[ipv6hackers] Justification for network recon of IPv6 space
mh at mh-sec.de
Sat Sep 26 13:43:41 CEST 2015
On 25.09.2015 15:32, Joe Klein wrote:
> I was just reading Network Reconnaissance in IPv6 Networks,
> and must say it is a good read (Nice job Fernando). But it left me with one
> question, and that is, Why is Network Reconnaissance still valid in an IPv6
> So it was useful during the 80's and 90's to know what was on your network
> because at that time, router and DHCP logging sucked, and you wanted to
> know who put what on your network.
Today you would dump the ARP/Neighbor table of your switches (instead of
alive scanning your network) and from this compile your inventory and do
further port/vulnerability scanning etc.
> Around 2000, nmap was released and
> everyone one that could take a SANS or hacker classes began using it to
> scan their and other networks. From a defender's standpoint, this just
> added additional noise into the system, increasing logs and making it
> harder to identify attackers.
and is not best practice for this reason, see above.
And additionaly an ineffective choice for IPv6.
> Now we have IPv6, and through the use of private tools available since
> 2004, and public tools since 2006 (van Hauser rocks!),
> we have begun seeing
> the increase of noise. Small at first, but has been increasing in the last
> So my question to the group, who would have value for this information and
> for what purpose? Can someone clue me in? Comments?
for pentesting assignments the network scanning is an important step,
you want to know what a criminal would know and see about your network.
in a professionel pentest though you make a break after the alive
scanning and check back with the customer to get the complete list as
otherwise your assessment could (very likely) be incomplete.
PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573
More information about the Ipv6hackers