[ipv6hackers] nmap NSE scripts

Fyodor fyodor at nmap.org
Fri Oct 11 01:26:25 CEST 2013

On Mon, Oct 7, 2013 at 3:01 PM, Adam Števko <adam.stevko at gmail.com> wrote:

> Hi guys,
> as a part of a semester project, I decided to enhance nmap with several
> NSE scripts for various IPv6 vulnerabilities. These NSE scripts should be
> based on their counterparts from various IPv6 toolkits available out there,
> most notably thc-ipv6 and IPv6 toolkit. Implementing some of those tools as
> nmap NSE scripts will make them available to a larger audience and enable
> them to run on a wide range of platforms.

Hi Adam.  We'd certainly appreciate your help as IPv6 has long been a major
Nmap priority.  I added the initial support more than 11 years ago (August
2002) and it has slowly improved to the point where almost all Nmap
functionality now supports IPv6.  That includes raw packet port scanning,
version detection, our custom machine-learning-based IPv6 OS detection
system, and of course the Nmap Scripting Engine.  We're also rather proud
of our multicast IPv6 host discovery systems.

That being said, there is always room for improvement.  And NSE is usually
the best way to implement new techniques.  Nmap's top priority is network
discovery, so that functionality is most welcome.  Also, you'll want to
make sure you don't duplicate our existing IPv6-related scripts, such as:

* Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses
the response, then extracts and prints the address along with any options
returned by the server.

dns-ip6-arpa-scan http://nmap.org/nsedoc/scripts/dns-ip6-arpa-scan.html
* Performs a quick reverse DNS lookup of an IPv6 network using a technique
which analyzes DNS server response codes to dramatically reduce the number
of queries needed to enumerate large networks.

ipv6-node-info http://nmap.org/nsedoc/scripts/ipv6-node-info.html
* Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information

ipv6-ra-flood http://nmap.org/nsedoc/scripts/ipv6-ra-flood.html
* Generates a flood of Router Advertisements (RA) with random source MAC
addresses and IPv6 prefixes. Computers that have stateless
autoconfiguration enabled by default (every major OS) will start to
compute an IPv6 suffix and update their routing table to reflect the accepted
announcement. This will cause 100% CPU usage on Windows and platforms,
preventing them from processing other application requests.

* Sends an ICMPv6 echo request packet to the all-nodes link-local multicast
address (ff02::1) to discover responsive hosts on a LAN
without needing to individually ping each IPv6 address.

* Sends an ICMPv6 packet with an invalid extension header to the all-nodes
link-local multicast address (ff02::1) to discover (some)
available hosts on the LAN. This works because some hosts will respond to
this probe with an ICMPv6 Parameter Problem packet.

* Attempts to discover available IPv6 hosts on the LAN by sending an MLD
(multicast listener discovery) query to the link-local multicast address
(ff02::1) and listening for any responses.  The query's maximum response
delay is set to 0 to provoke hosts to respond immediately rather than waiting
for other responses from their multicast group.

* Performs IPv6 host discovery by triggering stateless address
auto-configuration (SLAAC).

One of our main criteria for accepting new scripts is that they meet a
concrete need of security/networking admins/analysts.  So instead of just
saying "this sends an IPv6 blahblah probe and prints the response", tell us
why someone might send such a probe and how the information returned can be

Also, as Fernando noted, you don't need to base all your ideas on thc-ipv6
and the IPv6 Toolkit.  Those are wonderful tools, but you don't need to
limit yourself to things they can already do.

Cheers, and best wishes for your project!
