Monday, August 2, 2010

Scanning IPv6 Enabled Hosts

Nmap will scan IPv6-enabled hosts if you pass it the -6 switch, but it only does TCP connect scans and no OS identification, which makes sense because OS identification relies on nuances of IPv4 responses.

carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds


carnal0wnage ~: nmap -6 -sV ::ffff:66.148.86.4

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 21:00 UTC
Nmap scan report for ::ffff:66.148.86.4
Host is up (0.024s latency).
Not shown: 795 closed ports, 203 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.9)
8080/tcp open http-proxy Squid webproxy 2.6.STABLE16

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds


Metasploit supports IPv6 as well:

msf auxiliary(http_version) > run

[*] 2002:53e9:a52a:0000:0000:0832:3316:5042 is running nginx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
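Note that the two tools print the same host differently: nmap shows the compressed address (2002:53e9:a52a::832:3316:5042) while metasploit prints every hextet (2002:53e9:a52a:0000:0000:0832:3316:5042), so correlating their results needs a canonical form. The following is an added example, not code from the post or from either tool: it parses the nmap -sV report and the metasploit line quoted above into one inventory key with Python's ipaddress module, and also pulls out the IPv4 address embedded in the IPv4-mapped (::ffff:) and 6to4 (2002::/16) addresses used above. The function and regex names are my own.

```python
import ipaddress
import re

# Constructed sample: the nmap -6 -sV report quoted in the post (column spacing collapsed).
NMAP_OUTPUT = """\
Nmap scan report for 2002:53e9:a52a::832:3316:5042
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
"""
# The matching metasploit http_version line, which prints the address uncompressed.
MSF_LINE = "[*] 2002:53e9:a52a:0000:0000:0832:3316:5042 is running nginx"

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MSF_RE = re.compile(r"^\[\*\] (\S+) is running (.+)$")

def canonical(addr):
    """RFC 5952 compressed text form, so one host gets one inventory key regardless of tool."""
    try:
        return ipaddress.ip_address(addr).compressed
    except ValueError:  # a hostname rather than a literal address: keep it as-is
        return addr

def embedded_ipv4(addr):
    """IPv4 address inside an IPv4-mapped (::ffff:a.b.c.d) or 6to4 (2002::/16) address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    inner = ip.ipv4_mapped if ip.ipv4_mapped is not None else ip.sixtofour
    return None if inner is None else str(inner)

def parse_nmap_sv(text):
    """Turn one nmap -sV report into {'host': canonical address, 'ports': [...]}."""
    report = {"host": None, "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report["host"] = canonical(m.group(1))
        elif m := PORT_RE.match(line):
            report["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4),
                                    "version": m.group(5).strip()})
    return report

def parse_msf_line(line):
    """Turn a metasploit http_version result line into (canonical host, banner)."""
    m = MSF_RE.match(line)
    return (canonical(m.group(1)), m.group(2)) if m else None
```

Feeding both outputs through canonical() gives the same key for the host, and embedded_ipv4() tells you which IPv4 address the ::ffff: and 2002: targets actually correspond to when reconciling them against an IPv4 asset list.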