minvws / nl-kat-coordination

OpenKAT scans networks, finds vulnerabilities and creates accessible reports. It integrates the most widely used network tools and scanning software into a modular framework, accesses external databases such as shodan, and combines the information from all these sources into clear reports. It also includes lots of cat hair.
https://openkat.nl
European Union Public License 1.2

Scanning IPv6(-ranges) #1342

Open zcrt opened 1 year ago

zcrt commented 1 year ago

Is your feature request related to a problem? Please describe.

Following https://github.com/minvws/nl-kat-coordination/pull/1340#discussion_r1253018263 and https://github.com/minvws/nl-kat-coordination/issues/1281 some investigation is needed into proper scanning of IPv6(-ranges).

Describe the solution you'd like

  1. Making sure all relevant Docker containers support IPv6 scanning.
  2. Making sure the installation/infra/setup as a whole supports IPv6 connectivity.
  3. Making sure all relevant boefjes (and normalizers/bits) are configured correctly for IPv6(-ranges) (Nmap, masscan, ...).

Additional context

dekkers commented 1 year ago

There is no way to scan IPv6 ranges. A consumer normally gets /48 from their provider. That is 1208925819614629174706176 IP addresses...

underdarknl commented 1 year ago

Action: Remove IPv6 range as input from range scanners. (We can keep it for other boefjes which only do a single call (shodan, whois, rdns etc.).)

synnack commented 10 months ago

Acktually, there are multiple ways to scan IPv6, though not directly. You can scan based on reverse DNS PTR existence. In some cases it is possible to observe certain patterns in IPv6 host allocation, for example, IPv4 has 192.0.8.1 and 2001:db8::192:0:8:1, or maybe just ::8:1, or hex representation of part of the IPv4 address, or maybe just sequentially allocated. Another common pattern is EUI-48 addresses (those with ff:fe in them), where one can assume a common vendor for the network cards/hypervisor and only have 2^24 left to scan.

Some of these strategies are implemented by ipv666 and scan6.

Please note that it's easy to exhaust the neighbor table size/lookup performance of routers with such scans; limit the number of lookups required per second to something reasonable, like 1000 hosts per second or so.

In any case you'd have to 'seed' the start of the scan with all the data that you have gathered (for instance through forward DNS, certificate transparency records, participation in NTP pools, etc).
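An added example in Python (not OpenKAT's own code) that sketches the two points made in this thread: the input guard from underdarknl's action item, which lets range scanners take IPv4 networks but only single IPv6 hosts, and candidate generation for a known /64 from synnack's allocation patterns (IPv4 digits reused as hextets, the host part only, hex-embedded IPv4, and a SLAAC/EUI-64 address from a vendor MAC). The prefix, IPv4 address and MAC below are constructed sample values.

```python
import ipaddress


def range_scanner_accepts(cidr: str) -> bool:
    """Input guard for range scanners (Nmap, masscan, ...): any IPv4 network
    is acceptable, but IPv6 only as a single host (/128), since even a
    consumer /48 holds 2**80 addresses and cannot be swept."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 or net.prefixlen == 128


def _hextets(values: list[int]) -> int:
    """Pack a list of 16-bit values into one integer (the interface-id part)."""
    iid = 0
    for v in values:
        iid = (iid << 16) | v
    return iid


def ipv4_pattern_candidates(prefix: str, v4: str) -> list[str]:
    """Candidate IPv6 addresses inside a /64 for a host whose IPv4 address is
    known, following the allocation patterns described in the thread."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface-id patterns assume a /64 prefix")
    o = ipaddress.IPv4Address(v4).packed
    dec = [int(str(b), 16) for b in o]  # decimal digits written as hex: 192 -> 0x192
    iids = {
        _hextets(dec),                                   # 192.0.8.1 -> ::192:0:8:1
        _hextets(dec[2:]),                               # host part only -> ::8:1
        _hextets(dec[3:]),                               # last octet only -> ::1
        _hextets([o[0] << 8 | o[1], o[2] << 8 | o[3]]),  # hex-embedded -> ::c000:801
        _hextets([o[2] << 8 | o[3]]),                    # hex of host part -> ::801
    }
    base = int(net.network_address)
    return [str(ipaddress.IPv6Address(base | iid)) for iid in sorted(iids)]


def eui64_candidate(prefix: str, mac: str) -> str:
    """SLAAC-style address from a MAC: flip the U/L bit of the OUI and insert
    ff:fe. With the vendor OUI fixed, only the 24-bit NIC part varies (2**24)."""
    net = ipaddress.IPv6Network(prefix)
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # universal/local bit
    iid = int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))
```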