Provided by: ipv6toolkit_2.0+ds.1-1_amd64 bug

NAME

       scan6 - An IPv6 host scanner

SYNOPSIS

       scan6  [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR[/LEN | -L] [-r] [-S LINK_SRC_ADDR |
       -R] [-p PROBE_TYPE] [-P PAYLOAD_SIZE] [-o  SRC_PORT]  [-a  DST_PORT]  [-X  TCP_FLAGS]  [-P
       ADDRESS_TYPE]  [-e]  [-x  RETRANS]  [-o  TIMEOUT] [-V VM_TYPE] [-b] [-B IPV4_ENCODING] [-k
       IEEE_OUI] [-K VENDOR] [-m PREFIXES_FILE] [-w IIDS_FILE] [-W IID] [-T] [-Q PREFIX/LEN]  [-I
       INC_SIZE] [-c [-r LIMIT] [-l] [-z SECONDS] [-R] [-v] [-h]

DESCRIPTION

       scan6  is  an IPv6 address scanning tool that implements a number of advanced IPv6 address
       scanning techniques. It is part of the SI6 Networks' IPv6 Toolkit: a  security  assessment
       suite for the IPv6 protocols.

       HOST SCANNING TECHNIQUES

       scan6  employs  a  number  of  techniques  to  discover  active  IPv6 nodes. The following
       subsections discuss the different techniques employed for each type of IPv6 scan.

       Local scans

       For local scans, scan6 operates (roughly) as follows:

           + The tool learns the local prefixes used for auto-configuration,
             and generates one address for each local prefix (in addition to
             a link-local address)

           + An ICMPv6 Echo Request message destined to the all-nodes on-link
             multicast address (ff02::1) is sent with each of the addresses
             "configured" in the previous step. Probe packets are sent with
             different Source Addresses, such that they elicit responses from
             different addresses (as a result of the default IPv6 Source
             Address selection policy). Hence. all (or most) addresses of
             each node can be discovered.

           + The same procedure of the previous bullet is performed, but
             this time with ICMPv6 packets that contain an unrecognized
             option of type 10xxxxxx, such that ICMPv6 Parameter Problem
             error messages are elicited. This allows the tool to discover
             e.g. Windows nodes, which otherwise do not respond to multicasted
             ICMPv6 Echo Request messages.

           + Each time a new "alive" address is discovered, the corresponding
             Interface-ID is combined with all the local prefixes, and the
             resulting addresses are probed (with unicasted packets). This
             can help to discover all the SLAAC-derived and the "private
             addresses", since some responses might contain e.g. Modified
             EUI-64 Format Identifiers, which are likely used with all the
             available prefixes.

           + Finally, the tool removes any duplicate addresses, such that each
             unique address is informed to the user only once.

       The aforementioned scheme can fail to discover some addresses for some implementation. For
       example,  Mac  OS  X  employs IPv6 addresses embedding IEEE-identifiers when responding to
       packets destined to a link-local multicast address  (and  hence  the  temporary  addresses
       could not be learned).

       Remote scans

       scan6  employs  a  number  of  bran-new  techniques for performing address scans of remote
       networks. Namely, it tries to mitigate a number of patterns in IPv6 addresses,  such  that
       the  (theoretical)  search  space  of  2**64  addresses is dramatically reduced. scan6 can
       leverage the following address patterns:

           + SLAAC addresses of specific vendors: Addresses that embedd the MAC
             address of the corresponding network interface card.

           + virtual host addresses: Most virtualization technologies select
             their MAC addresses from specific IEEE OUIs (e.g., VirtualBox
             employs the OUI 00:50:56)

           + "low-byte" addresses: in which only the lowest order (or the two
             lowest order) word of the IID contains a small integer (with the
             rest of the words being set to zero)

           + "port-based" addresses: in which one of the two low order 16 bit
             16-bit words of the IID encodes de service port number of the
             main service being hosted on the targer node.

           + IPv4-based addresses: in which the IID encodes the IPv4-address
             of the network interface (as in 2001:db8::192.168.1.1 or
             2001:db8::192:168:1:1)

       A   thorough   discussion   of   these    address    patterns    can    be    found    in:
       <http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning>.

