Discussion:
NSE scripts for scanning IPv6 sub-nets
Raul Fuentes
2013-12-16 03:55:39 UTC
Hello, I was working with Nmap for my master's thesis, which consists of
exploring IPv6 sub-nets; the work was based on the ideas proposed in
http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning-02

As Nmap was key for my thesis, I chose to release my work under the
Creative Commons license and the NSE scripts under the Nmap 6.20 licensing.

In general, I developed the following scripts:

1 - Low-bytes: Be able to scan ::1 to X:X:X:X::FFFF:FFFF
2 - Map 4to6: Be able to scan 192.168.1.1 as X:X:X:X::192.168.1.1
3 - SLAAC: Be able to scan EUI-64 addresses and popular VMs (works up to 24
bits)
4 - Words: A simple dictionary of the low parts (default words like C0CA,
BEEF, etc.)
5 - A technique proposed by myself to retrieve subnet info from DHCPv6
stateful servers.

Personally, I like my final results; the scripts are useful as they reduce
the exploration from 64 bits to 24 or less (however, there is a real risk of
DoS, as http://tools.ietf.org/html/rfc6583 explains). Each set of scripts
can work in any combination, and their arguments give good flexibility (or
so I believed).

The current repository is https://code.google.com/p/itsis-mx/ and the
thesis (which has the best-documented part of the work) is in the same
repository at this URL:
https://itsis-mx.googlecode.com/git/Thesis-spanish.pdf (appendix C, p. 91
has the most practical info for the scripts).

My thesis and the first page of the repository are in Spanish, but the
code is written in English. If the community finds these useful, I'll
begin to work on the wikis to translate the most useful parts of the thesis.
--
Sincerely, Eng. Raul A. Fuentes Samaniego
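The four address patterns Raul lists (low bytes, map4to6, SLAAC/EUI-64 and hex "words") are the predictable interface identifiers a subnet owner should be looking for in their own address plan, because they are exactly what shrinks the 64-bit search the thread talks about. The Python below is an added example for this thread, not code from itsis-mx or Nmap: it builds each candidate form for a documentation prefix and classifies a list of observed addresses by pattern. The word list, the RFC 1918 heuristic used to tell an embedded IPv4 address from a plain low-byte address, and the sample addresses are constructed assumptions.

```python
"""Which IPv6 interface identifiers (IIDs) are guessable?

Added example for the nmap-dev thread, not itsis-mx or Nmap code. Builds the
candidate addresses the low-bytes, map4to6 and SLAAC/EUI-64 patterns produce
and classifies observed addresses so a subnet owner can see how many hosts
sit in the small, predictable corner of the 64-bit IID space."""
import ipaddress
import re

# Constructed word list (assumption); the thread names only C0CA and BEEF.
WORDS = {"c0ca", "beef", "dead", "cafe", "babe", "face", "f00d", "ace"}

# Heuristic (assumption): map4to6 embeds the site's own IPv4 addresses, which
# are usually RFC 1918, so only those count as "ipv4-embedded".
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IID_MASK = (1 << 64) - 1


def mac_to_eui64(mac):
    """Modified EUI-64 (RFC 4291 Appendix A): flip the U/L bit of the first
    octet and splice 0xFFFE between the OUI and the device part."""
    octets = [int(b, 16) for b in re.split(r"[:-]", mac)]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("not a 48-bit MAC: %r" % mac)
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3] + [0xFF, 0xFE] + octets[3:]), "big")


def _compose(prefix, iid):
    """Join a /64 prefix and a 64-bit IID into a host address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("IIDs are defined for /64 prefixes")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def slaac_address(prefix, mac):
    """Address a SLAAC host with this MAC takes in prefix/64 (SLAAC pattern)."""
    return _compose(prefix, mac_to_eui64(mac))


def map4to6_address(prefix, ipv4):
    """prefix::a.b.c.d, the dual-stack habit the map4to6 pattern enumerates."""
    return _compose(prefix, int(ipaddress.IPv4Address(ipv4)))


def low_byte_addresses(prefix, limit):
    """prefix::1 .. prefix::limit, the low-bytes pattern."""
    return [_compose(prefix, n) for n in range(1, limit + 1)]


def classify_iid(addr):
    """Name the guessable pattern an address follows, or 'random'."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if ((iid >> 24) & 0xFFFF) == 0xFFFE:        # ..:xxff:fexx:.. in the middle
        return "eui64"
    hextets = ["%x" % ((iid >> s) & 0xFFFF) for s in (48, 32, 16, 0)]
    nonzero = [h for h in hextets if h != "0"]
    if nonzero and all(h in WORDS for h in nonzero):
        return "wordy"
    if iid < (1 << 32):                          # upper 32 bits of the IID are zero
        embedded = ipaddress.IPv4Address(iid)
        if any(embedded in n for n in RFC1918):
            return "ipv4-embedded"
        return "low-byte"
    return "random"


def audit(addrs):
    """Count how many observed addresses fall into each pattern."""
    counts = {}
    for a in addrs:
        kind = classify_iid(a)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    prefix = "2001:db8:c0ca::/64"                # documentation prefix
    observed = [                                 # constructed sample, not real hosts
        "2001:db8:c0ca::1",
        map4to6_address(prefix, "192.168.1.1"),
        slaac_address(prefix, "00:11:22:33:44:55"),
        "2001:db8:c0ca::dead:beef",
        "2001:db8:c0ca:0:a1b2:c3d4:e5f6:718",
    ]
    for a in observed:
        print("%-40s %s" % (a, classify_iid(a)))
    print(audit(observed))
```

Only the addresses that come out as "random" are outside the reduced search the thread describes; that is what stable-privacy IIDs (RFC 7217) and temporary addresses look like, and it is the reason an audit like this is worth running on a subnet before assuming a /64 is too large to enumerate.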
John Bond
2013-12-16 12:17:18 UTC
Thanks Raul,

It's been in the back of my mind to make
http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning-02 into
a script for, well, for too long. Glad someone else got around to it.
I'll check these out tonight.
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
David Fifield
2013-12-28 23:49:44 UTC
Post by Raul Fuentes
Hello, I was working with Nmap for my master's thesis, which consists of
exploring IPv6 sub-nets; the work was based on the ideas proposed in
http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning-02
As Nmap was key for my thesis, I chose to release my work under the
Creative Commons license and the NSE scripts under the Nmap 6.20 licensing.
This is cool! I saw your scripts at
https://code.google.com/p/itsis-mx/source/browse/.
Post by Raul Fuentes
1 - Low-bytes: Be able to scan ::1 to X:X:X:X::FFFF:FFFF
2 - Map 4to6: Be able to scan 192.168.1.1 as X:X:X:X::192.168.1.1
3 - SLAAC: Be able to scan EUI-64 addresses and popular VMs (works up to 24
bits)
4 - Words: A simple dictionary of the low parts (default words like C0CA,
BEEF, etc.)
5 - A technique proposed by myself to retrieve subnet info from DHCPv6
stateful servers.
What do you think about adapting the scripts to match our existing IPv6
target scripts?

http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-echo.html
http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-invalid-dst.html
http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-mld.html
http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-slaac.html

For number 1, low-bytes scanning, I think that is well-handled now by
Nmap, because it supports CIDR ranges for IPv6 addresses.

David Fifield
Raul Fuentes
2014-01-06 22:17:50 UTC
Hello David, sorry for the late answer, but the holidays and no Internet
were a bad combo.

Post by David Fifield
What do you think about adapting the scripts to match our existing IPv6
target scripts?
http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-echo.html
http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-invalid-dst.html
http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-mld.html
http://nmap.org/nsedoc/scripts/targets-ipv6-multicast-slaac.html
Sure, I can do it, but I have some doubts about how to do it: what exactly
does "adapting" mean here? Change names and the shared vars, or something else?
Post by David Fifield
For number 1, low-bytes scanning, I think that is well-handled now by
Nmap, because it supports CIDR ranges for IPv6 addresses.
Yes, with the current version they are almost the same; the only difference
(aside from performance) is if you want to use the script "itsismx-dhcpv6".
--
Sincerely, Eng. Raul A. Fuentes Samaniego
Daniel Miller
2014-12-02 14:25:55 UTC
Raúl,

I'm sorry it has taken us a year before your scripts made it into Nmap, but
I can happily say that targets-ipv6-recon-map4to6 was added in r33851.

I'm pretty sure I can work through the others fairly well, but I'm curious
about your technique for interrogating DHCPv6 servers to enumerate subnets.
I'm reading through your thesis paper, but my Spanish is poor, especially
in regard to technical topics. I would appreciate a short description in
English that answers these questions:

1. Are all DHCPv6 servers vulnerable to this technique, or does it need a
specific configuration to work? I understand that network devices and ACLs
could block the script, but I mean aside from that.

2. Why can we not just get the subnet directly from the DHCP server? Is the
process of forwarding a request very different from a DHCPv4 request, in
which the response would have all necessary information like netmask,
broadcast address, gateway, etc.?

3. Is there a potential for an automated system of determining subnets 1
bit at a time? Example: given the network 2001:db8:c0ca::/64, can we try
2001:db8:c0ca:8000::/65 and 2001:db8:c0ca:0::/65 and get a rejection from
only one of them? This would allow us to treat the server as a binary
oracle and build a tree of valid subnets.

I apologize if some of these questions seem elementary, but my knowledge of
the protocol is not very deep at the moment, and I have too many other
projects to be able to delve into it deeply. I just need to know enough to
categorize the script and perhaps enhance some of the documentation. Thanks!

Dan
Raul Fuentes
2014-12-02 17:48:44 UTC
Hello,

Many thanks for taking the time to review the code; I'm more than glad
to answer any question.

I'll try to answer the questions as best I can. By the way, since that time
I have written English documentation for each script on the Google Code
website; for the DHCPv6 script this is the link:
https://code.google.com/p/itsis-mx/wiki/DHCPv6
Post by Daniel Miller
1. Are all DHCPv6 servers vulnerable to this technique, or does it need a
specific configuration to work? I understand that network devices and ACLs
could block the script, but I mean aside from that.
When I was looking for DHCPv6 server implementations I only found the
Microsoft version and wide-dhcpv6-server, plus one more, but it was deprecated
and suggested using the WIDE version. So, technically, yes, all the servers
are vulnerable. One reason is that RFC 3315 did not take this into
consideration (it seems this is a very low-risk exploit for the RFC).
Post by Daniel Miller
2. Why can we not just get the subnet directly from the DHCP server? Is
the process of forwarding a request very different from a DHCPv4 request,
in which the response would have all necessary information like netmask,
broadcast address, gateway, etc.?
Yes, for a local request it is very similar to DHCPv4, but the technique was
designed to extract the data of the other subnetworks under the DHCPv6
server's control, and here lies the problem: the servers only check the
IPv6 address of the relay agent origin, then check which prefix domain
matches it and send the answer; that is why I need to spoof the relay
message (the ghost host is just a prerequisite for the relay agent).
Post by Daniel Miller
3. Is there a potential for an automated system of determining subnets 1
bit at a time? Example: given the network 2001:db8:c0ca::/64, can we try
2001:db8:c0ca:8000::/65 and 2001:db8:c0ca:0::/65 and get a rejection from
only one of them? This would allow us to treat the server as a binary
oracle and build a tree of valid subnets.
Short answer: yes, it is possible, and the script already tries to do it (to
a certain point), but it will rely on how the server is configured, with a
risk of false positives (Linux version).

Full answer: the main problem is the fact that the prefix of the spoofed
relay agent is never sent to the server, so the server will match the
relay address against its prefix tables, and this is where things
diverge, as each implementation may do things differently; actually,
wide-dhcpv6 had a minor bug here and was sending false positives where
Microsoft did not (the script checks that). In gen

The main differences between the servers are:
Windows servers handle a prefix table, so they will probably have the same
limitation as routing tables checking the destination IP.
wide-dhcpv6 links a prefix to one interface (if any request goes to that
interface the server doesn't check the relay agent address, it just sends one
address from the prefix configured for that interface); in Spanish, er,
English: for multiple subnetworks you need multiple (logical/virtual)
interfaces (and a wrong configuration will yield incorrect data).

At the time of my master's thesis I didn't have enough time, and I worked with
the Microsoft implementation because it was more faithful to RFC 3315
(this is on page 54 of the thesis).
--
Ate. Raul FUENTES
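Daniel's question 3 and Raul's answer describe two things: a server whose per-prefix yes/no answer can be used as a binary oracle, and the false positives an implementation produces when it answers from the interface the request arrived on instead of from the relay address. The Python below is an added example for this thread, not itsis-mx or Nmap code, and sends nothing: Oracle.has_pool() is an assumed stand-in for the server's answer, with a strict mode (yes only when a configured pool lies inside the prefix) and a lenient, interface-bound mode of the kind Raul describes for wide-dhcpv6. It shows how cheaply the strict oracle gives up its pool layout, how the lenient one turns the same search into one false positive per leaf, and a simple consistency check that flags the lenient case before its results are trusted. The pools, the link prefix and the looks_unreliable() heuristic are constructed assumptions.

```python
"""Daniel's "binary oracle" idea against a mock DHCPv6 server.

Added example for the nmap-dev thread, not itsis-mx or Nmap code. No packets
are sent: Oracle.has_pool() is an assumed stand-in for "does the server
answer for this prefix", used to show why an exact accept/reject leaks the
pool layout in a few dozen questions, and why a server that answers for
anything on its link yields only false positives."""
import ipaddress


class Oracle:
    """Mock server. `pools` are the /64s it really serves; `link` is the
    prefix of the interface it listens on (all constructed values)."""

    def __init__(self, pools, link, strict=True):
        self.pools = [ipaddress.IPv6Network(p) for p in pools]
        self.link = ipaddress.IPv6Network(link)
        self.strict = strict
        self.queries = 0          # how many questions the search asked

    def has_pool(self, prefix):
        self.queries += 1
        if self.strict:
            # Answers only when a configured pool lies inside the prefix.
            return any(p.subnet_of(prefix) for p in self.pools)
        # Interface-bound behaviour: anything that reaches the link gets an
        # address from that interface's pool, regardless of the prefix asked.
        return prefix.subnet_of(self.link)


def find_pools(oracle, prefix, leaf=64):
    """Depth-first bisection: ask about both halves, descend only into the
    accepted ones, stop at /leaf. Returns accepted leaves in address order."""
    prefix = ipaddress.IPv6Network(prefix)
    if not oracle.has_pool(prefix):
        return []
    if prefix.prefixlen >= leaf:
        return [prefix]
    found = []
    for half in prefix.subnets(prefixlen_diff=1):
        found.extend(find_pools(oracle, half, leaf))
    return found


def looks_unreliable(oracle, prefix, depth=4):
    """Consistency check (an assumption, not the script's own test): if every
    sub-prefix `depth` bits down is accepted, the yes answers carry no
    information and the search results must not be trusted."""
    prefix = ipaddress.IPv6Network(prefix)
    return all(oracle.has_pool(s) for s in prefix.subnets(prefixlen_diff=depth))


if __name__ == "__main__":
    pools = ["2001:db8:c0ca:1::/64", "2001:db8:c0ca:8000::/64"]   # constructed
    link = "2001:db8:c0ca::/48"

    strict = Oracle(pools, link)
    found = find_pools(strict, link)
    print([str(p) for p in found], "in", strict.queries, "questions"
          " (vs 65536 /64s under the /48)")

    loose = Oracle(pools, link, strict=False)
    print(len(find_pools(loose, "2001:db8:c0ca::/60")),
          "'pools' reported under one /60 by the interface-bound server")
    print("interface-bound server flagged:", looks_unreliable(loose, link))
    print("strict server flagged:", looks_unreliable(Oracle(pools, link), link))
```

The strict search costs one question for the root plus two per prefix length per pool, so the cost grows with the number of pools and the prefix depth rather than with the size of the address space; that is the leak Daniel is asking about. The lenient oracle accepts all sixteen /64s under the /60, which is the false-positive behaviour Raul attributes to wide-dhcpv6, and the depth-4 check catches it because a server that says yes to every /52 is not answering the question being asked.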