in a discussion with a friend recently the thought occurred to me that due to how NOERROR and NXDOMAIN in DNS work, finding all existing reverses in an ip6.arpa reverse zone could be done very quickly.
I have written a blog post at http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa that explains the workings. Code at https://github.com/habbie/ip6-arpa-scan/
I was unable to find any existing references to this trick; if you do have any, please let me know!
Kind regards,
Peter van Dijk
_______________________________________________
Ipv6hackers mailing list
Ipv6h...@lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers
$ dig +short ns4.bbn.com AAAA
2620:3b:0:107a::d
$ dig b.3.0.0.0.2.6.2.ip6.arpa
; <<>> DiG 9.7.3-P3 <<>> b.3.0.0.0.2.6.2.ip6.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12071
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;b.3.0.0.0.2.6.2.ip6.arpa. IN A
;; AUTHORITY SECTION:
0.0.0.2.6.2.ip6.arpa. 3482 IN SOA z.arin.net. dns-ops.arin.net. 2012032901 10800 3600 691200 3600
;; Query time: 93 msec
;; SERVER: 128.33.0.20#53(128.33.0.20)
;; WHEN: Thu Mar 29 16:26:40 2012
;; MSG SIZE rcvd: 96
We show this trick in our IPv6 security course.
We developed fairly efficient proof-of-concept code that is able to
enumerate the whole reverse zone in a very reasonable time.
(Autogenerated subnets need to be skipped.)
> I was unable to find any existing references to this trick; if you do
> have any, please let me know!
We couldn't find any reference either, but we've been told that it's
been known for a long time, even before IPv6 existed. The same trick can
be applied to IPv4, it's just less useful/efficient there.
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
On Mar 29, 2012, at 16:33 , Simon Perreault wrote:
> On 03/28/12 22:23, Peter van Dijk wrote:
>> in a discussion with a friend recently the thought occurred to me
>> that due to how NOERROR and NXDOMAIN in DNS work, finding all
>> existing reverses in an ip6.arpa reverse zone could be done very
>> quickly.
>
> We show this trick in our IPv6 security course.
Oh! Well, good to hear people already know about it. Do you have any slides or such I could see?
> We developed fairly efficient proof-of-concept code that is able to enumerate the whole reverse zone in a very reasonable time. (Autogenerated subnets need to be skipped.)
>
>> I was unable to find any existing references to this trick; if you do
>> have any, please let me know!
>
> We couldn't find any reference either, but we've been told that it's been known for a long time, even before IPv6 existed. The same trick can be applied to IPv4, it's just less useful/efficient there.
I have used the trick in the past on forward zones that had many second-level delegations but no first-level delegations. Worked wonders there too.
Kind regards,
Peter van Dijk
On Thu, Mar 29, 2012 at 04:33:45PM +0200, Simon Perreault wrote:
> We developed fairly efficient proof-of-concept code that is able to
> enumerate the whole reverse zone in a very reasonable time.
> (Autogenerated subnets need to be skipped.)
What does it do if wildcards are used?
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (89) 32356-444
Management board: Sebastian v. Bomhard; Chairman of the supervisory board: A. Grundner-Culemann
Commercial register: HRB 136055 (AG Muenchen); VAT ID: DE813185279
I have never read about this before, so I'd guess you are the first,
congrats!
there seems to be a bug in your tool - I played a bit, it has done >
70kb requests and has not found a reverse entry I know exists - and I
confirmed that your technique works on that DNS server.
I decided to add this functionality to the dnsdict6 tool in my thc-ipv6
package :-)
Greets,
Marc
--
Marc Heuse
www.mh-sec.de
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
On Mar 29, 2012, at 17:24 , Marc Heuse wrote:
> This is very interesting.
>
> I have never read about this before, so I'd guess you are the first,
> congrats!
>
> there seems to be a bug in your tool - I played a bit, it has done >
> 70kb requests and has not found a reverse entry I know exists - and I
> confirmed that your technique works on that DNS server.
Interesting! Is the server you are testing against publicly reachable?
Cheers, Peter
On Mar 29, 2012, at 16:39 , Gert Doering wrote:
> Hi,
>
> On Thu, Mar 29, 2012 at 04:33:45PM +0200, Simon Perreault wrote:
>> We developed fairly efficient proof-of-concept code that is able to
>> enumerate the whole reverse zone in a very reasonable time.
>> (Autogenerated subnets need to be skipped.)
>
> What does it do if wildcards are used?
Presumably it will do 2^(128-prefixlen) queries and the user will abort it. I have not added any intelligence for detecting non-optimal situations.
Cheers, Peter
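As an added illustration of the mechanism Peter's original post describes (prune the walk on NXDOMAIN, descend on NOERROR) and of the wildcard case Gert asks about, here is a constructed, offline model: an in-memory stand-in for an authoritative reverse zone plus the nibble-by-nibble walk run against it. It is not code from ip6-arpa-scan or dnsrevenum6; the host addresses are made up, and the `looks_like_wildcard` probe and the `max_queries` budget are my own assumptions about how a tool might cope with the situations discussed above, not a description of either tool. It shows that three hosts in a sparse /48 cost a few hundred queries rather than 2^80, and that a wildcard makes every name NOERROR so the pruning disappears, which is also why the number Peter gives (2^(128-prefixlen)) is the worst case.

```python
"""Toy model of the NOERROR/NXDOMAIN ip6.arpa tree walk discussed in this thread.

Constructed example: an in-memory stand-in for an authoritative reverse zone,
not a network client. It exists to show (a) why the walk needs only a few
hundred queries for a sparse /48 instead of 16^20, and (b) why a wildcard
zone turns every node into NOERROR and removes the pruning.
"""
import ipaddress
import random

NIBBLES = "0123456789abcdef"


def reverse_apex(prefix):
    """'2001:db8:1::/48' -> ('1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa', 20).

    Returns the ip6.arpa name of the prefix and the number of nibbles
    still to be walked below it.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean apex")
    hexdigits = net.network_address.exploded.replace(":", "")
    fixed = hexdigits[: net.prefixlen // 4]
    return ".".join(reversed(fixed)) + ".ip6.arpa", (128 - net.prefixlen) // 4


def reverse_name_to_address(name):
    """Full 32-nibble ip6.arpa name -> compressed IPv6 address string."""
    nibbles = name[: -len(".ip6.arpa")].split(".")
    hexdigits = "".join(reversed(nibbles))
    grouped = ":".join(hexdigits[i:i + 4] for i in range(0, 32, 4))
    return str(ipaddress.IPv6Address(grouped))


class FakeReverseZone:
    """Answers only with an rcode, like the HEADER line of the dig output above.

    Every label suffix of a PTR owner name exists as an empty non-terminal,
    so a query for it gets NOERROR; anything else gets NXDOMAIN, unless the
    zone is built with wildcard=True, in which case everything is NOERROR.
    """

    def __init__(self, addresses, wildcard=False):
        self.wildcard = wildcard
        self.queries = 0  # running tally, so the cost of a walk can be measured
        self.names = set()
        for addr in addresses:
            labels = ipaddress.IPv6Address(addr).reverse_pointer.split(".")
            for i in range(len(labels)):
                self.names.add(".".join(labels[i:]))

    def rcode(self, qname):
        self.queries += 1
        if self.wildcard or qname in self.names:
            return "NOERROR"
        return "NXDOMAIN"


def looks_like_wildcard(zone, apex, depth, probes=3):
    """Assumed heuristic: random full-length names should be NXDOMAIN in a real zone."""
    for _ in range(probes):
        labels = random.choices(NIBBLES, k=depth)
        if zone.rcode(".".join(labels) + "." + apex) == "NXDOMAIN":
            return False
    return True


def walk(zone, apex, depth, max_queries=None):
    """Depth-first nibble walk: descend only into children that answer NOERROR.

    Returns (addresses_found, complete); complete is False when the query
    budget ran out before the whole tree was explored.
    """
    found = []
    stack = [(apex, 0)]
    while stack:
        if max_queries is not None and zone.queries >= max_queries:
            return sorted(found, key=ipaddress.IPv6Address), False
        name, d = stack.pop()
        if d == depth:  # full 32-nibble name: a host with a PTR record
            found.append(reverse_name_to_address(name))
            continue
        for nib in NIBBLES:
            child = nib + "." + name
            if zone.rcode(child) == "NOERROR":
                stack.append((child, d + 1))
    return sorted(found, key=ipaddress.IPv6Address), True


if __name__ == "__main__":
    hosts = ["2001:db8:1::1", "2001:db8:1::2", "2001:db8:1:a5::10"]  # constructed
    apex, depth = reverse_apex("2001:db8:1::/48")
    zone = FakeReverseZone(hosts)
    print("wildcard suspected:", looks_like_wildcard(zone, apex, depth))
    addrs, complete = walk(zone, apex, depth)
    print(addrs, complete, zone.queries, "queries instead of", 16 ** depth)
    wild = FakeReverseZone(hosts, wildcard=True)
    print("wildcard suspected:", looks_like_wildcard(wild, apex, depth))
    print(walk(wild, apex, depth, max_queries=500))
```

Against a real server, `rcode` would be replaced by an actual query that returns the status field from the response header (the `status: NXDOMAIN` shown in the dig output earlier in the thread). The three constructed hosts share the first two nibbles below the /48 and then split into two branches, so the walk visits 37 interior nodes at 16 queries each, 592 queries in total; the wildcard zone never prunes, and only the budget stops it.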
> Hi Gert,
>
> On Mar 29, 2012, at 16:39 , Gert Doering wrote:
>
>> Hi,
>>
>> On Thu, Mar 29, 2012 at 04:33:45PM +0200, Simon Perreault wrote:
>>> We developed fairly efficient proof-of-concept code that is able to
>>> enumerate the whole reverse zone in a very reasonable time.
>>> (Autogenerated subnets need to be skipped.)
>>
>> What does it do if wildcards are used?
>
> Presumably it will do 2^(128-prefixlen) queries and the user will abort it. I have not added any intelligence for detecting non-optimal situations.
Question was not for me, I see. Apologies :)
On Mar 29, 2012, at 17:24 , Marc Heuse wrote:
> This is very interesting.
>
> I have never read about this before, so I'd guess you are the first,
> congrats!
>
> there seems to be a bug in your tool - I played a bit, it has done >
> 70kb requests and has not found a reverse entry I know exists - and I
> confirmed that your technique works on that DNS server.
Based on this report and some private communication with Marc, I have added:
- a running tally of prefixes found
- support for aborting with ^C (script will report all prefixes found so far)
- a percentage progress indicator (very unreliable due to networks concentrating their hosts in the lower numeric regions of their networks)
All these fixes have been pushed to github.
As far as I can see, Marc did not find a bug - he is just finding that even this technique needs non-trivial running time on networks around size /32.
Cheers, Peter
/bill
I am done with the version for the thc-ipv6 toolkit. As it will still take
some time until the 2.0 release, and the topic is current, attached is
the code.
highlights:
* detects wildcard DNS servers
* adapts to lossy/slow DNS server
* fast but non-flooding
* alternatively specifying the reverse domain as 2001:db8::/56 or 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
copy the C file into the thc-ipv6-1.x folder where the tools were
already compiled, then:
gcc -O2 -o dnsrevenum6 dnsrevenum6.c thc-ipv6-lib.o -lcrypto -lssl -lpcap
/prg/thc-ipv6 # time ./dnsrevenum6 81.169.163.39 2a01:238:42a8:e700::/48
Starting DNS reverse enumeration of 2a01:238:42a8:e700:: on server 81.169.163.39
Found: h2006391.stratoserver.net. is 2a01:238:42a8:7900:8960:d3b3:29ce:f73b
Found: spontanplan.com. is 2a01:238:42a8:a500:ea3b:e256:264d:b539
Found: mh-sec.de. is 2a01:238:42a8:e700:454:cae7:ad64:4621
Found: tumelum.de. is 2a01:238:42a8:f000:60da:a625:9507:84da
Found 4 entries.
real 0m8.493s
user 0m0.000s
sys 0m0.172s
Greets,
Marc
Great work, that changes the game.
Mike
On Wed, Mar 28, 2012 at 4:23 PM, Peter van Dijk <pe...@7bits.nl> wrote:
> Hi folks,
>
> in a discussion with a friend recently the thought occurred to me that due
> to how NOERROR and NXDOMAIN in DNS work, finding all existing reverses in
> an ip6.arpa reverse zone could be done very quickly.
>
> I have written a blog post at
> http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa that explains the workings. Code at
>
> something very similar to this was suggested to John Heidemann (USC/ISI) about a year ago
> when he was looking at how to map IPv6 space.
>
> /bill
>
> On Wed, Mar 28, 2012 at 10:23:22PM +0200, Peter van Dijk wrote:
>> Hi folks,
>>
>> in a discussion with a friend recently the thought occurred to me that due to how NOERROR and NXDOMAIN in DNS work, finding all existing reverses in an ip6.arpa reverse zone could be done very quickly.
>>
>> I have written a blog post at http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa that explains the workings. Code at https://github.com/habbie/ip6-arpa-scan/
>>
>> I was unable to find any existing references to this trick; if you do have any, please let me know!
https://github.com/lp0/ip6walk
I was playing with this last spring/summer, looks like it is roughly a year old.
On 03/30/2012 01:08 PM, bman...@vacation.karoshi.com wrote:
>
> something very similar to this was suggested to John Heidemann (USC/ISI) about a year ago
> when he was looking at how to map IPv6 space.
Do you have any reference I could cite for this?
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492