       HOST TRACKING

       scan6  can  be  employed to track IPv6 nodes across networks. Since IPv6 StateLess Address
       Auto-Configuration (SLAAC) typically  results  in  globally-unique  Interface  Identifiers
       (IIDs) that are constant across networks, such identifiers can be leveraged to track nodes
       across a range of "known" networks, by periodically probing the IPv6 address  composed  of
       the IPv6 prefix of the target network, and the (known) Interface ID of the target node.

       For host-tracking purposes, the target networks can be specified with the '-d' and/or '-m'
       options, while the target Interface IDs can be specified with the  '-w'  and/or  the  '-W'
       options (see the documentation of each option for further information).

       Since  for tracking purposes one will continually track the user across networks, the '-l'
       option will typically be set. Additionally, the '-z' option may be  used  to  specify  the
       number  of  seconds  to  sleep  between  iterations (i.e. each round of probes send to the
       specified targets). The value specified by the '-z' option represents a trade-off  between
       time-liness of the tracking and bandwidth-consumption.

       IPv6         host-tracking         is         discussed         in        detail        in
       <http://tools.ietf.org/html/draft-ietf-6man-ipv6-address-generation-privacy>.

OPTIONS

       scan6 takes its parameters as command-line options. Each of the options can  be  specified
       with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
       a long name (a string preceded with two hyphen characters, as e.g. "--interface").

       -i interface, --interface interface

              This option specifies the network interface to be used by the scan6  tool,  and  is
              mandatory when performing local address scans (-L option).

       -s SRC_ADDR, --src-address SRC_ADDR

              This  option specifies the IPv6 Source Address to be used for the Source Address of
              the probe packets. If a  prefix  is  specified,  the  Source  Address  is  randomly
              selected from that prefix.

              If  this  option  is  left  unspecified, the addresses currently configured for the
              specified network interface card are used.

       -d DST_ADDRESS, --dst-address DST_ADDRESS

              This option specifies the target address prefix/range of the address scan. An  IPv6
              prefix  can  be specified in the form 2001:db8::/64, or as 2001:db8:a-b:1-10 (where
              specific address ranges are specified for the two low  order  16-bit  words).  This
              option must be specified for remote address scanning attacks.

       -S SRC_LINK_ADDR, --link-src-address SRC_LINK_ADDR

              This   option  specifies  the  link-layer  Source  Address  of  the  probe  packets
              (currently, only Ethernet is supported). If left unspecified, the  real  link-layer
              address of the interface is used.

              Note:  Some systems may discard packets when the link-layer address is forged. That
              is, even when the relevant function calls (and hence the  scan6  tool  itself)  may
              return  "success",  packets may be discarded and not actually sent on the specified
              network link. In such scenarios, the real Ethernet address  should  be  used.  This
              type of behaviour has been found in some Linux systems.

       -p PROBE_TYPE, --probe-type PROBE_TYPE

              This option specifies the probe packets to be used for address scanning. For local-
              network address scans, possible arguments are: "echo" (for  ICMPv6  Echo  Request),
              "unrec"  (for  IPv6  packets  with unrecognized IPv6 options of type 10xxxxxx), and
              "all" (for using both ICMPv6 Echo Requests probes and unrecognized options of  type
              10xxxxxx). If left unspecified, this option defaults to "all".

              For remote-network scans, this option defaults to "echo" (if left unspecified).

       -P PAYLOAD_SIZE, --payload-size PAYLOAD_SIZE

              This  option  specifies  the payload size of the probe packet. It defaults to 0 for
              TCP (i.e., empty TCP segments), and to 56 for ICMPv6.

       -o SRC_PORT, --src-port SRC_PORT

              This option specifies the TCP/UDP Source Port. If left unspecified, the Source Port
              is randomized from the range 1024-65535.

       -a DST_PORT, --dst-port DST_PORT

              This  option  specifies  the  TCP/UDP  Destination  Port.  If left unspecified, the
              Destination Port is randomized from the range 1-1024.

