[ipv6hackers] Justification for network recon of IPv6 space

[Marc Heuse]

Hi Joe,

On 25.09.2015 15:32, Joe Klein wrote:
> I was just reading Network Reconnaissance in IPv6 Networks,
> draft-ietf-opsec-ipv6-host-scanning-08,
> and must say it is a good read (Nice job Fernando). But it left me with one
> question, and that is, Why is Network Reconnaissance still valid in an IPv6
> world?
> 
> So it was useful during the 80's and 90's to know what was on your network
> because at that time, router and DHCP logging sucked, and you wanted to
> know who put what on your network.

Today you would dump the ARP/Neighbor table of your switches (instead of
alive scanning your network) and from this compile your inventory and do
further port/vulnerability scanning etc.

> Around 2000, nmap was released and
> everyone one that could take a SANS or hacker classes began using it to
> scan their and other networks. From a defender's standpoint, this just
> added additional noise into the system, increasing logs and making it
> harder to identify attackers.

and is not best practice for this reason, see above.
And additionaly an ineffective choice for IPv6.

> Now we have IPv6, and through the use of private tools available since
> 2004, and public tools since 2006 (van Hauser rocks!),

thanks :)

> we have begun seeing
> the increase of noise. Small at first, but has been increasing in the last
> year.
> 
> So my question to the group, who would have value for this information and
> for what purpose? Can someone clue me in? Comments?

for pentesting assignments the network scanning is an important step,
you want to know what a criminal would know and see about your network.
in a professionel pentest though you make a break after the alive
scanning and check back with the customer to get the complete list as
otherwise your assessment could (very likely) be incomplete.

Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D  3807 C7EE D0A0 6BE9 F573