As you may have found out, there are currently not that many tools for testing IPv6, so what does one do when you need to perform an IPv6 port scan? I accomplished this with a tool called Network Toolbox (http://www.laurentconstantin.com/en/netw/netwox/), or simply NETWOX. This tool supports a variety of protocols, including IPv6. On a side note, the TCP reset tool included in NETWOX is always fun: it sniffs the network and sends a TCP RST packet for each TCP connection it detects, effectively closing all TCP connections. Great fun watching the network gurus trying to diagnose that problem.
Back to IPv6 port scanning: you are required to perform a port scan over IPv6. I know nmap has some IPv6 capabilities, but I have not had much luck with it. NETWOX basically lets you send out a specific packet, one at a time, so by automating the process we can effectively create a port scanner. The basic methodology is that I send out an IPv6 TCP packet with the SYN flag set and use a protocol sniffer (Wireshark) to capture the response. All I need to do is send out one packet for each port I want to scan and then examine the sniffer file.
I am running a version of Linux called BackTrack (http://www.remote-exploit.org/backtrack.html) and using a bash script to automate NETWOX. BackTrack has Wireshark built in, so run it during the script's execution and filter by responses from the target (e.g. ip.src == ipaddress). I have found this method to be a reliable way to port scan IPv6 computers. Here is the bash script for performing this:
#!/bin/bash
# Source and destination IPv6 addresses: replace these with your own.
source=aaaa::20b:dbff:fe1e:5574
dest=aaaa::1c26:fea7:10f7:68fd
# Send one TCP SYN per port (netwox tool 146 builds a single IPv6 TCP packet);
# Wireshark, running alongside, records whatever the target sends back.
for ((port=0 ; port<=65535 ; port+=1)); do
    netwox 146 --ip6-src "$source" --ip6-dst "$dest" --tcp-dst "$port" --tcp-syn --tcp-window 32000
done
To use it, save the file as something, then make it executable (chmod 777 filename), replace the source and dest addresses with your correct addresses, then run ./filename. (Make sure that the line starting with netwox through --tcp-window 32000 is on a single line; formatting problems in Blogspot again.) And of course make sure you have netwox installed.
Reviewing the capture, any TCP packet for a particular port from the target computer means that port is open. Cool, huh? (Again, if you don't understand, let me know so I can explain better.)
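The capture review described above, as an added example that is not part of the original post: a small Python triage of the replies to the SYN sweep. It assumes a constructed, simplified per-packet export (ipv6.src, tcp.srcport, tcp.dstport, tcp.flags) rather than real Wireshark output, reuses the addresses from the script, and decides the port state from the reply's flags: a SYN/ACK from the target means open, a RST from the target means closed, and a probe with no reply was filtered or dropped.

```python
"""Triage the capture from a netwox SYN sweep (added example, not from the post).

Records are a constructed, simplified export of the capture, one packet per line:
    <ipv6.src> <tcp.srcport> <tcp.dstport> <tcp.flags>
The flags of the reply, not the mere presence of a reply, decide the port state.
"""
from collections import OrderedDict

SCANNER = "aaaa::20b:dbff:fe1e:5574"   # source address from the post's script
TARGET = "aaaa::1c26:fea7:10f7:68fd"   # destination address from the post's script

SYN, ACK, RST = 0x02, 0x10, 0x04        # TCP flag bits

# Constructed sample: SYN probes to ports 22, 23, 80 and 443, and three replies.
SAMPLE = """\
aaaa::20b:dbff:fe1e:5574 40000 22 0x002
aaaa::1c26:fea7:10f7:68fd 22 40000 0x012
aaaa::20b:dbff:fe1e:5574 40000 23 0x002
aaaa::1c26:fea7:10f7:68fd 23 40000 0x014
aaaa::20b:dbff:fe1e:5574 40000 80 0x002
aaaa::1c26:fea7:10f7:68fd 80 40000 0x012
aaaa::20b:dbff:fe1e:5574 40000 443 0x002
"""


def classify(flags):
    """State implied by the flags of a reply from the target."""
    if flags & RST:
        return "closed"        # RST(/ACK): nothing is listening on that port
    if flags & SYN and flags & ACK:
        return "open"          # SYN/ACK: a listener answered step 2 of the handshake
    return "other"


def triage(records, scanner=SCANNER, target=TARGET):
    """Map each probed port to open / closed / no-response (filtered or dropped)."""
    states = OrderedDict()
    for line in records.splitlines():
        src, sport, dport, flags = line.split()
        sport, dport, flags = int(sport), int(dport), int(flags, 16)
        if src == scanner and flags == SYN:
            states.setdefault(dport, "no-response")   # probe seen, no reply (yet)
        elif src == target:
            states[sport] = classify(flags)          # reply: its source port is the probed port
    return states


if __name__ == "__main__":
    for port, state in triage(SAMPLE).items():
        print(f"{port:5d} {state}")
```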
Now sometimes you receive an ICMP response. What that means depends on the response, but it probably means the port is closed. So what's next: an ICMPv6 port scanner:
#!/bin/bash
# Link-local source and destination addresses: replace these with your own.
source=fe80::20b:dbff:fe1e:5574
dest=fe80::1c26:fea7:10f7:68fd
# Send one ICMPv6 packet for every type/code pair in the chosen range
# (netwox tool 147 builds a single IPv6 ICMPv6 packet).
for ((type=129 ; type<=130 ; type+=1)); do
    for ((code=0 ; code<=255 ; code+=1)); do
        netwox 147 --ip6-src "$source" --ip6-dst "$dest" --icmp-type "$type" --icmp-code "$code"
    done
done
It sends out all possible ICMPv6 type and code combinations. However, netwox will not send out illegal type and code combinations. For true ICMPv6 scanning (illegal combinations) I like to use the THC libraries written about in the IPv6 firewall testing post (Nov).
This one is for UDP scanning; any response from the target on a specific port means that port is open:
#!/bin/bash
# Source and destination IPv6 addresses: replace these with your own.
source=8888::20b:dbff:fe1e:5574
dest=aaaa::1c26:fea7:10f7:68fd
# Send one UDP datagram per port, using the same port as source and destination
# (netwox tool 145 builds a single IPv6 UDP packet).
for ((port=0 ; port<=65535 ; port+=1)); do
    netwox 145 --ip6-src "$source" --ip6-dst "$dest" --udp-dst "$port" --udp-src "$port"
done
So you get the idea: a neat little way to perform port scanning in IPv6. Netwox is a neat little collection of tools that is easy to use and very useful (especially the make coffee tool). I have also used it to perform IPv4 ICMP scans; it's amazing sometimes what happens when you send some weird ICMP packets to a computer. Sometimes it answers back even if it is programmed not to answer ICMP packets!
Thursday, November 8, 2007
Scripting Netwox (IPv6 Port Scanning)
Posted by ecore at 3:48 PM
Labels: computer security, networking