       -X TCP_FLAGS, --tcp-flags TCP_FLAGS

              This option is used to set specific the TCP flags. The flags are specified  as  "F"
              (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK), "U" (URG), "X" (no flags).

              If this option is left unspecified, the ACK bit is set on all probe packets.

       -P ADDR_TYPE, --print-type ADDR_TYPE

              This  option  specifies the address types to be printed/informed by the scan6 tool.
              The possible  arguments  are:  "local"  (link-local  addresses),  "global"  (global
              addresses),  and  "all"  (print  both  link-local  and  global-addresses).  If left
              unspecified, this option defaults to  "all"  (print  both  link-local  and  global-
              addresses).

       -q, --print-unique

              This  option  specifies  that for each address scope (local and/or global) only one
              IPv6 address per Ethernet address should be printed. This option can be useful when
              interest  is in identifying unique systems (e.g. for counting the number of systems
              connected to the local network), rather than the number of configured addresses  on
              the local network.

              Note:  In  the  case of systems that implement "Privacy Extensions for SLAAC" (IETF
              RFC 4941), more than one global unicast address will  typically  be  found  by  the
              scan6 tool.

       -e, --print-link-addr

              This  option  specifies  that the link-layer addresses should be printed along with
              the IPv6 addresses, with the format "IPV6ADDRESS @ LINKADDRESS".

       -t, --print-timestamp

              This option specifies that a timestamp should be printed after the IPv6 address  of
              each alive node.

       -x NO_RETRANS, --retrans NO_RETRANS

              This  option  specifies  the  number of times probe packets should be retransmitted
              when  no  response  is  received.  Note:  If  left  unspecified,  the   number   of
              retransmission defaults to 0 (i.e., no retransmissions).

              Note:  this  option  might  be  useful when packets must traverse unreliable and/or
              congested network links.

       -o TIMEOUT, --timeout TIMEOUT

              This option specifies the amount of time that the tool should wait for responses to
              probe packets. If left unspecified, the timeout value defaults to 1 second.

              Note: this option might be useful when scanning hosts on long-delay links.

       -L, --local

              This  option  specifies that host scanning should be performed on the local subnet.
              The type of probe packets to be used can be specified with the "-p" option.

       -R, --rand-link-src-addr

              This option specifies that the Ethernet Source Address should be randomized.

       -V VM_TYPE, --tgt-virtual-machines VM_TYPE

              This option specifies that the target is virtual machines.  Possible  options  are:
              'vbox'  (VirtualBox),  'vmware'  (vmware),  and 'all' (both VirtualBox and vmware).
              When this option is specified, scan6 can narrow dow the search space  by  targeting
              only  those IEEE OUIs employed by the aforementioned virtualization software. Note:
              For vmware, the search space can be further reduced if the '--ipv4-host' option  is
              specified.

       -b, --tgt-low-byte

              This option specifies that the target is IPv6 nodes employing "low-byte" addresses.
              Low byte addresses are generated by concatenating the IPv6 prefix specified by  the
              "-d" option with an Interface I-D of the form "0:0:0-100:0-1500".

       -B IPV4_ENCODING, --tgt-ipv4 IPV4_ENCODING

              This option specifies that the target is IPv6 addresses that embed an IPv4 address.
              Possible encondings are "ipv4-32" (where the IPv4 address is embedded in  the  low-
              order  32  bits of the IPv6 address), "ipv4-64" (where the IPv4 address is embedded
              in the low-order 64 bits of the IPv6 address), and "ipv4-all" (which is  equivalent
              to  setting both the "ipv4-32" and "ipv4-64" encodings). When this option is set, a
              prefix should be specified with the '--ipv4-host'  option,  such  that  the  search
              space is reduced.

