{"id":92,"date":"2017-07-09T10:35:23","date_gmt":"2017-07-09T08:35:23","guid":{"rendered":"http:\/\/itsec.andreas-klingler.de\/?p=92"},"modified":"2023-12-20T19:14:30","modified_gmt":"2023-12-20T18:14:30","slug":"ipv6-global-scanning","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=92","title":{"rendered":"IPv6 enumeration"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Linux<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Detect IPv6&nbsp;hosts<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">There is no arp table like in Ethernet\/IPv4. But we can sim\u00adu\u00adlate is as fol\u00adlows to <strong>list all neight\u00adbours \/ direct\u00adly reach\u00adable hosts<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ping6 -c 5 ff02::1%eth0 &gt;\/dev\/null\nip -6 neigh<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Bonus: <code>ip neigh<\/code> shows the IPv4 address res\u00ado\u00adlu\u00adtion table like the arp com\u00admand&nbsp;does.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Detect IPv6 addresses for known IPv4 addresses<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario: You know a IPv4 address from a tar\u00adget. You don\u2019t know the IPv6 address which you want to&nbsp;scan.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Send a mul\u00adti\u00adcast ping to all inter\u00adface-local and link-local address\u00ades:<br><code>ping6 -c 5 ff02::1%eth0<\/code><\/li><li>Check the neigh\u00adbours cache:<br><code>ip neigh<\/code><\/li><li>Check which <span class=\"caps\">MAC<\/span> address the device has with the IPv4 address you&nbsp;know.<\/li><li>Search through the out\u00adput where the same <span class=\"caps\">MAC<\/span> address appears again.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># ping6 -c 2 ff02::1%eth0<br>...<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">root@slingshot:\/tmp\/jwp0ppy# ip neigh\n192.168.178.21 dev eth0 lladdr 38:f9:d3:04:9b:32 REACHABLE\n192.168.178.1 dev eth0 lladdr dc:39:6f:41:c8:52 STALE\n<strong>192.168.178.67 dev eth0 lladdr 00:0c:29:57:25:7c STALE<\/strong>\nfe80::811:8e3e:4b7:8bdf dev eth0 lladdr 38:f9:d3:04:9b:32 REACHABLE\n2001:a61:5e2:b201:45ae:677a:96cc:aff9 dev eth0 lladdr 00:0c:29:57:25:7c STALE\nfe80::6680:2d5d:4265:c42d dev eth0 lladdr 74:da:38:00:6a:a0 REACHABLE\n<strong>fe80::3a9e:a01b:2eb5:bcda dev eth0 lladdr 00:0c:29:57:25:7c REACHABLE<\/strong>\nfe80::20c:29ff:fe07:5872 dev eth0 lladdr 8c:85:90:5e:08:33 REACHABLE\nfe80::c12:759d:2d68:5c73 dev eth0 lladdr 70:14:a6:63:40:d6 REACHABLE<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now we know that the device with IPv4 <code>192.168.178.67<\/code> is also reach\u00adable via IPv6 <code>fe80::3a9e:a01b:2eb5:bcda<\/code>. <strong>Note<\/strong> that this is a link-local address, which means that you have to pro\u00advide the inter\u00adface name at each usage. E.g. <code>nmap -sT fe80::3a9e:a01b:2eb5:bcda%eth0<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><a href=\"https:\/\/tools.kali.org\/information-gathering\/thc-ipv6\">thc-ipv6<\/a><\/strong>: Ton of tools for IPv6 networking.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lin\u00adux Detect IPv6&nbsp;hosts There is no arp table like in Ethernet\/IPv4. But we can sim\u00adu\u00adlate is as fol\u00adlows to list all neight\u00adbours \/ direct\u00adly reach\u00adable hosts: ping6 \u2011c 5 ff02::1%eth0 &gt;\/dev\/null ip \u20116 neigh Bonus: ip neigh shows the IPv4 address res\u00ado\u00adlu\u00adtion table like the arp com\u00admand&nbsp;does. Detect IPv6 address\u00ades for known IPv4 address\u00ades Scenario:&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470],"tags":[7,26,18],"class_list":["post-92","post","type-post","status-publish","format-standard","hentry","category-active-enum","tag-information-gathering","tag-ipv6","tag-sniffing"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/92","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92"}],"version-history":[{"count":4,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/92\/revisions"}],"predecessor-version":[{"id":3117,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/92\/revisions\/3117"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}