July 13, 2022

Scanning IPv6 with v6disc

v6disc is a shell script that was created to quickly and automatically discover IPv6 hosts with the option to ping or run nmap against discovered hosts.

Table of Contents

Introduction

Before we begin

Setting up v6disc

Discovering and scanning IPv6 with v6disc

Conclusion

Other articles in this series

Introduction

v6disc is not a port scanner per se, but a shell script to discover IPv6 hosts in the neighbourhood of your system. It also has support to run nmap to perform actual port scans but more as a wrapper than a native implementation of any tool.

The author of the scripts presents 3 reasons to use v6disc.sh

  1. Scan an IPv6 network 700,000 times faster than nmap
  2. Auto Discovery of IPv6 hosts on the network
  3. Quickly figure out what IPv6 is already on your network

Using parallelism, v6disc.sh scans a /64 subnet in less than 5 seconds (unverified), that is about 18,446,744,073,709,551,616 (2^64) potential addresses on a LAN segment. This speed is limited to the local network.

While playing around with the script, I realised that the best use of this script is to discover neighbouring hosts within your LAN segment and then use the other tools we have covered in this series to run specific port scans. You can also simply use the -N option to perform an nmap -6 -sT scan via v6disc itself.

The current code has a bug with the nmap scanning part as shown below, but we patched the bug locally and were able to continue using nmap for port scanning of a discovered scope.

Patch or bug with the nmap scanning part

Note: As is with any security software, make sure that the scans are conducted on the networks where you are allowed to do so with appropriate permissions.

Before we begin

Like any other IPv6 scanning tool, your system needs to support IPv6 in order to utilise v6disc’s scanning capabilities. To verify that your system and network are properly configured to have IPv6 access, you can run either of the following commands:

  1. ip -6 addr
ip -6 addr

  1. ifconfig | grep inet6

ifconfig | grep inet6

Setting up v6disc

Setting up v6disc is a straightforward process on most Linux installations with the only exception of needing nmap installed if you want to use the port scanning feature. The script requires bash, ip, grep, tr, sed, sort, cut, awk, ping6 and ping, which by default are installed on most Linux distros.

Some limitations with v6disc include:

  1. Only detects hosts on locally attached network
  2. May not discover Windows machines which don't respond to a ping6 to multicast address FF02::1
  3. Although MacOS X is supported (as of version 2.0), FreeBSD is still not supported. Similarly Windows is not supported as well.

The script heavily relies on the output of the ip command and its output format. To get the script running on MacOS (which doesn’t have the ip command), the script will automatically include ip_em.sh, the ip command emulator script.

To install the script, clone the repo and run the script.

git clone https://github.com/cvmiller/v6disc.git
cd v6disc
./v6disc.sh -h

To install the script, clone the repo and run the script.

Discovering and Scanning IPv6 with v6disc

The script can be run by calling it without any arguments. The default action is to discover IPv6 hosts in the neighbourhood directly reachable from the host via a single hop.

./v6disc.sh

./v6disc.sh

To use the nmap port scanning feature we use the -N argument that invokes nmap with the -6 -sT -F options. However, owing to a bug with the script, the nmap scanning doesn’t work. A quick patch however, allows for the nmap scanning to proceed as designed.

./v6disc.sh -N

./v6disc.sh -N

Conclusion

In this article we looked at v6disc, which is a bash script on top of common network utilities in Linux that is used to perform IPv6 host discovery in the neighbourhood. The script can also be used to scan for IPv6 hosts using nmap that has to be installed in order to use the script’s scanning capabilities.

This article is the last of the series on scanning IPv6 addresses. In the previous articles we looked at nmap, fi6s, rustscan and massscan as the other tools that can be used to scan IPv6 networks. 

While the adoption of IPv6 isn’t absolute yet, a multitude of services in the cloud respond to and can be configured to work with IPv6. From a security perspective it is important to be able to discover and scan for running services using IPv6.

Other Articles in this series:

Tools for Scanning IPv6 networks

Scanning IPv6 with Nmap

Scanning IPv6 with fi6s

Scanning IPv6 with RustScan

Scanning IPv6 with Masscan

***

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security. Receive alerts for Academy by subscribing here.

Written by:
Riyaz Walikar

Riyaz Walikar

Chief Hacker

Riyaz is a security evangelist, offensive security expert and researcher with over a decade of experience in the cyber security industry. His passion to break into some of the most well defended networks and systems in his career spanning 15 years has earned him a lot respect within the security industry. He has led Security Assessment and Penetration Testing teams at Pricewaterhouse Coopers (PwC) and Appsecco, and the Product Security Team at Citrix before co-founding Kloudle. Riyaz now specializes in cloud native, container and cloud security in general, helping build an easy to use security management platform to help companies enhance their visibility in the cloud, identify security misconfigurations and automate remediation for security gaps enabling compliance and operational security in multi-cloud environments. He is also an avid speaker and trainer and presents his research and findings at security conferences and community meetups around the world including BlackHat USA, BH Europe, BH Asia, nullcon and OWASP AppsecUSA.Specialties: Cloud (AWS, GCP, Azure, IBM, Others) Security, Cloud-Native Security, Kubernetes, Container Security, Web Application Security, Network and System Penetration Testing, Wireless Network Security, Malware Analysis and Reverse Engineering, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering. Certifications: CKA, CKAD, OSCP

Read more