              Note:  When an IPv4 address is encoded in 64 bits, each byte of the IPv4 address is
              firstly converted to a number that  has  the  same  representation  in  hexadecimal
              (e.g.,  100  would be converted to 256, since the hexadecimal representation of 256
              is 0x100) before that byte is embedded in a 16-bit  word.  For  example,  the  IPv4
              address  192.168.0.1  would  result, when combined with the prefix 2001:db8::/32 in
              the IPv6 address 2001:db8::192:168:0:1 (note that while each byte of  the  original
              IPv4  address  has  the same representation within the IPv6 address, each value now
              stands for an hexadecimal number).

       -g, --tgt-port

              This option specifies that the target is IPv6 addresses that  embed  service  ports
              (such  as  2001:db8::25,  2001:db8::80,  etc.).  When  this option is set addresses
              containing these ports will be probed:

                    21 (ftp)
                    22 (ssh)
                    23 (telnet)
                    25 (smtp)
                    49 (tacacs)
                    53 (dns)
                    80 (www)
                   110 (pop3)
                   123 (ntp)
                   179 (bgp)
                   220 (imap3)
                   389 (ldap)
                   443 (https)
                   547 (dhcpv6-server)
                   993 (imaps)
                   995 (pop3s)
                  1194 (openvpn)
                  3306 (mysql)
                  5060 (sip)
                  5061 (sip-tls)
                  5432 (postgresql)
                  6446 (mysql-proxy)
                  8080 (http-alt)

             Note: The target IPv6 addresses are generated by concatenating
             the service port to an IPv6 prefix/range specified by means of
             the "-d" option. For each service port, four target address
             ranges will be generated:

                * PREFIX::0-5:HEX_PORT,
                * PREFIX::HEX_PORT:0-5,
                * PREFIX::0-5:DEC_PORT, and,
                * PREFIX::DEC_PORT:0-5

             That is, IPv6 address ranges will be generated with both the
             service port in hexadecimal notation, and the service port in
             decimal notation, since both types of addresses have been found
             in the wild.

       -k IEEE_OUI, --tgt-ieee-oui IEEE_OUI

              This option is used to specify an IEEE OUI, such that the target  of  the  scan  is
              SLAAC addresses that employ the aforementioned IEEE OUI.

       -K VENDOR, --tgt-vendor VENDOR

              This  option  allows  the user to specify a vendor name. scan6 will look-up all the
              correspoinding IEEE OUIs for such vendor, and then scan for  SLAAC  addresses  that
              employ the aforementioned IEEE OUIs.

       -m PREFIXES_FILE, --prefixes-file PREFIXES_FILE

              This option specifies the name of a file containing a list of IPv6 addresses and/or
              IPv6 prefixes, one per line, in the same format as that used with the '-d'  option.
              Note:  The  file  can  contain  comments if they are preceded with the numeral sign
              ('#'), as in:

                      IPv6_address/len      # comment
                      # comment
                      IPv6_address

       -w IIDS_FILE, --tgt-iids-file IIDS_FILE

              This option specifies the name of a file containing one IPv6 address per line.  The
              Interface  ID  of  each of those IPv6 addresses will be employed, together with the
              network prefix specified with the '-d' option, to construct the IPv6  addresses  to
              be  probed. Since auto-configured addresses typically employ Interface IDs that are
              constant across networks, this option can leverage known IIDs to track  such  nodes
              across                    networks.                    Please                   see
              <http://tools.ietf.org/html/draft-ietf-6man-ipv6-address-generation-privacy>    for
              further  details. Note: The file can contain comments if they are preceded with the
              numeral sign ('#'), as in:

                      IPv6_address      # comment

       -W IID, --tgt-iid IID

              This option specifies an IPv6 Interface Identifier (IID), with the same  syntax  as
              that  of  an  IPv6  address  (only  the lowest-order 64 bits of the address will be
              employed). The specified Interface ID will  be  employed,  together  with  the  any
              network  prefixes  specified  with  the  '-d'  option (or with the '-m' option), to
              construct  the  IPv6  addresses  to  be  probed.  Since  auto-configured  addresses
              typically  employ  Interface IDs that are constant across networks, this option can
              leverage  known  IIDs  to  track   such   nodes   across   networks.   Please   see
              <http://tools.ietf.org/html/draft-ietf-6man-ipv6-address-generation-privacy>    for
              further details. Note: The file can contain comments if they are preceded with  the
              numeral sign ('#'), as in:

