[ipv6hackers] Scanning for IPv6 addresses embedding TCP/UDP service ports

Fernando Gont fgont at si6networks.com
Fri Feb 22 03:15:17 CET 2013


Based on Tor's suggestion, I'm planning to enhance the scan6 tool to be
able to scan for IPv6 addresses embedding service ports (for example,
addresses such as fc00:1::25, fc00:1::80, etc.).

Looking at /etc/services, these are the service port numbers that, at
first sight, looked worthwhile to include:

---- cut here ----
ftp		21/tcp
ssh		22/tcp				# SSH Remote Login Protocol
telnet		23/tcp
smtp		25/tcp		mail
tacacs		49/tcp				# Login Host Protocol (TACACS)
domain		53/tcp				# Domain Name Server
http		80/tcp		www		# WorldWideWeb HTTP
pop3		110/tcp		pop-3		# POP version 3
ntp		123/tcp
bgp		179/tcp				# Border Gateway Protocol
imap3		220/tcp				# Interactive Mail Access
ldap		389/tcp			# Lightweight Directory Access Protocol
https		443/tcp				# http protocol over TLS/SSL
dhcpv6-server	547/tcp
imaps		993/tcp				# IMAP over SSL
pop3s		995/tcp				# POP-3 over SSL
openvpn		1194/tcp
mysql		3306/tcp
sip		5060/tcp			# Session Initiation Protocol
sip-tls		5061/tcp
postgresql	5432/tcp	postgres	# PostgreSQL Database
mysql-proxy	6446/tcp			# MySQL Proxy
http-alt	8080/tcp	webcache	# WWW caching service
---- cut here ----

For obvious reasons, the transport-protocol above (i.e., TCP vs. UDP) is
meaningless, since we're not scanning *ports* but rather IPv6 addresses
that embed service ports.

Two related questions are:
* Have I missed any interesting ports?
* Have I included any ports that are not really worthwhile? (and hence
should probably be removed from the list).

And, finally:
* I was considering that, for every service port, scan6 should probably
scan for:


This would mean that when scanning for an IPv6 address from the prefix
fc00:1::/64 embedding port 80, we'd probe these addresses:


The idea is, of course, to also target addresses that embed the service
port, but also change the second lowest-order word.

Has anyone seen these patterns? Does it make sense to add them as part
of "scan for IPv6 addresses embedding service ports"?

Should we just scan for fc00:1::port? Or maybe expand the range a bit as in:


Thoughts and/or comments welcome :-)

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
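As an added illustration of the candidate-generation step discussed in the post (this is example code written for this page, not part of scan6 or of Fernando's message), the following Python builds the set of addresses inside a prefix that embed one of the listed service ports. The pattern the post shows (fc00:1::25, fc00:1::80) puts the port's decimal digits into the lowest 16-bit word as if they were hex; the second encoding (the port's actual value in hex, so port 80 becomes ::50) and the sweep over the second-lowest word are assumptions about what an operator might also configure, not something the post states. The port list itself is the one quoted from /etc/services above.

```python
"""Generate IPv6 candidate addresses that embed a TCP/UDP service port.

Added example, not scan6 code. Two encodings of the port are tried:
  'dec': the decimal digits read as hex  (80 -> ::80, 3306 -> ::3306)
  'hex': the numeric port value          (80 -> ::50, 3306 -> ::cea)
The 'hex' form and the second-word sweep are assumptions; only the 'dec'
form appears in the original post.  TCP vs. UDP is irrelevant here: we are
enumerating addresses, not ports.
"""
import ipaddress

# Port numbers quoted from /etc/services in the post above.
SERVICE_PORTS = [21, 22, 23, 25, 49, 53, 80, 110, 123, 179, 220, 389, 443,
                 547, 993, 995, 1194, 3306, 5060, 5061, 5432, 6446, 8080]


def port_words(port):
    """Return {encoding: 16-bit word} for the ways `port` might be embedded.

    The 'dec' form needs the decimal digits to fit in four hex digits, so it
    is only produced for ports up to 9999 (all ports in SERVICE_PORTS qualify).
    """
    words = {}
    if port <= 9999:
        words["dec"] = int(str(port), 16)   # digits reinterpreted as hex
    words["hex"] = port                     # plain numeric value
    return words


def embedded_addresses(prefix, ports=SERVICE_PORTS, second_word_max=0):
    """Yield (IPv6Address, port, encoding) for every candidate in `prefix`.

    prefix:          network such as "fc00:1::/64"; must leave the two
                     lowest-order words free (prefix length <= 96).
    second_word_max: highest value swept through the second-lowest word.
                     0 reproduces the post's basic prefix::port pattern;
                     larger values are an assumed extension (e.g. ::1:80).
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 96:
        raise ValueError("prefix must leave the two low-order words free")
    base = int(net.network_address)
    seen = set()
    for port in ports:
        for encoding, low_word in port_words(port).items():
            for second_word in range(second_word_max + 1):
                addr = ipaddress.IPv6Address(base | (second_word << 16) | low_word)
                if addr in seen:            # 'dec' and 'hex' may collide
                    continue
                seen.add(addr)
                yield addr, port, encoding


if __name__ == "__main__":
    # Print the candidate list for the example prefix used in the post.
    for addr, port, encoding in embedded_addresses("fc00:1::/64", second_word_max=1):
        print(f"{addr:<24} port {port:<5} ({encoding})")
```

Each yielded address is one probe target; a scanner would then send whatever probe it normally uses (ICMPv6 echo, TCP SYN, ...) to that address rather than treating the embedded number as a port to connect to.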

