[ipv6hackers] IPv6 Security research

Marc Heuse mh at mh-sec.de
Wed Mar 28 09:48:09 CEST 2012

Hi Owen!

Am 28.03.2012 05:14, schrieb Owen DeLong:
> This requires you to have access to or compromise at least
> one machine on the target network first. I'd be more
> concerned about remote scanning attacks than local ones.

Penetration test assignments are often performed locally (internal
audits, infrastructure reviews before going live, etc., and playing
scanning games at conferences too).
So this is something penetration testers (like me) have to solve.

But I totally agree, remote scanning techniques are the harder and more
interesting part. I'd like to see more on this topic, further research
from what I have published. And my published techniques are getting a bit
obsolete; I heard that several DHCPv6 implementations have now moved to
random allocation.

> If you're local, why not just enumerate the solicited
> node addresses (there are only 16.7M of them, after all)
> with ND packets and look for the answers. That should grab
> 100% success and works regardless of RA or any other
> mitigation tool.

In the hope of learning something new here:
how does this help? Of course you could scan for ff02::1:ffXX:YY:ZZ
(which is like scanning an IPv4 class A network), but I do not see how
this helps. It is still a multicast address, so you can simply use
ff02::1 as well. You can't TCP portscan a multicast address, NDP to a
multicast address gets (of course) no result, and the same ping-reply
restrictions apply to the solicited-node multicast address as to the
all-nodes multicast address. So I'm clueless as to how this would work.


Marc Heuse

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

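The two multicast groups discussed above (the all-nodes group ff02::1 and the per-host solicited-node groups ff02::1:ffXX:YYZZ) can be worked through in code. The following is an added example, not code from this thread or from Marc's tools: it derives the solicited-node group and the matching Ethernet multicast MAC for a unicast address (RFC 4291 section 2.7.1 and RFC 2464 section 7), shows why the search space is exactly 2^24 groups and why the mapping is many-to-one, and parses the responder list out of a `ping6 ff02::1%iface` run. The ping output and the interface name `eth0` are constructed sample data, not captured from any real network.

```python
import ipaddress
import re

# ff02::1:ff00:0/104 is the solicited-node multicast prefix (RFC 4291 2.7.1);
# the remaining 24 bits come from the low 24 bits of the unicast address.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node_group(addr):
    """Return the solicited-node multicast group for a unicast/anycast IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    low24 = int(a) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24))


def solicited_node_mac(group):
    """Ethernet multicast MAC for an IPv6 multicast group: 33:33 followed by
    the low 32 bits of the group address (RFC 2464 section 7)."""
    g = ipaddress.IPv6Address(group)
    low32 = int(g) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def solicited_node_space():
    """Number of distinct solicited-node groups: 24 free bits, i.e. 16,777,216.
    This is the '16.7M' figure quoted in the thread."""
    return 1 << 24


def share_group(addr_a, addr_b):
    """True when two addresses fall into the same solicited-node group
    (only the low 24 bits matter, so many hosts can share one group)."""
    return solicited_node_group(addr_a) == solicited_node_group(addr_b)


def parse_ping6_replies(output):
    """Extract unique responder addresses from ping6-style output.
    Lines look like '64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.5 ms'."""
    pat = re.compile(r"bytes from ([0-9a-fA-F:.]+(?:%\w+)?)")
    seen = []
    for line in output.splitlines():
        m = pat.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


# Constructed sample output of `ping6 -c 2 ff02::1%eth0` (not a real capture).
# Hosts that answer the all-nodes group show up once per probe, hence DUP! lines.
SAMPLE_PING6_OUTPUT = """\
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.331 ms
64 bytes from fe80::2aa:ff:fe28:9c5a%eth0: icmp_seq=1 ttl=64 time=0.812 ms (DUP!)
64 bytes from fe80::1%eth0: icmp_seq=2 ttl=64 time=0.298 ms
64 bytes from fe80::2aa:ff:fe28:9c5a%eth0: icmp_seq=2 ttl=64 time=0.790 ms (DUP!)

--- ff02::1%eth0 ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1001ms
"""


if __name__ == "__main__":
    for host in ("fe80::1", "2001:db8::2aa:ff:fe28:9c5a", "2001:db8::1"):
        grp = solicited_node_group(host)
        print(f"{host:32} -> {grp:22} {solicited_node_mac(grp)}")
    print("solicited-node groups:", solicited_node_space())
    print("fe80::1 and 2001:db8::1 share a group:", share_group("fe80::1", "2001:db8::1"))
    print("responders to ff02::1:", parse_ping6_replies(SAMPLE_PING6_OUTPUT))
```

Note the practical consequence for the thread's question: walking all 2^24 solicited-node groups only enumerates multicast groups, not hosts; any host that answers an echo to its solicited-node group would have answered the single echo to ff02::1 as well, and a host configured not to answer multicast pings answers neither.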