                      IPv6_address      # comment

       -T, --sort-ouis

              This  option,  when  used  in conjunction with the "--tgt-vendor" option, tells the
              scan6 tool to "sort" the IEEE OUIs corresponding to  a  vendor.  Namely,  OUIs  are
              employed  in  descending  order,  with the largest OUI used last (together with the
              smallest OUI). The rationale for this  option  is  that  when  a  vendor  has  been
              assigned  multiple  OUIs,  chances are that the smaller (and "oldest") OUI was used
              for devices that have already been put "out of service",  while  the  largest  (and
              "newest") OUI has probably not yet been used for deployed devices.

       -Q PREFIX/LEN, --ipv4-host PREFIX/LEN

              This option allows the user to specify an IPv4 prefix. The aforementioned prefix is
              employed with the "--tgt-virtual-machines" and/or "--tgc-ipv4-embeded"  options  to
              reduce the search space.

       -I INC_SIZE, --inc-size INC_SIZE

              This  option is used to specify the increment size for the lowest-order 16-bit word
              of an IPv6 address when an IPv6 address range is to  be  scanned.  This  option  is
              particularly  useful  if the target network is assumed to contain a large number of
              nodes with consecutive addresses (maybe because the target network employs  DHCPv6,
              or  because  the  target  network  contains a large number of devices from the same
              manufacturer, thus employing consecutive MAC/SLAAC addresses). The  increment  size
              should be that of the assumed size of the "cluster" of nodes.

       -r RATE, --rate-limit RATE

              This  option specifies the rate limit to use when performing a remote address scan.
              "RATE" should be specified  as  "Xbps"  or  "Xpps"  (with  "X"  being  an  unsigned
              integer), for rate-limits in bits per second or packets per second, respectively.

              In  general,  the address scan should be rate-limited to about 80% (eighty percent)
              of the upstram bandwidth, such that probe packets are  not  lost  as  a  result  of
              network congestion.

              Note:  If  left  unspecified,  the  scan6 will rate-limit the probe packets to 1000
              packets per second (pps).

       -l, --loop

              This option specifies that the tool should periodically loop through the  specified
              targets.  It  is mostly useful to e.g. when a node disconnects from the network, or
              for host-tracking purposes.

       -z SECONDS, --sleep SECONDS

              This option specifies the amount of time (in seconds) that the  tool  should  sleep
              in-between  iterations  over  the specified targets. It is only meaningful when the
              '-l' option is set.

       -c CONFIG_FILE, --config-file CONFIG_FILE

              This option  is  used  to  specify  an  alternative  configuration  file.  If  left
              unspecified, the tool will employ '/etc/ipv6toolkit.conf'.

       -v, --verbose

              This  option  selects  the  "verbosity"  of  the  tool.  If  this  option  is  left
              unspecified, only minimum information is printed.  If  this  option  is  set  once,
              additional  information  is  printed  (e.g., the tool indicates which addresses are
              "link-local" and which addresses are  "global").  If  this  option  is  set  twice,
              detailed  information  will be printed in the case the tool finds any problems when
              performing host scanning.

       -h, --help

              Print help information for the scan6 tool.

EXAMPLES

       The following sections illustrate typical use cases of the scan6 tool.

       Example #1

       # scan6 -i eth0 -L -e -v

       Perform host scanning on the local network ("-L"  option)  using  interface  "eth0"  ("-i"
       option).  Use  both  ICMPv6  echo  requests and unrecognized IPv6 options of type 10xxxxxx
       (default). Print link-link layer addresses along with IPv6  addresses  ("-e"  option).  Be
       verbose ("-v" option).

       Example #2

       # scan6 -d 2001:db8::/64 --tgt-virtual-machines all --ipv4-host 10.10.10.0/24

       Scan  for  virtual  machines (both VirtualBox and vmware) in the prefix 2001:db8::/64. The
       additional information about the IPv4 prefix employed by the host system is  leveraged  to
       reduce the search space.

