[ipv6hackers] nmap's and msf's spoofed-ra scan technique?

Fernando Gont fgont at si6networks.com
Wed Apr 25 11:30:54 CEST 2012


After digging a bit into the aforementioned local-scan technique (see:
it turns out that nmap's script is kind of a port (?) of the
corresponding Metasploit script.

Digging into the code, I found a reference to a blog post by the author
of the (Metasploit) script.

Apparently, this "technique" was envisioned to address the case in which
a host does not respond to multicasted pings. However, this seems to
miss these two (by far cleaner) scanning vectors:

* Packets with an unrecognized option of type 10xxxxxx
* Packets with an unrecognized header

... both of which elicit ICMPv6 error messages.

Has anyone found a real world device that cannot be discovered with
these two vectors (in addition to the traditional multicasted ping6)?

Unless there's a real use case for this technique, I'd say I find it
noisy and maybe even disruptive.


Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
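The two "cleaner" vectors named in the post (an unrecognized option whose type starts with bits 10, and an unrecognized Next Header value) are also what a defender would look for on the wire, since a single such packet sent to a multicast group makes every listener answer with an ICMPv6 Parameter Problem. The following is an added example, not code from the post, from nmap or from Metasploit: a small Python parser that walks the IPv6 Hop-by-Hop / Destination Options headers of a captured packet and reports exactly those conditions. The set of "recognized" options and Next Header values is an assumption chosen for the demo (it is not the full IANA registry), and the option type 0x9A and the sample packets are constructed.

```python
"""Added example (not from the ipv6hackers post): flag IPv6 packets whose
unrecognized options or Next Header values would provoke ICMPv6 Parameter
Problem replies, especially when addressed to a multicast group.

Per RFC 8200 sec. 4.2, the top two bits of an option type tell a receiver
what to do with an option it does not recognize:
  00 skip, 01 discard silently, 10 discard and ALWAYS send Parameter Problem,
  11 discard and send Parameter Problem only if the destination is unicast.
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

# ASSUMPTION for this demo: options we treat as "recognized" (Pad1, PadN,
# Jumbo Payload, RPL, Quick-Start, CALIPSO, MPL, Home Address). A real
# sensor would load the IANA registry instead.
KNOWN_OPTIONS = {0x00, 0x01, 0xC2, 0x63, 0x26, 0x07, 0x6D, 0xC9}

# ASSUMPTION for this demo: Next Header values we treat as recognized
# (extension headers, TCP, UDP, ICMPv6, No-Next-Header, ESP, AH).
KNOWN_NEXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS,
                      6, 17, 58, 59, 50, 51}


def parse_options(body):
    """Yield each option type found in a Hop-by-Hop / Destination Options body."""
    i = 0
    while i < len(body):
        opt_type = body[i]
        if opt_type == 0x00:          # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(body):        # length byte missing: malformed, stop
            break
        yield opt_type
        i += 2 + body[i + 1]          # type + length + data


def analyse(pkt):
    """Return a list of human-readable findings for one raw IPv6 packet."""
    findings = []
    if len(pkt) < 40 or (pkt[0] >> 4) != 6:
        return ["not an IPv6 packet"]
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    nh = pkt[6]
    dst = ipaddress.IPv6Address(pkt[24:40])
    mcast = dst.is_multicast
    off, end = 40, min(len(pkt), 40 + payload_len)

    # Walk the option-carrying extension headers; stop at anything else.
    while nh in (HOP_BY_HOP, DEST_OPTS):
        if off + 2 > end:
            findings.append("truncated extension header")
            break
        next_nh = pkt[off]
        hdr_len = (pkt[off + 1] + 1) * 8       # Hdr Ext Len is in 8-octet units, minus 1
        if off + hdr_len > end:
            findings.append("extension header longer than payload")
            break
        for opt_type in parse_options(pkt[off + 2: off + hdr_len]):
            action = opt_type >> 6
            if opt_type not in KNOWN_OPTIONS and action == 0b10:
                findings.append(
                    f"unknown option 0x{opt_type:02x} with action bits 10 "
                    f"(forces ICMPv6 Parameter Problem"
                    f"{', even to multicast' if mcast else ''})")
        nh, off = next_nh, off + hdr_len

    if nh not in KNOWN_NEXT_HEADERS:
        findings.append(f"unknown Next Header {nh} "
                        "(elicits ICMPv6 Parameter Problem, code 1)")
    if mcast and findings:
        findings.append(f"sent to multicast {dst}: every listener may answer")
    return findings


def build_ipv6(src, dst, nh, payload):
    """Construct a minimal IPv6 packet (sample data for the demo)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nh, 255)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


ECHO_REQ = bytes([128, 0, 0, 0, 0x12, 0x34, 0, 1])   # ICMPv6 echo request, checksum left 0

# Constructed samples: a normal multicast ping, the same ping behind a
# Hop-by-Hop header carrying the made-up option 0x9A (action bits 10),
# and a unicast packet with the experimental Next Header value 253.
PKT_PING = build_ipv6("fe80::1", "ff02::1", 58, ECHO_REQ)
HBH = bytes([58, 0, 0x9A, 4, 0, 0, 0, 0])           # next=ICMPv6, len 0 (8 bytes), opt 0x9A/4
PKT_UNKNOWN_OPT = build_ipv6("fe80::1", "ff02::1", HOP_BY_HOP, HBH + ECHO_REQ)
PKT_UNKNOWN_NH = build_ipv6("fe80::1", "fe80::2", 253, bytes(8))

if __name__ == "__main__":
    for name, pkt in [("ping", PKT_PING), ("unknown-opt", PKT_UNKNOWN_OPT),
                      ("unknown-nh", PKT_UNKNOWN_NH)]:
        print(name, analyse(pkt) or ["nothing suspicious"])
```

Run over a capture, the interesting signal is the combination the post describes: an unrecognized option with action bits 10 (or an unrecognized Next Header) addressed to ff02::1 or another link-local group, because that is a single packet that provokes an answer from every node on the segment.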
