[ipv6hackers] Scanning for IPv6 addresses embedding TCP/UDP service ports

Jim Small jim.small at cdw.com
Sun Mar 17 23:34:35 CET 2013

Hi Fabian,

> On 17.03.2013 21:44, Jim Small wrote:
> > So the real question is, just because Samba binds the NetBIOS
> > Session Service to an IPv6 socket, does it actually work?  A
> It does work!
> I think that on TCP/445 this is direct SMB over TCP and does not
> need NetBIOS any more, so this is probably why it is working.

Sorry, I should have been more specific.  Assuming Samba is emulating Windows (which was the original idea), I can confirm that TCP/445 is direct hosting of SMB/CIFS over TCP.  It doesn't use NetBIOS.  To use NetBIOS you use the session service which runs over TCP/139.

Here's the Microsoft KB showing this:

> I tried only from the same host, as I did not have a useful
> version of smbclient available somewhere else in my LAN. Finder
> from Mac OS X could not connect to the IPv6 hostname.
>  From the client side:
> fabian at superman:~ $ host superman.ip6
> superman.ip6.wenks.ch has IPv6 address 2001:8a8:1005:2::180
> superman.ip6.wenks.ch has IPv6 address 2001:8a8:1005:1::3
> fabian at superman:~ $ smbclient //superman.ip6/download -U fabian
> Enter fabian's password:
> Domain=[WENKS] OS=[Unix] Server=[Samba 3.6.12]
> smb: \>
> And on the server:
> root at superman:~ # smbstatus
> WARNING: No path in service IPC$ - making it unavailable!
> Samba version 3.6.12
> PID     Username      Group         Machine
> -----------------------------------------------------------------
> 26621    fabian      fabian      superman    (2001:8a8:1005:1::3)
> Service      pid     machine       Connected at
> -------------------------------------------------------
> download     26621   superman      Sun Mar 17 22:19:04 2013
> No locked files
> root at superman:~ #
> And netstat on the server (output a little bit squeezed to
> hopefully avoid line wrap):
> root at superman:~ # netstat -an | egrep "139|445"
> tcp6 0 0 2001:8a8:1005:1:.445  2001:8a8:1005:1:.54734 ESTABLISHED
> tcp6 0 0 2001:8a8:1005:1:.54734 2001:8a8:1005:1:.445  ESTABLISHED
> tcp4 0 0 *.139                  *.*                   LISTEN
> tcp4 0 0 *.445                  *.*                   LISTEN
> tcp6 0 0 *.139                  *.*                   LISTEN
> tcp6 0 0 *.445                  *.*                   LISTEN
> root at superman:~ #

So I'm curious if it's possible to do an SMB connection via TCP/139 over IPv6.  If it doesn't work you could see if you could get it to work with a static entry in an lmhosts file.  In Windows this is %windir%\system32\drivers\etc\lmhosts where %windir% is often C:\Windows.  For Samba lmhosts is in the config directory - depends on the setup.  See the lmhosts(5) man page.

> I just got the below output from a friend from his Windows Server
> 2008R2 (which also has IPv6). He could force the connect to IPv6
> with (output anonymized):
> net use b: \\2002-xxxx-xxxx-xxx--xxx.ipv6-literal.net\share
> PS C:\Users\Administrator> netstat -an | where {$_ -match "445"}
>    TCP                LISTEN
>    TCP    [::]:445               [::]:0                 LISTEN
>    TCP    [2002:xxxx:xxxx:xxx::xx]:445
> [2002:xxxx:xxxx:xxx:xxxx:xxxx:xxxx:xxxx]:60836  ESTABLISHED
> Already with normal usage it does prefer to connect over IPv6,

Yes - Windows implements RFC 3484 so by default it prefers:
1)  IPv6 (general)
2)  6to4 prefixes
3)  IPv4
4)  Teredo

You can view the Windows prefix policy table with netsh:
D:\>netsh int ipv6 show pref
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32

> if both protocols are available. He also told me, when IPv6 is
> disabled on the interface for an Exchange system, it will not
> work and give lots of strange error messages. :)

Regarding Exchange, Microsoft warns that disabling IPv6 will cause problems with installation and mail flow.  It is possible to make it work without IPv6 for some versions.  However, Microsoft does not officially support disabling IPv6 since Vista.  Per their FAQ they do not test Windows without IPv6 and many services actually depend on it, see:
"From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6 - such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail - could be."

I also have a Windows 2008 R2 Server.  For NetBIOS services it only listens on IPv4, not on IPv6.  For SMB/CIFS direct hosting (TCP/445) it listens on both IPv4 and IPv6.  The net use commands do not necessarily have to use NetBIOS - they do work over IPv6 using either DNS/LLMNR or the ipv6.literal name space for actual IPv6 addresses.  I've spent some time playing with this and monitoring with Wireshark.

However, the fact that Samba listens on both v4/v6 for TCP/139 could be a vulnerability since NetBIOS is not designed to work over IPv6.  That said, what are the odds of someone making an address with the NetBIOS session service (TCP/139) embedded in the address?
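
The precedence lookup behind the netsh prefix policy table quoted in the message, as an added example (not part of the original message and not Microsoft's code). It does a longest-prefix match against that table and orders candidates by precedence only; the function names and every sample address except 2001:8a8:1005:1::3 are constructed for illustration.

```python
import ipaddress

# (precedence, label, prefix) rows copied from the netsh output in the message.
POLICY_TABLE = [
    (50, 0, "::1/128"),
    (40, 1, "::/0"),
    (30, 2, "2002::/16"),
    (20, 3, "::/96"),
    (10, 4, "::ffff:0:0/96"),
    (5, 5, "2001::/32"),
]
_PARSED = [(p, l, s, ipaddress.ip_network(s)) for p, l, s in POLICY_TABLE]


def to_ipv6(addr):
    """Parse an address; IPv4 is represented as IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(b"\x00" * 10 + b"\xff\xff" + ip.packed)
    return ip


def lookup(addr):
    """Return (precedence, label, prefix) of the longest matching prefix."""
    ip = to_ipv6(addr)
    matches = [row for row in _PARSED if ip in row[3]]  # ::/0 always matches
    prec, label, prefix, _ = max(matches, key=lambda row: row[3].prefixlen)
    return prec, label, prefix


def order_destinations(candidates):
    """Sort candidate destinations by precedence, highest first.

    Simplification: RFC 3484 has further destination rules (reachability,
    scope, label match with the source address) that are not modelled here.
    """
    return sorted(candidates, key=lambda a: lookup(a)[0], reverse=True)


if __name__ == "__main__":
    # Constructed candidates: IPv4, Teredo, 6to4, plus the native address
    # from the thread.
    sample = ["192.0.2.10", "2001:0:4136:e378::1",
              "2002:c000:204::1", "2001:8a8:1005:1::3"]
    for dst in order_destinations(sample):
        print(dst, lookup(dst))
```
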

