Provided by: ipv6toolkit_1.5.1-1_amd64 
      
    
NAME
       scan6 - An IPv6 host scanner
SYNOPSIS
       scan6  [-i  INTERFACE]  [-s  SRC_ADDR[/LEN]]  [-d  DST_ADDR[/LEN  | -L]  [-r] [-S LINK_SRC_ADDR | -R] [-p
       PROBE_TYPE] [-P PAYLOAD_SIZE] [-o SRC_PORT] [-a DST_PORT]  [-X  TCP_FLAGS]  [-P  ADDRESS_TYPE]  [-e]  [-x
       RETRANS]  [-o  TIMEOUT] [-V VM_TYPE] [-b] [-B IPV4_ENCODING] [-k IEEE_OUI] [-K VENDOR] [-m PREFIXES_FILE]
       [-w IIDS_FILE] [-W IID] [-T] [-Q PREFIX/LEN] [-I INC_SIZE] [-c CONFIG_FILE] [-r] [-l] [-z  SECONDS]  [-R]
       [-v] [-h]
DESCRIPTION
       scan6 is an IPv6 address scanning tool that implements a number of advanced IPv6 address scanning
       techniques. It is part of the SI6 Networks' IPv6 Toolkit v1.3.4: a security assessment suite for the IPv6
       protocols.
       HOST SCANNING TECHNIQUES
       scan6 employs a number of techniques to discover active IPv6 nodes. The following subsections discuss the
       different techniques employed for each type of IPv6 scan.
       Local scans
       For local scans, scan6 operates (roughly) as follows:
           + The tool learns the local prefixes used for auto-configuration,
             and generates one address for each local prefix (in addition to
             a link-local address)
           + An ICMPv6 Echo Request message destined to the all-nodes on-link
             multicast address (ff02::1) is sent with each of the addresses
             "configured" in the previous step. Probe packets are sent with
             different Source Addresses, such that they elicit responses from
             different addresses (as a result of the default IPv6 Source
             Address selection policy). Hence, all (or most) addresses of
             each node can be discovered.
           + The same procedure of the previous bullet is performed, but
             this time with ICMPv6 packets that contain an unrecognized
             option of type 10xxxxxx, such that ICMPv6 Parameter Problem
             error messages are elicited. This allows the tool to discover
             e.g. Windows nodes, which otherwise do not respond to multicasted
             ICMPv6 Echo Request messages.
           + Each time a new "alive" address is discovered, the corresponding
             Interface-ID is combined with all the local prefixes, and the
             resulting addresses are probed (with unicasted packets). This
             can help to discover all the SLAAC-derived and the "private
             addresses", since some responses might contain e.g. Modified
             EUI-64 Format Identifiers, which are likely used with all the
             available prefixes.
           + Finally, the tool removes any duplicate addresses, such that each
             unique address is informed to the user only once.
       The aforementioned scheme can fail to discover some addresses for some implementations. For example, MacOS
       X employs IPv6 addresses embedding IEEE identifiers when responding to packets destined to a link-local
       multicast address (and hence the temporary addresses cannot be learned).
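       As an added example (not part of the toolkit; the packets are constructed here, not captured), a Python
       parser that recognises the two local-scan probe types described above on the wire, which is the check a
       network defender would run over mirrored link-local traffic to spot a multicast sweep of the segment:

```python
import struct
from ipaddress import IPv6Address
from typing import List, Optional

ALL_NODES = IPv6Address("ff02::1")      # all-nodes link-local multicast
HOP_BY_HOP, DEST_OPTS, ICMPV6 = 0, 60, 58
ICMPV6_ECHO_REQUEST = 128

def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed IPv6 header, then walk any Hop-by-Hop / Destination
    Options headers, collecting the option types they carry."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    src, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
    off, option_types = 40, []
    while next_hdr in (HOP_BY_HOP, DEST_OPTS):
        ext_len = (pkt[off + 1] + 1) * 8            # Hdr Ext Len excludes the first 8 bytes
        opts, i = pkt[off + 2:off + ext_len], 0
        while i < len(opts):
            if opts[i] == 0:                        # Pad1 option: one byte, no length field
                i += 1
                continue
            option_types.append(opts[i])
            i += 2 + opts[i + 1]                    # type, length, data
        next_hdr, off = pkt[off], off + ext_len
    info = {"src": src, "dst": dst, "next_hdr": next_hdr, "options": option_types}
    if next_hdr == ICMPV6 and len(pkt) >= off + 4:
        info["icmp_type"] = pkt[off]
    return info

def classify_probe(pkt: bytes) -> Optional[str]:
    """Label a packet that matches one of the two local-scan probes described
    above; both are addressed to ff02::1. Returns None for anything else."""
    p = parse_ipv6(pkt)
    if p["dst"] != ALL_NODES:
        return None
    # Option type bits 10xxxxxx: the receiver must discard the packet and send an
    # ICMPv6 Parameter Problem even though the destination is multicast.
    if any(t & 0xC0 == 0x80 for t in p["options"]):
        return "unrecognized-option-probe"
    if p.get("icmp_type") == ICMPV6_ECHO_REQUEST:
        return "multicast-echo-probe"
    return None

def build_ipv6(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv6 packet (constructed test input, checksum unset)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload

# Constructed sample packets (not real captures).
ECHO = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 0x1234, 1)
# Destination Options header: next header ICMPv6, ext len 0 (8 bytes total),
# one option of type 0x80 (binary 10000000) carrying 4 bytes of data.
UNREC_OPTS = bytes([ICMPV6, 0, 0x80, 4, 0, 0, 0, 0])
ECHO_PROBE = build_ipv6("fe80::1", "ff02::1", ICMPV6, ECHO)
UNREC_PROBE = build_ipv6("fe80::1", "ff02::1", DEST_OPTS, UNREC_OPTS + ECHO)
UNICAST_ECHO = build_ipv6("fe80::1", "fe80::2", ICMPV6, ECHO)

def scan_alerts(packets: List[bytes]) -> List[str]:
    """Run the classifier over a batch and return one alert line per probe."""
    alerts = []
    for pkt in packets:
        label = classify_probe(pkt)
        if label:
            alerts.append("%s from %s" % (label, parse_ipv6(pkt)["src"]))
    return alerts

if __name__ == "__main__":
    for line in scan_alerts([ECHO_PROBE, UNREC_PROBE, UNICAST_ECHO]):
        print(line)
```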
       Remote scans
       scan6 employs a number of brand-new techniques for performing address scans of remote networks. Namely, it
       leverages a number of patterns in IPv6 addresses, such that the (theoretical) search space of
       2**64 addresses is dramatically reduced. scan6 can leverage the following address patterns:
           + SLAAC addresses of specific vendors: Addresses that embed the MAC
             address of the corresponding network interface card.
           + virtual host addresses: Most virtualization technologies select
             their MAC addresses from specific IEEE OUIs (e.g., VirtualBox
             employs the OUI 00:50:56)
           + "low-byte" addresses: in which only the lowest order (or the two
             lowest order) word of the IID contains a small integer (with the
             rest of the words being set to zero)
           + IPv4-based addresses: in which the IID encodes the IPv4-address
             of the network interface (as in 2001:db8::192.168.1.1 or
             2001:db8::192:168:1:1)
       A thorough discussion of these address patterns can be found in:
       <http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning>.
       HOST TRACKING
       scan6 can be employed to track IPv6 nodes across networks. Since IPv6 Stateless Address
       Autoconfiguration (SLAAC) typically results in globally-unique Interface Identifiers (IIDs) that are
       constant across networks, such identifiers can be leveraged to track nodes across a range of "known"
       networks, by periodically probing the IPv6 address composed of the IPv6 prefix of the target network, and
       the (known) Interface ID of the target node.
       For host-tracking purposes, the target networks can be specified with the '-d' and/or '-m' options, while
       the target Interface IDs can be specified with the '-w' and/or the '-W' options (see the documentation of
       each option for further information).
       Since for tracking purposes one will continually track the user across networks, the '-l' option will
       typically be set. Additionally, the '-z' option may be used to specify the number of seconds to sleep
       between iterations (i.e. each round of probes sent to the specified targets). The value specified by the
       '-z' option represents a trade-off between timeliness of the tracking and bandwidth consumption.
       IPv6 host-tracking is discussed in detail in Appendix A of
       <http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses>.
OPTIONS
       scan6 takes its parameters as command-line options. Each of the options can be  specified  with  a  short
       name  (one  character  preceded  with  the  hyphen character, as e.g. "-i") or with a long name (a string
       preceded with two hyphen characters, as e.g. "--interface").
       -i interface, --interface interface
              This option specifies the network interface to be used by the scan6 tool, and  is  mandatory  when
              performing local address scans (-L option).
       -s SRC_ADDR, --src-address SRC_ADDR
              This  option  specifies  the  IPv6  Source  Address to be used for the Source Address of the probe
              packets. If a prefix is specified, the Source Address is randomly selected from that prefix.
              If this option is left unspecified, the addresses currently configured for the  specified  network
              interface card are used.
       -d DST_ADDRESS, --dst-address DST_ADDRESS
              This  option  specifies the target address prefix/range of the address scan. An IPv6 prefix can be
              specified in the form 2001:db8::/64, or as 2001:db8:a-b:1-10 (where specific  address  ranges  are
              specified  for  the  two low order 16-bit words). This option must be specified for remote address
              scanning attacks.
       -S SRC_LINK_ADDR, --link-src-address SRC_LINK_ADDR
              This option specifies the link-layer Source Address of the probe packets (currently, only Ethernet
              is supported). If left unspecified, the real link-layer address of the interface is used.
              Note: Some systems may discard packets when the link-layer address is forged. That is,  even  when
              the relevant function calls (and hence the scan6 tool itself) may return "success", packets may be
              discarded  and  not  actually  sent  on  the  specified  network link. In such scenarios, the real
              Ethernet address should be used. This type of behaviour has been found in some Linux systems.
       -p PROBE_TYPE, --probe-type PROBE_TYPE
              This option specifies the probe packets to be used for address scanning. For local-network address
              scans, possible arguments are: "echo" (for ICMPv6 Echo Request), "unrec" (for  IPv6  packets  with
              unrecognized IPv6 options of type 10xxxxxx), and "all" (for using both ICMPv6 Echo Requests probes
              and unrecognized options of type 10xxxxxx). If left unspecified, this option defaults to "all".
              For remote-network address scans, possible arguments are: "echo" (for ICMPv6 Echo Request),
              "unrec" (for IPv6 packets with unrecognized IPv6 options of type 10xxxxxx), and "tcp" (for using
              TCP segments). For remote-network scans, this option defaults to "echo" (if left unspecified).
              Note:  For  local-network  address scans, using unrecognized IPv6 options of type 10xxxxxx enables
              the discovery of Windows Vista and Windows 7 systems, which otherwise do  not  respond  to  ICMPv6
              Echo Requests sent to multicast addresses.
       -P PAYLOAD_SIZE, --payload-size PAYLOAD_SIZE
              This  option specifies the payload size of the probe packet. It defaults to 0 for TCP (i.e., empty
              TCP segments), and to 56 for ICMPv6.
       -o SRC_PORT, --src-port SRC_PORT
              This option specifies the TCP/UDP Source Port. If left unspecified, the Source Port is  randomized
              from the range 1024-65535.
       -a DST_PORT, --dst-port DST_PORT
              This  option  specifies the TCP/UDP Destination Port. If left unspecified, the Destination Port is
              randomized from the range 1-1024.
       -X TCP_FLAGS, --tcp-flags TCP_FLAGS
              This option is used to set specific TCP flags. The flags are specified as "F" (FIN), "S"
              (SYN), "R" (RST), "P" (PSH), "A" (ACK), "U" (URG), "X" (no flags).
              If this option is left unspecified, the ACK bit is set on all probe packets.
       -P ADDR_TYPE, --print-type ADDR_TYPE
              This  option  specifies  the  address types to be printed/informed by the scan6 tool. The possible
              arguments are: "local" (link-local addresses), "global" (global addresses), and "all" (print  both
              link-local  and  global-addresses). If left unspecified, this option defaults to "all" (print both
              link-local and global-addresses).
       -q, --print-unique
              This option specifies that for each address scope (local and/or global) only one IPv6 address  per
              Ethernet  address  should  be  printed.  This option can be useful when interest is in identifying
              unique systems (e.g. for counting the number of systems connected to the  local  network),  rather
              than the number of configured addresses on the local network.
              Note:  In  the case of systems that implement "Privacy Extensions for SLAAC" (IETF RFC 4941), more
              than one global unicast address will typically be found by the scan6 tool.
       -e, --print-link-addr
              This option specifies that the  link-layer  addresses  should  be  printed  along  with  the  IPv6
              addresses, with the format "IPV6ADDRESS @ LINKADDRESS".
       -t, --print-timestamp
              This  option  specifies  that  a  timestamp should be printed after the IPv6 address of each alive
              node.
       -x NO_RETRANS, --retrans NO_RETRANS
              This option specifies the number of times probe packets should be retransmitted when no response
              is received. Note: If left unspecified, the number of retransmissions defaults to 0 (i.e., no
              retransmissions).
              Note: this option might be useful when packets must traverse unreliable and/or  congested  network
              links.
       -o TIMEOUT, --timeout TIMEOUT
              This option specifies the amount of time that the tool should wait for responses to probe packets.
              If left unspecified, the timeout value defaults to 1 second.
              Note: this option might be useful when scanning hosts on long-delay links.
       -L, --local
              This  option  specifies  that  host  scanning should be performed on the local subnet. The type of
              probe packets to be used can be specified with the "-p" option.
       -r, --rand-src-addr
              This option specifies that the IPv6 Source Address should be randomized.
       -R, --rand-link-src-addr
              This option specifies that the Ethernet Source Address should be randomized.
       -V VM_TYPE, --tgt-virtual-machines VM_TYPE
              This option specifies that the target is virtual machines. Possible options are: 'vbox'
              (VirtualBox), 'vmware' (vmware), and 'all' (both VirtualBox and vmware). When this option is
              specified, scan6 can narrow down the search space by targeting only those IEEE OUIs employed by the
              aforementioned virtualization software. Note: For vmware, the search space can be further reduced
              if the '--ipv4-host' option is specified.
       -b, --tgt-low-byte
              This option specifies that the target is IPv6 nodes employing "low-byte" addresses. Low-byte
              addresses are generated by concatenating the IPv6 prefix specified by the "-d" option with an
              Interface ID of the form "0:0:0-100:0-1500".
       -B IPV4_ENCODING, --tgt-ipv4 IPV4_ENCODING
              This option specifies that the target is IPv6 addresses that embed an IPv4 address. Possible
              encodings are "ipv4-32" (where the IPv4 address is embedded in the low-order 32 bits of the IPv6
              address), "ipv4-64" (where the IPv4 address is embedded in the low-order 64 bits of the IPv6
              address), and "ipv4-all" (which is equivalent to setting both the "ipv4-32" and "ipv4-64"
              encodings). When this option is set, a prefix should be specified with the '--ipv4-host' option,
              such that the search space is reduced.
              Note: When an IPv4 address is encoded in 64 bits, each byte of the IPv4 address is first
              converted to a number that has the same representation in hexadecimal (e.g., 100 would be
              converted to 256, since the hexadecimal representation of 256 is 0x100) before that byte is
              embedded in a 16-bit word. For example, the IPv4 address 192.168.0.1 would result, when combined
              with the prefix 2001:db8::/32, in the IPv6 address 2001:db8::192:168:0:1 (note that while each byte
              of the original IPv4 address has the same representation within the IPv6 address, each value now
              stands for a hexadecimal number).
       -g, --tgt-port
              This  option  specifies  that  the  target  is  IPv6  addresses  that embed service ports (such as
              2001:db8::25, 2001:db8::80, etc.). When this option is set addresses containing these  ports  will
              be probed:
                    21 (ftp)
                    22 (ssh)
                    23 (telnet)
                    25 (smtp)
                    49 (tacacs)
                    53 (dns)
                    80 (www)
                   110 (pop3)
                   123 (ntp)
                   179 (bgp)
                   220 (imap3)
                   389 (ldap)
                   443 (https)
                   547 (dhcpv6-server)
                   993 (imaps)
                   995 (pop3s)
                  1194 (openvpn)
                  3306 (mysql)
                  5060 (sip)
                  5061 (sip-tls)
                  5432 (postgresql)
                  6446 (mysql-proxy)
                  8080 (http-alt)
             Note: The target IPv6 addresses are generated by concatenating
             the service port to an IPv6 prefix/range specified by means of
             the "-d" option. For each service port, four target address
             ranges will be generated:
                * PREFIX::0-5:HEX_PORT,
                * PREFIX::HEX_PORT:0-5,
                * PREFIX::0-5:DEC_PORT, and,
                * PREFIX::DEC_PORT:0-5
             That is, IPv6 address ranges will be generated with both the
             service port in hexadecimal notation, and the service port in
             decimal notation, since both types of addresses have been found
             in the wild.
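              As an added example (not part of the toolkit), a Python audit helper for an operator's own address
              inventory: it builds the addresses the "-B" encodings above would probe for a given IPv4 address, and
              flags addresses that match the low-byte, IPv4-embedded, service-port and SLAAC/EUI-64 patterns from
              the "Remote scans" section and the "-b", "-B" and "-g" options, so the predictable ones can be renumbered.
              The low-byte bounds read the "0:0:0-100:0-1500" range above as hexadecimal, which is an assumption.

```python
from ipaddress import IPv4Address, IPv6Address
from typing import List, Optional

# Service ports that "-g" embeds (the list given in the manual page).
SERVICE_PORTS = {21, 22, 23, 25, 49, 53, 80, 110, 123, 179, 220, 389, 443,
                 547, 993, 995, 1194, 3306, 5060, 5061, 5432, 6446, 8080}

def iid_words(addr: str) -> List[int]:
    """The four 16-bit words of the Interface ID (low-order 64 bits)."""
    n = int(IPv6Address(addr))
    return [(n >> s) & 0xFFFF for s in (48, 32, 16, 0)]

def hex_as_decimal(word: int) -> Optional[int]:
    """Read a word's hex digits as a decimal number (0x192 -> 192), or None
    when it contains a-f and so cannot be a decimal octet."""
    s = "%x" % word
    return int(s) if s.isdigit() else None

def embed_ipv4(prefix: str, ipv4: str, encoding: str) -> str:
    """The address scan6 -B probes for one IPv4 address under a /64 prefix:
    'ipv4-32' puts the raw IPv4 bytes in the low 32 bits, 'ipv4-64' re-reads
    each decimal octet as a hex word (192.168.0.1 -> ::192:168:0:1)."""
    base = int(IPv6Address(prefix.split("/")[0])) & ~((1 << 64) - 1)
    if encoding == "ipv4-32":
        iid = int(IPv4Address(ipv4))
    elif encoding == "ipv4-64":
        iid = 0
        for octet in ipv4.split("."):
            iid = (iid << 16) | int(octet, 16)
    else:
        raise ValueError("unknown encoding: " + encoding)
    return str(IPv6Address(base | iid))

def classify(addr: str) -> List[str]:
    """Label every scan6-enumerable pattern an address matches (empty = none).
    'low-byte' bounds follow the 0:0:0-100:0-1500 range read as hex (an
    assumption); 'ipv4-32' requires a non-zero first octet to cut noise."""
    w = iid_words(addr)
    labels = []
    # Modified EUI-64 (SLAAC): ff:fe in the middle, universal/local bit flipped;
    # the MAC address, and hence the vendor OUI, is recoverable from the IID.
    if w[1] & 0xFF == 0xFF and w[2] >> 8 == 0xFE:
        mac = [(w[0] >> 8) ^ 0x02, w[0] & 0xFF, w[1] >> 8,
               w[2] & 0xFF, w[3] >> 8, w[3] & 0xFF]
        labels.append("slaac-eui64 oui=" + ":".join("%02x" % b for b in mac[:3]))
    if w[0] == 0 and w[1] == 0:
        dec = [hex_as_decimal(w[2]), hex_as_decimal(w[3])]
        if w[2] <= 0x100 and w[3] <= 0x1500:
            labels.append("low-byte")
        # The four "-g" forms: ::0-5:HEX_PORT, ::HEX_PORT:0-5 and the same
        # two with the port written in decimal digits.
        if (w[2] <= 5 and (w[3] in SERVICE_PORTS or dec[1] in SERVICE_PORTS)) or \
           (w[3] <= 5 and (w[2] in SERVICE_PORTS or dec[0] in SERVICE_PORTS)):
            labels.append("service-port")
        if w[2] >> 8:
            labels.append("ipv4-32 %s" % IPv4Address((w[2] << 16) | w[3]))
    dec4 = [hex_as_decimal(x) for x in w]
    if all(d is not None and d <= 255 for d in dec4) and dec4[0]:
        labels.append("ipv4-64 %s" % ".".join(str(d) for d in dec4))
    return labels

def audit(addrs: List[str]) -> dict:
    """Map each address to its pattern labels; empty lists are the good ones."""
    return {a: classify(a) for a in addrs}

if __name__ == "__main__":
    # Constructed sample inventory (documentation prefix, not real hosts).
    sample = ["2001:db8::1", "2001:db8::2:80", "2001:db8::c0a8:1",
              "2001:db8::192:168:0:1", "2001:db8::250:56ff:fe12:3456",
              "2001:db8::1a2b:3c4d:5e6f:7a8b"]
    for a, labels in audit(sample).items():
        print(a, labels or ["no predictable pattern"])
```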
       -k IEEE_OUI, --tgt-ieee-oui IEEE_OUI
              This  option  is  used to specify an IEEE OUI, such that the target of the scan is SLAAC addresses
              that employ the aforementioned IEEE OUI.
       -K VENDOR, --tgt-vendor VENDOR
              This option allows the user to specify a vendor name. scan6 will look up all the corresponding
              IEEE OUIs for such vendor, and then scan for SLAAC addresses that employ the aforementioned IEEE
              OUIs.
       -m PREFIXES_FILE, --prefixes-file PREFIXES_FILE
              This option specifies the name of a file containing a list of IPv6 addresses and/or IPv6 prefixes,
              one per line, in the same format as that used with the '-d' option. Note:  The  file  can  contain
              comments if they are preceded with the numeral sign ('#'), as in:
                      IPv6_address/len      # comment
                      # comment
                      IPv6_address
       -w IIDS_FILE, --tgt-iids-file IIDS_FILE
              This option specifies the name of a file containing one IPv6 address per line. The Interface ID of
              each of those IPv6 addresses will be employed, together with the network prefix specified with the
              '-d'  option,  to  construct  the  IPv6  addresses  to  be probed. Since auto-configured addresses
              typically employ Interface IDs that are constant across networks, this option can  leverage  known
              IIDs to track such nodes across networks. Please see
              <http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses> for further details. Note:
              The file can contain comments if they are preceded with the numeral sign ('#'), as in:
                      IPv6_address      # comment
       -W IID, --tgt-iid IID
              This option specifies an IPv6 Interface Identifier (IID), with the same syntax as that of an IPv6
              address (only the lowest-order 64 bits of the address will be employed). The specified Interface
              ID will be employed, together with any network prefixes specified with the '-d' option (or
              with the '-m' option), to construct the IPv6 addresses to be probed. Since auto-configured
              addresses typically employ Interface IDs that are constant across networks, this option can
              leverage known IIDs to track such nodes across networks. Please see
              <http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses> for further details. Note:
              The file can contain comments if they are preceded with the numeral sign ('#'), as in:
                      IPv6_address      # comment
       -T, --sort-ouis
              This option, when used in conjunction with the "--tgt-vendor" option,  tells  the  scan6  tool  to
              "sort"  the  IEEE  OUIs  corresponding to a vendor. Namely, OUIs are employed in descending order,
              with the largest OUI used last (together with the smallest OUI). The rationale for this option  is
              that  when  a  vendor has been assigned multiple OUIs, chances are that the smaller (and "oldest")
              OUI was used for devices that have already been put "out  of  service",  while  the  largest  (and
              "newest") OUI has probably not yet been used for deployed devices.
       -Q PREFIX/LEN, --ipv4-host PREFIX/LEN
              This option allows the user to specify an IPv4 prefix. The aforementioned prefix is employed with
              the "--tgt-virtual-machines" and/or "--tgt-ipv4-embedded" options to reduce the search space.
       -I INC_SIZE, --inc-size INC_SIZE
              This option is used to specify the increment size for the lowest-order  16-bit  word  of  an  IPv6
              address  when  an  IPv6  address range is to be scanned. This option is particularly useful if the
              target network is assumed to contain a large number of nodes  with  consecutive  addresses  (maybe
              because  the  target network employs DHCPv6, or because the target network contains a large number
              of devices from the same  manufacturer,  thus  employing  consecutive  MAC/SLAAC  addresses).  The
              increment size should be that of the assumed size of the "cluster" of nodes.
       -r RATE, --rate-limit RATE
              This  option  specifies the rate limit to use when performing a remote address scan. "RATE" should
              be specified as "xbps" or "xpps" (with "x" being an unsigned integer), for rate-limits in bits per
              second or packets per second, respectively.
              In general, the address scan should be rate-limited to about 80% (eighty percent) of the upstream
              bandwidth, such that probe packets are not lost as a result of network congestion.
       -l, --loop
              This option specifies that the tool should periodically loop through the specified targets. It is
              mostly useful, e.g., for noticing when a node disconnects from the network, or for host-tracking
              purposes.
       -z SECONDS, --sleep SECONDS
              This option specifies the amount of time (in  seconds)  that  the  tool  should  sleep  in-between
              iterations over the specified targets. It is only meaningful when the '-l' option is set.
       -c CONFIG_FILE, --config-file CONFIG_FILE
              This  option  is  used to specify an alternative configuration file. If left unspecified, the tool
              will employ '/etc/ipv6toolkit.conf'.
       -v, --verbose
              This option selects the "verbosity" of the tool. If this option is left unspecified, only  minimum
              information  is  printed. If this option is set once, additional information is printed (e.g., the
              tool indicates which addresses are "link-local" and which addresses are "global"). If this  option
              is  set  twice,  detailed information will be printed in the case the tool finds any problems when
              performing host scanning.
       -h, --help
              Print help information for the scan6 tool.
EXAMPLES
       The following sections illustrate typical use cases of the scan6 tool.
       Example #1
       # scan6 -i eth0 -L -e -v
       Perform host scanning on the local network ("-L" option) using interface "eth0" ("-i" option). Use both
       ICMPv6 echo requests and unrecognized IPv6 options of type 10xxxxxx (default). Print link-layer
       addresses along with IPv6 addresses ("-e" option). Be verbose ("-v" option).
       Example #2
       # scan6 -d 2001:db8::/64 --tgt-virtual-machines all --ipv4-host 10.10.10.0/24
       Scan for virtual machines (both VirtualBox and  vmware)  in  the  prefix  2001:db8::/64.  The  additional
       information about the IPv4 prefix employed by the host system is leveraged to reduce the search space.
       Example #3
       # scan6 -d 2001:db8::/64 --tgt-ipv4-embedded ipv4-32 --ipv4-host 10.10.10.0/24
       Scan  for  IPv6 addresses of the network 2001:db8::/64 that embed the IPv4 prefix 10.10.10.0/24 (with the
       32-bit encoding).
       Example #4
       # scan6 -d 2001:db8:0-500:0-1000
       Scan for IPv6 addresses of the network 2001:db8::/64, varying the two lowest order 16-bit  words  of  the
       addresses in the range 0-500 and 0-1000, respectively.
       Example #5
       # scan6 -d fc00::/64 --tgt-vendor 'Dell Inc' -p tcp
       Scan  for network devices manufactured by 'Dell Inc' in the target prefix fc00::/64. The tool will employ
       TCP segments as the probe packets (rather than the default ICMPv6 echo requests).
       Example #6
       # scan6 -i eth0 -L -S 66:55:44:33:22:11 -p unrec -P global -v
       Use the "eth0" interface ("-i" option) to perform host-scanning on the local network ("-L"  option).  The
       Ethernet  Source  Address  is  set  to  "66:55:44:33:22:11" ("-S" option). The probe packets will be IPv6
       packets with unrecognized options of type 10xxxxxx ("-p" option). The tool will only  print  IPv6  global
       addresses ("-P" option). The tool will be verbose.
       Example #7
       # scan6 -d 2001:db8::/64 -w KNOWN_IIDS
       Perform an address scan of a set of known hosts listed in the file KNOWN_IIDS, at remote network
       2001:db8::/64. The target addresses are obtained by concatenating the network prefix 2001:db8::/64 with
       the interface IDs of each of the addresses found in the file KNOWN_IIDS.
       Example #8
       # scan6 -i eth0 -L -P global --print-unique -e
       Use the "eth0" interface ("-i" option) to perform host-scanning on the local network ("-L" option). Print
       only global unicast addresses ("-P" option), and at most one IPv6 address per Ethernet address
       ("--print-unique" option). Ethernet addresses will be printed along with the corresponding IPv6 address
       ("-e" option).
       Example #9
       # scan6 -m knownprefixes.txt -w knowniids.txt -l -z 60 -t -v
       Build the list of targets from the IPv6 prefixes contained in the file 'knownprefixes.txt' and the
       Interface IDs (IIDs) contained in the file 'knowniids.txt'. Poll the targets periodically ("-l" option),
       and sleep 60 seconds after each iteration ("-z" option). Print a timestamp along with the IPv6 address of
       each alive node ("-t" option). Be verbose ("-v" option).
SEE ALSO
       ipv6toolkit.conf(5)
       draft-ietf-opsec-ipv6-host-scanning (available at:
       <http://tools.ietf.org/html/draft-ietf-opsec-ipv6-host-scanning>) for a discussion of the IPv6
       host-tracking technique implemented by scan6, and a proposal on how to mitigate such attacks.
       draft-ietf-6man-stable-privacy-addresses (available at:
       <http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses>) for a discussion of the scanning
       techniques implemented by scan6, and a discussion of a number of aspects that should be taken into
       account when performing address scanning of remote networks.
       RFC 6583 (available at <http://www.rfc-editor.org/rfc/rfc6583.txt>) for a discussion of the potential
       Denial of Service (DoS) when scanning remote networks.
AUTHOR
       The  scan6 tool and the corresponding manual pages were produced by Fernando Gont <fgont@si6networks.com>
       for SI6 Networks <http://www.si6networks.com>.
COPYRIGHT
       Copyright (c) 2011-2013 Fernando Gont.
       Permission is granted to copy, distribute and/or modify this document under the terms  of  the  GNU  Free
       Documentation  License,  Version 1.3 or any later version published by the Free Software Foundation; with
       no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A copy of the license is available
       at <http://www.gnu.org/licenses/fdl.html>.
                                                                                                        SCAN6(1)