[ipv6hackers] IPv6 Security research

Fernando Gont fgont at si6networks.com
Sun Mar 25 21:55:18 CEST 2012

Hi, Fyodor,

On 03/23/2012 05:07 PM, Fyodor wrote:
> 3. Send an ICMPv6 router acknowledgement packet with a random address
>    prefix, causing hosts to begin stateless address auto-configuration
>    (SLAAC) and send a solicitation for their newly configured
>    address. We can then guess the remote addresses by combining the
>    link-local prefix of the interface with the interface identifier in
>    each of the received solicitations. 

Maybe there's a writeo in the documentation?

>    An ordinary ICMPv6 neighbor
>    discovery probe can then be used to verify that the guessed
>    addresses are correct.  This is implemented within our
>    targets-ipv6-multicast-slaac script
>    (http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-slaac.html).

I don't quite understand this vector. I.e., this seems more of a DoS,
rather than a host scanning "attack". I.e., you're causing nodes to
*configure* addresses rather than discovering which addresses they are
already using.

Am I missing something?

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
