packet m0nkey http://blog.willurbanski.com Will Urbanski's Blog Tue, 03 Apr 2012 01:25:37 +0000 en hourly 1 http://wordpress.org/?v=3.3.2 Mapping IPv6 hosts using inaddr.arpa http://blog.willurbanski.com/archives/15 http://blog.willurbanski.com/archives/15#comments Tue, 03 Apr 2012 01:25:37 +0000 wuadmin http://blog.willurbanski.com/?p=15 There’s been an interesting thread on the ipv6hackers mailing list lately discussing how to use inaddr.arpa to map an IPv6 subnet. The code, available on github, will query a nameserver to find live hosts on a given subnet. Support for the ip6.arpa mapping technique has already been added to the thc-ipv6 suite!

]]> http://blog.willurbanski.com/archives/15/feed 0 Finding live hosts on an IPv6 network http://blog.willurbanski.com/archives/8 http://blog.willurbanski.com/archives/8#comments Mon, 26 Mar 2012 23:59:41 +0000 wuadmin http://blog.willurbanski.com/?p=8 Today I was re-watching Marc Heuse’s 2012 CCC presentation on recent insecurities in IPv6 (if you know anything about IPv6 skip the first 30 slides). In case you don’t already know, blanket port scanning for host identification in Ipv6 is essentially useless. Due to the address space it’s infeasible that you will find someone if they are trying to hide. That is the key though, the massive, unconventional hex-based IPv6 addressing scheme is in some senses more of a hassle than helpful when you consider the numerous layer X technologies it is replacing (ARP, IPv4, NAT). Because of unconventional (and hard to remember) address scheme network administrators seem to have taken a simplification approach to the problem. Heuse outlines how to scan for hosts if you are looking for IPv6 addresses, the strategies are outlined here:

1) Check ::1-X, where X is a larger number {1000,…}

To make networks more organized network admins have been caught numbering their hosts sequentially. While these numbers are essentially worthless without reverse DNS they make administration easy, and scanning easier!

2) Check ::X:p, ::p, where X is a large number {1,2,3,..}, and p is a common port {80,443,22,23,445,3389, etc}

Again, same reasoning as above. Network admins want to make Ipv6 maintainable and using a simple networking scheme makes network and firewall management more convenient. One major IPv6 deployment is guilty of using this strategy.

3) Check ::X:Y, where X and Y are in the set of english, leet-speak words that can be spelled in hexadecimal format.

Dead beef, b00b, babe, all abound in this namespace.

 

 

]]> http://blog.willurbanski.com/archives/8/feed 0