
>> 
>> And for people using transition mechanisms (6to4, ISATAP, ...) where the IPv4
>> address is embedded (more or less) into the IPv6 address, then, scanning
>> those 'pseudo IPv6 networks' is related to scanning an IPv4 network such as
>> 10/8....
>> 
>> -éric
>> 
>>> -----Original Message-----
>>> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
>>> bounces at lists.si6networks.com] On Behalf Of Richard Barnes
>>> Sent: Tuesday 27 September 2011 22:39
>>> To: IPv6 Hackers Mailing List
>>> Subject: Re: [ipv6hackers] IPv6 scanning (was Re: Help wanted: Nmap IPv6
>>> OSDetection)
>>> 
>>> My guess is that as we see more IPv6 deployment, we'll start to see
>>> some statistical tendencies in IPv6 addresses.  There will be a
>>> certain noise floor driven by things like privacy addresses, but there
>>> will also be some structured things that emerge from things like
>>> EUI-64 addresses and DHCPv6-based addressing plans.  Ultimately, there
>>> will probably be some guided probabilistic scanning that produces
>>> non-useless results.
>>> 
>>> It would be an interesting study to do to see if there are any
>>> discernible patterns.  Anyone have a bucket of known-live addresses
>>> they want to loan me? :)
>>> 
>>> --Richard
>>> 
>>> 
>>> 
>>> On Tue, Sep 27, 2011 at 3:49 PM, Fernando Gont <fgont at si6networks.com>
>>> wrote:
>>>> On 09/27/2011 04:34 PM, Joe Klein wrote:
>>>>> Brute force scanning of an IPv6 range is impractical, as it has always
>>>>> been.
>>>> 
>>>> Brute force scanning is, as the name implies, brute. :-) For IPv4,
>>>> there's little "return on investment" in adding heuristics/intelligence
>>>> (*) to your scan approach, because the address space is small. In IPv6,
>>>> the address space is much larger, and then there *is* a high potential
>>>> return on investment if more brains are put into scanning techniques.
>>>> 
>>>> (*) I'm just referring to "how to select targets", rather than about the
>>>> details of a particular scanning technique (idle-scan, ACK scan, etc.)
>>>> -- i.e., nmap should make it obvious to everyone that there were/are
>>>> lots of cool things to do.
>>>> 
>>>> 
>>>>> Five or six years ago I had seen discussions about feeding
>>>>> lists of IPv6 addresses into nmap to perform a scan.  Even today, I
>>>>> got a call from customers telling me about 'someone is trying to scan
>>>>> our IPv6 segments', but after reviewing the logs, they are performing
>>>>> linear scans.  [Attacker 0 | Defender 1]
>>>> 
>>>> Well, this should just be taken as a script-kiddie doing network
>>>> reconnaissance, and/or as a hint that there's still lots of work to do
>>>> in the area of IPv6 reconnaissance. -- but never as a sign of IPv6
>>>> scanning being unfeasible!
>>>> 
>>>> Thanks,
>>>> --
>>>> Fernando Gont
>>>> SI6 Networks
>>>> e-mail: fgont at si6networks.com
>>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Ipv6hackers mailing list
>>>> Ipv6hackers at lists.si6networks.com
>>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>>> 

-- 

Fred Bovy
fred at fredbovy.com
Skype: fredericbovy
Mobile: +33676198206
Siret: 5221049000017
Twitter: http://twitter.com/#!/FredBovy
Blog: http://fredbovyipv6.blogspot.com/
ccie #3013
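As an added example (not code posted by anyone in this thread), the address patterns the replies above mention turned into two tools: a candidate-list generator for one /64 (low interface IDs, hex "words" such as dead:beef and abba:babe, EUI-64 addresses derived from a vendor OUI, and the embedded-IPv4 forms used by ISATAP and 6to4), and a classifier that buckets observed addresses by the same patterns, which is the "discernible patterns" study Richard proposes. The prefix 2001:db8:1:2::/64, the OUI 00:1b:21, the IPv4 block 10.0.0.0/30 and the hex-word list are constructed assumptions, not data from the thread.

```python
"""Heuristic IPv6 target selection and interface-ID classification.

Added example for the thread above; not code posted by any participant.
The prefix, OUI, IPv4 range and hex-word list below are constructed.
"""
import ipaddress
from collections import Counter

Addr = ipaddress.IPv6Address
MASK64 = (1 << 64) - 1
# Memorable hex "words" people type into hand-assigned addresses (constructed list).
HEX_WORDS = ["dead:beef", "bad:cafe", "abba:babe", "1337", "c0:ffee", "face:b00c"]
HEX_WORD_IIDS = {int(w.replace(":", ""), 16) for w in HEX_WORDS}

def _base(prefix):
    """Integer value of the /64's network address; an IID is added to it."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    return int(net.network_address)

def low_iids(prefix, upto=256):
    """prefix::0 .. prefix::(upto-1): sequential or hand-numbered hosts."""
    base = _base(prefix)
    return [Addr(base + i) for i in range(upto)]

def word_iids(prefix):
    """prefix::dead:beef, prefix::1337, ...: the 'dictionary' part of the scan."""
    base = _base(prefix)
    return [Addr(base + int(w.replace(":", ""), 16)) for w in HEX_WORDS]

def eui64_iid(mac):
    """Modified EUI-64 IID from a 48-bit MAC: flip the u/l bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("need a 48-bit MAC")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def eui64_iids(prefix, oui, nics):
    """SLAAC addresses that NICs of one vendor OUI (24-bit NIC numbers) would form."""
    base = _base(prefix)
    out = []
    for nic in nics:
        mac = f"{oui}:{(nic >> 16) & 0xff:02x}:{(nic >> 8) & 0xff:02x}:{nic & 0xff:02x}"
        out.append(Addr(base + eui64_iid(mac)))
    return out

def isatap_iids(prefix, v4net):
    """ISATAP (RFC 5214): IID 0000:5efe:a.b.c.d, or 0200:5efe:... for a global IPv4."""
    base = _base(prefix)
    out = []
    for h in ipaddress.IPv4Network(v4net).hosts():
        top = 0x00005EFE if h.is_private else 0x02005EFE
        out.append(Addr(base + (top << 32) + int(h)))
    return out

def six_to_four(v4net):
    """6to4 (RFC 3056): 2002:AABB:CCDD::/48 per IPv4 host; probe ::1 and ::a.b.c.d in it."""
    out = []
    for h in ipaddress.IPv4Network(v4net).hosts():
        net = (0x2002 << 112) + (int(h) << 80)
        out.extend([Addr(net + 1), Addr(net + int(h))])
    return out

def candidates(prefix, oui, nics, v4net):
    """Union of the heuristics: a few hundred probes instead of a 2**64 linear sweep."""
    seen = set(low_iids(prefix)) | set(word_iids(prefix))
    seen |= set(eui64_iids(prefix, oui, nics)) | set(isatap_iids(prefix, v4net))
    seen |= set(six_to_four(v4net))
    return sorted(seen)

def classify(addr):
    """Bucket one observed address by the structure its prefix or IID shows."""
    a = Addr(addr)
    iid = int(a) & MASK64
    if (int(a) >> 112) == 0x2002:
        return "6to4"
    if ((iid >> 24) & 0xFFFF) == 0xFFFE:        # ..ff:fe.. in the middle of the IID
        return "eui-64"
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        return "isatap"
    if iid in HEX_WORD_IIDS:
        return "hex-word"
    if iid < 0x10000:
        return "low-value"
    return "random-looking"                      # privacy extensions, hashed IIDs, ...

def profile(addrs):
    """Histogram of IID patterns over a bucket of known-live addresses."""
    return dict(Counter(classify(a) for a in addrs))

if __name__ == "__main__":
    # Constructed inputs: documentation prefix, an arbitrary OUI, a private IPv4 block.
    pfx, oui, v4 = "2001:db8:1:2::/64", "00:1b:21", "10.0.0.0/30"
    targets = candidates(pfx, oui, range(16), v4)
    print(f"{len(targets)} candidates instead of 2**64 for {pfx}")
    sample = ["2001:db8::1", "2001:db8::dead:beef", "2001:db8::21b:21ff:feaa:bbcc",
              "2001:db8::5efe:a00:1", "2002:a00:1::1", "2001:db8::a1b2:c3d4:e5f6:718"]
    print(profile(sample))
```

The candidate list is what you would feed to nmap -6 -iL instead of a linear sweep; the EUI-64 generator only pays off once you know which OUIs are on the segment (from a DHCPv6 or neighbor cache dump, say), since one OUI alone is 2**24 addresses. The classifier is the starting point for the statistical study: run profile() over a real list of live addresses and the "random-looking" share tells you how much of the segment is beyond reach of these heuristics.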