[ipv6hackers] nmap's and msf's spoofed-ra scan technique?
Fernando Gont
fgont at si6networks.com
Wed Apr 25 11:30:54 CEST 2012
Folks,
After digging a bit into the aforementioned local-scan technique (see:
<http://lists.si6networks.com/pipermail/ipv6hackers/2012-March/000500.html>),
it turns out that nmap's script is kind of a port (?) of the
corresponding Metasploit script.
Digging into the code, I found a reference to a blog post by the author
of the (Metasploit) script:
<http://wuntee.blogspot.com.ar/2010/11/ipv6-link-local-host-discovery-concept.html>
Apparently, this "technique" was envisioned to address the case in which
a host does not respond to multicasted pings. However, this seems to
miss these two (by far cleaner) scanning vectors:
* Packets with an unrecognized option of type 10xxxxxx
* Packets with an unrecognized header
... both of which elicit ICMPv6 error messages.
Has anyone found a real world device that cannot be discovered with
these two vectors (in addition to the traditional multicasted ping6)?
Unless there's a real use case for this technique, I'd say I find it
noisy and maybe even disruptive.
Thoughts?
Thanks!
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
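The two "cleaner" vectors named in the post both rely on how a receiving node handles things it does not recognize: RFC 8200 encodes the required action in the two high-order bits of an option type (10xxxxxx means "discard and send an ICMPv6 Parameter Problem", 11xxxxxx means the same but only for a non-multicast destination), and an unrecognized Next Header value likewise draws a Parameter Problem. The following is an added example, not code from the post, nmap or Metasploit: a small inspector that walks the extension-header chain of a raw IPv6 packet and reports which packets on the wire would elicit such an error message, which is what a link monitor would use to flag these probes. All packets, addresses and the option/next-header values (0x80, 0xC0, 253) are constructed here for illustration; the set of "known" next headers and options is a deliberately small stand-in for what a real stack recognizes.

```python
import ipaddress
import struct

# Next Header values this toy inspector treats as recognized (IANA assignments);
# a real stack knows more. Constructed for the example.
KNOWN_NEXT_HEADERS = {0, 6, 17, 43, 44, 50, 51, 58, 59, 60}
NH_HOPOPTS, NH_DSTOPTS, NH_ICMPV6 = 0, 60, 58
# Option types every IPv6 node must recognize: Pad1 (0) and PadN (1).
KNOWN_OPTIONS = {0, 1}


def option_action(opt_type):
    """RFC 8200 section 4.2: the two high-order bits of an option type tell a
    node what to do when it does NOT recognize the option."""
    return ("skip", "discard", "discard_icmp", "discard_icmp_unicast")[opt_type >> 6]


def elicits_icmp(opt_type, dst_packed):
    """Would an unrecognized option of this type make the receiver answer with
    an ICMPv6 Parameter Problem?  10xxxxxx always does; 11xxxxxx only when the
    packet was not sent to a multicast address (so it is useless for ff02::1)."""
    action = option_action(opt_type)
    if action == "discard_icmp":
        return True
    if action == "discard_icmp_unicast":
        return not ipaddress.IPv6Address(dst_packed).is_multicast
    return False


def parse_options(area):
    """Return [(type, value), ...] for a Hop-by-Hop / Destination Options area."""
    i, opts = 0, []
    while i < len(area):
        opt_type = area[i]
        if opt_type == 0:                      # Pad1 has no length byte
            opts.append((0, b""))
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated option")
        length = area[i + 1]
        if i + 2 + length > len(area):
            raise ValueError("truncated option")
        opts.append((opt_type, area[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def inspect_ipv6(pkt):
    """Walk the extension-header chain of a raw IPv6 packet and report anything
    that would make the receiving node send an ICMPv6 error message.
    Returns a list of ("option", type) / ("next_header", value) findings."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, dst = pkt[6], pkt[24:40]
    off, findings = 40, []
    # Only Hop-by-Hop and Destination Options headers carry TLV options.
    while nh in (NH_HOPOPTS, NH_DSTOPTS):
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        for opt_type, _ in parse_options(pkt[off + 2:off + hdr_len]):
            if opt_type not in KNOWN_OPTIONS and elicits_icmp(opt_type, dst):
                findings.append(("option", opt_type))
        nh, off = next_nh, off + hdr_len
    if nh not in KNOWN_NEXT_HEADERS:
        findings.append(("next_header", nh))
    return findings


def build_ipv6(src, dst, next_header, payload, hop_limit=255):
    """Construct a raw IPv6 packet (constructed sample data, not a capture)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


# Constructed samples. ECHO_REQ is an ICMPv6 echo request with the checksum left zero.
SRC, ALL_NODES = "fe80::1", "ff02::1"
ECHO_REQ = bytes([128, 0, 0, 0, 0, 1, 0, 1])
# Destination Options header: unrecognized option 0x80 (10xxxxxx), PadN to 8 bytes.
PROBE_UNKNOWN_OPTION = build_ipv6(SRC, ALL_NODES, NH_DSTOPTS,
                                  bytes([NH_ICMPV6, 0, 0x80, 0, 1, 2, 0, 0]) + ECHO_REQ)
# Unrecognized Next Header (253, an RFC 3692 experimental value) after the base header.
PROBE_UNKNOWN_HEADER = build_ipv6(SRC, ALL_NODES, 253, ECHO_REQ)
# Benign: same layout as the first probe, but only a PadN option.
BENIGN = build_ipv6(SRC, ALL_NODES, NH_DSTOPTS,
                    bytes([NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + ECHO_REQ)
# Option 0xC0 (11xxxxxx) to a multicast address: silently discarded, so not a usable vector.
SILENT_MULTICAST = build_ipv6(SRC, ALL_NODES, NH_DSTOPTS,
                              bytes([NH_ICMPV6, 0, 0xC0, 0, 1, 2, 0, 0]) + ECHO_REQ)

if __name__ == "__main__":
    for name, pkt in [("unknown option", PROBE_UNKNOWN_OPTION), ("unknown header", PROBE_UNKNOWN_HEADER),
                      ("benign", BENIGN), ("0xC0 to multicast", SILENT_MULTICAST)]:
        print(f"{name:18s} -> {inspect_ipv6(pkt)}")
```

The fourth sample is the reason the post says "10xxxxxx" rather than "1xxxxxxx": a 11xxxxxx option sent to ff02::1 is dropped without a reply, so only the 10xxxxxx class works against a multicast destination. On the monitoring side, the same walk applied to packets arriving on the link is enough to flag both probe classes without any spoofed Router Advertisement being involved.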