[ipv6hackers] nmap NSE scripts

Marc Heuse mh at mh-sec.de
Fri Oct 11 21:54:25 CEST 2013

Hi Joe,

why not making your nse scripts public?
I'd guess a lot of people would be happy :-)


Marc Heuse
PGP: AF3D 1D4C D810 F0BB 977D  3807 C7EE D0A0 6BE9 F573

On 11.10.2013 19:24, Joe Klein wrote:
> Adam,
> I had done the same thing, converting my IPv6 c++  and SCAPY attack/audit
> applications into a private nmap scripts repository, as a fun exercise. The
> scripts work better, since the recent nmap upgrade.  So thank you Fyodor
> for making nmap better for scripting.
> Joe Klein
> On Thu, Oct 10, 2013 at 7:26 PM, Fyodor <fyodor at nmap.org> wrote:
>> On Mon, Oct 7, 2013 at 3:01 PM, Adam Števko <adam.stevko at gmail.com> wrote:
>>> Hi guys,
>>> as a part of a semester project, I decided to enhance nmap with several
>>> NSE scripts for various IPv6 vulnerabilities. These NSE scripts should be
>>> based on their counterparts from various IPv6 toolkits available out
>> there,
>>> most notably thc-ipv6 and IPv6 toolkit. Implementing some of those tools
>> as
>>> nmap NSE scripts will make them available to a larger audience and enable
>>> to run on wide range of platforms.
>> Hi Adam.  We'd certainly appreciate your help as IPv6 has long been a major
>> Nmap priority.  I added the initial support more than 11 years ago (August
>> 2002) and it has slowly improved to the point where almost all Nmap
>> functionality now supports IPv6.  That includes raw packet port scanning,
>> version detection, our custom machine-learning-based IPv6 OS detection
>> system, and of course the Nmap Scripting Engine.  We're also rather proud
>> of our multicast IPv6 host discovery systems.
>> That being said, there is always room for improvement.  And NSE is usually
>> the best way to implement new techniques.  Nmap's top priority is network
>> discovery, so that functionality is most welcome.  Also, you'll want to
>> make sure you don't duplicate our existing IPv6-related scripts, such as:
>> broadcast-dhcp6-discover
>> http://nmap.org/nsedoc/scripts/broadcast-dhcp6-discover.html
>> * Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses
>> the response, then extracts and prints the address along with any options
>> returned by the server.
>> dns-ip6-arpa-scan http://nmap.org/nsedoc/scripts/dns-ip6-arpa-scan.html
>> * Performs a quick reverse DNS lookup of an IPv6 network using a technique
>> which analyzes DNS server response codes to dramatically reduce the number
>> of queries needed to enumerate large networks.
>> ipv6-node-info http://nmap.org/nsedoc/scripts/ipv6-node-info.html
>> * Obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information
>> Queries.
>> ipv6-ra-flood http://nmap.org/nsedoc/scripts/ipv6-ra-flood.html
>> * Generates a flood of Router Advertisements (RA) with random source MAC
>> addresses and IPv6 prefixes. Computers, which have stateless
>> autoconfiguration enabled by default (every major OS),  will start to
>> compute IPv6 suffix and update their routing table to reflect the accepted
>> announcement. This will cause 100% CPU usage on Windows and platforms,
>> preventing to process other application requests.
>> targets-ipv6-multicast-echo
>> http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-echo.html
>> * Sends an ICMPv6 echo request packet to the all-nodes link-local multicast
>> address (<code>ff02::1</code>) to discover responsive hosts on a LAN
>> without needing to individually ping each IPv6 address.
>> targets-ipv6-multicast-invalid-dst
>> http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-invalid-dst.html
>> * Sends an ICMPv6 packet with an invalid extension header to the all-nodes
>> link-local multicast address (<code>ff02::1</code>) to discover (some)
>> available hosts on the LAN. This works because some hosts will respond to
>> this probe with an ICMPv6 Parameter Problem packet.
>> targets-ipv6-multicast-mld
>> http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-mld.html
>> * Attempts to discover available IPv6 hosts on the LAN by sending an MLD
>> (multicast listener discovery) query to the link-local multicast address
>> (ff02::1) and listening for any responses.  The query's maximum response
>> delay set to 0 to provoke hosts to respond immediately rather than waiting
>> for other responses from their multicast group.
>> targets-ipv6-multicast-slaac
>> http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-slaac.html
>> * Performs IPv6 host discovery by triggering stateless address
>> auto-configuration (SLAAC).
>> One of our main criteria for accepting new scripts is that they meet a
>> concrete need of security/networking admins/analysts.  So instead of just
>> saying "this sends an IPv6 blahblah probe and prints the response", tell us
>> why someone might send such a probe and how the information returned can be
>> useful.
>> Also, as Fernando noted, you don't need to base all your ideas on thc-ipv6
>> and the IPv6 Toolkit.  Those are wonderful tools, but you don't need to
>> limit yourself to things they can already do.
>> Cheers, and best wishes for your project!
>> -Fyodor
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

More information about the Ipv6hackers mailing list