       Example #3

       # scan6 -d 2001:db8::/64 --tgt-ipv4-embedded ipv4-32 --ipv4-host 10.10.10.0/24

       Scan  for  IPv6  addresses  of  the  network  2001:db8::/64  that  embed  the  IPv4 prefix
       10.10.10.0/24 (with the 32-bit encoding).

       Example #4

       # scan6 -d 2001:db8:0-500:0-1000

       Scan for IPv6 addresses of the network 2001:db8::/64, varying the two lowest order  16-bit
       words of the addresses in the range 0-500 and 0-1000, respectively.

       Example #5

       # scan6 -d fc00::/64 --tgt-vendor 'Dell Inc' -p tcp

       Scan  for  network  devices manufactured by 'Dell Inc' in the target prefix fc00::/64. The
       tool will employ TCP segments as the probe packets (rather than the  default  ICMPv6  echo
       requests).

       Example #6

       # scan6 -i eth0 -L -S 66:55:44:33:22:11 -p unrec -P global -v

       Use the "eth0" interface ("-i" option) to perform host-scanning on the local network ("-L"
       option). The Ethernet Source Address is set  to  "66:55:44:33:22:11"  ("-S"  option).  The
       probe  packets  will  be  IPv6  packets  with  unrecognized options of type 10xxxxxx ("-p"
       option). The tool will only print IPv6 global addresses ("-P" option). The  tool  will  be
       verbose.

       Example #7

       # scan6 -d 2001:db8::/64 -w KNOWN_IIDS

       Perform  an  address scan of a set of known hosts listed in the file KNOWN_IIDS, at remote
       network 2001:db8::/64. The target addresses are obtaining  by  concatenating  the  network
       prefix  2001:db8::/64  with  the  interface  IDs of each of the addresses fund in the file
       KNOWN_IIDS.

       Example #8

       # scan6 -i eth0 -L -P global --print-unique -e

       Use the "eth0" interface ("-i" option) to perform host-scanning on the local network ("-L"
       option).  Print  only global unicast addresses ("-P" option), and at most one IPv6 address
       per Ethernet address ("--print-unique" option). Ethernet addresses will be  printed  along
       with the corresponiding IPv6 address ("-e" option).

       Example #9

       # scan6 -m knownprefixes.txt -w knowniids.txt -l -z 60 -t -v

       Build the list of targets from the IPv6 prefixes contained in the file 'knownprefixes.txt'
       and the Interface IDs (IIDs) contained in  the  file  'knowniids.txt'.  Poll  the  targets
       periodically ("-l" option), and sleep 60 seconds after each iteration ("-z" option). Print
       a timestamp along the IPv6 address of each alive node  ("-t"  option).  Be  verbose  ("-v"
       option).

SEE ALSO

       ipv6toolkit.conf(5)

       draft-ietf-opsec-ipv6-host-scanning                     (available                     at:
       <http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning>) for a discussion of  the
       IPv6 host-tracking technique implemented by scan6 , and a proposal on how to mitigate such
       attacks.

       RFC 7217 (available at: <http://www.rfc-editor.org/rfc/rfc7217.txt>) for a  discussion  of
       the potential Denial of Service (DoS) when scanning remote networks.  > ) for a discussion
       of the scanning techniques implemented by scan6 , and a discussion of a number of  aspects
       that should be taken into account when performing address scanning of remote networks.

       RFC  6583  (available  at <http://www.rfc-editor.org/rfc/rfc6583.txt>) for a discussion of
       the potential Denial of Service (DoS) when scanning remote networks.

AUTHOR

       The scan6 tool  and  the  corresponding  manual  pages  were  produced  by  Fernando  Gont
       <fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.

COPYRIGHT

       Copyright (c) 2011-2013 Fernando Gont.

       Permission  is  granted to copy, distribute and/or modify this document under the terms of
       the GNU Free Documentation License, Version 1.3 or any later version published by the Free
       Software  Foundation;  with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts.  A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.

                                                                                         SCAN6(1)