[ipv6hackers] IPv6 Security research

Fyodor fyodor at insecure.org
Fri Mar 23 21:07:36 CET 2012


On Fri, Mar 23, 2012 at 12:30:23PM -0700, Fyodor wrote:
> 
> o Advanced multicast host discovery is our newest IPv6 feature, and is
>   one I'm quite excited about.  In fact, I'll send a separate email
>   describing it shortly :).

And here is that mail :).  We started researching the most effective
IPv6 LAN discovery methods, including straightforward ones (e.g. ping
the all-nodes link-local multicast address) and more clever techniques
devised by Marc Heuse and other researchers.  In the end, we
implemented three of them.  They work best as a combination, since
different operating systems respond to different types of queries.
They are all written as NSE scripts, though we might move them into
core Nmap where most of the IPv4 host discovery techniques are.  These
are the three techniques:

1. Send an ICMPv6 echo request packet to the all-nodes link-local
   multicast address (ff02::1). When ICMP echo response packets are
   received, collect the IPv6 addresses that they come from and mark
   those hosts as potential scan targets.  This is a rather
   straightforward technique which uses the protocols as designed, and
   (just like using ICMPv4 echo request packets for host discovery) it
   is quite effective. We have implemented this with our
   targets-ipv6-multicast-echo script, which is documented at
   http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-echo.html
   and is available from that page or within the Nmap 5.61TEST5
   packages on the Nmap download site.

2. Send an ICMPv6 packet with an invalid extension header to the
   all-nodes link-local multicast address. Any hosts replying with an
   ICMPv6 parameter problem packet can be marked as up and available
   for potential scanning. This is implemented with our
   targets-ipv6-multicast-invalid-dst script
   (http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-invalid-dst.html).

3. Send an ICMPv6 router acknowledgement packet with a random address
   prefix, causing hosts to begin stateless address auto-configuration
   (SLAAC) and send a solicitation for their newly configured
   address. We can then guess the remote addresses by combining the
   link-local prefix of the interface with the interface identifier in
   each of the received solicitations. An ordinary ICMPv6 neighbor
   discovery probe can then be used to verify that the guessed
   addresses are correct.  This is implemented within our
   targets-ipv6-multicast-slaac script
   (http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-slaac.html).

Here is an example of all three of these scripts being combined to
discover all of the IPv6 hosts on a small home LAN (I've XX'd out some
address bytes):

# nmap -v -n -sn --script targets-ipv6-\*
Starting Nmap 5.61TEST4 ( http://nmap.org )
NSE: Loaded 3 scripts for scanning.
Pre-scan script results:
| targets-ipv6-multicast-echo:
| IP: fe80::226:55ff:XXXX:XXXX MAC: 00:26:55:XX:XX:XX IFACE: eth0
| IP: 2002:43a9:54c8:0:226:55ff:XXXX:XXXX MAC: 00:26:55:XX:XX:XX IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst:
| IP: 2002:43a9:54c8:0:226:55ff:XXXX:XXXX MAC: 00:26:55:XX:XX:XX IFACE: eth0
| IP: fe80::147a:4e63:XXXX:XXXX MAC: 00:0c:29:XX:XX:XX IFACE: eth0
| IP: 2002:43a9:54c8:0:553d:455:XXXX:XXXX MAC: 00:0c:29:XX:XX:XX IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-slaac:
| IP: fe80::226:55ff:XXXX:XXXX MAC: 00:26:55:XX:XX:XX IFACE: eth0
| IP: fe80::147a:4e63:XXXX:XXXX MAC: 00:0c:29:XX:XX:XX IFACE: eth0
| IP: fe80::7529:7394:XXXX:XXXX MAC: 00:0c:29:XX:XX:XX IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 2.71 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Note that each of the three scripts above produced a slightly
different set of discovered IPv6 addresses. That is the reason for
trying multiple scripts at once. If you pass Nmap the "--script-args
newtargets" argument, it will combine the lists and scan all five of
the unique IPv6 addresses discovered.

Cheers,
Fyodor
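As an added example, not part of Fyodor's mail and not Nmap's code: the defender's counterpart to technique 3 above. Hosts autoconfigure from whatever prefix a router advertisement announces, so an RA guard or NDP monitor parses each ICMPv6 Router Advertisement and alerts on any autonomous (A-flag) prefix the operator never configured. The packet bytes below are constructed, and the allowlist of legitimate prefixes is an assumption.

```python
import ipaddress
import struct
RA_TYPE = 134            # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option, always 32 bytes

def parse_router_advertisement(icmpv6: bytes) -> dict:
    """Parse an RA from the ICMPv6 header on; the checksum (needs the IPv6 pseudo-header) is not verified."""
    if len(icmpv6) < 16:
        raise ValueError("too short for a Router Advertisement")
    msg_type, code, _csum, _hops, _flags, lifetime, _r, _t = struct.unpack("!BBHBBHII", icmpv6[:16])
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:                       # RFC 4861: zero length means drop the packet
            raise ValueError("zero-length ND option")
        size = opt_len * 8
        if off + size > len(icmpv6):
            raise ValueError("truncated ND option")
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", icmpv6[off + 2:off + 12])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((icmpv6[off + 16:off + 32], plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        off += size                            # unknown option types are skipped
    return ra

def unexpected_slaac_prefixes(ra: dict, allowed: list) -> list:
    """A-flag prefixes (the ones hosts autoconfigure from) that are not on the allowlist."""
    allowed_nets = {ipaddress.IPv6Network(a) for a in allowed}
    return [str(p["prefix"]) for p in ra["prefixes"] if p["autonomous"] and p["prefix"] not in allowed_nets]

def build_ra(prefixes) -> bytes:
    """Construct a test RA (checksum left as 0) carrying the given prefix options."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    opts = b""
    for net, pflags, valid, preferred in prefixes:
        n = ipaddress.IPv6Network(net)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, n.prefixlen, pflags,
                            valid, preferred, 0) + n.network_address.packed
    return hdr + opts

# Constructed sample: one prefix the operator configured, one that nobody configured.
SAMPLE_RA = build_ra([("2001:db8:1::/64", 0xC0, 2592000, 604800),
                      ("2001:db8:dead:beef::/64", 0xC0, 30, 30)])
```

Run against SAMPLE_RA with the assumed allowlist ["2001:db8:1::/64"], the check reports 2001:db8:dead:beef::/64 as an unexpected SLAAC prefix.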
