Add: host discovery for large ipv6 networks for scannerctl rust implementation

To test this, try with the following command

sudo target/debug/scannerctl alivetest --hostdiscovery -t 5858:0:0:0:0:0:1:0/124 -v

Ensure you added the IP and network to your local host and ensure there are other alive hosts in the same network. You can try with subnets as well

Author: jjnicola

rust/Cargo.lock

@@ -134,6 +134,7 @@ tar = "0"
 bzip2 = "0"
 zstd = "0"
 rustls-pki-types = { version = "1.14.0", features = ["std"] }
+cidr = "0.3.2"
 
 [workspace]
 members = ["crates/smoketest", "crates/nasl-function-proc-macro"]

rust/Cargo.toml

@@ -4,7 +4,9 @@
 
 use crate::alive_test::AliveTestError;
 use crate::alive_test::arp::forge_arp_request;
-use crate::alive_test::icmp::{forge_icmp_v4, forge_icmp_v6, forge_neighbor_solicit};
+use crate::alive_test::icmp::{
+    forge_icmp_v4, forge_icmp_v6, forge_icmp_v6_for_host_discovery, forge_neighbor_solicit,
+};
 use crate::nasl::raw_ip_utils::{
     raw_ip_utils::{FIX_IPV6_HEADER_LENGTH, send_v4_packet, send_v6_packet},
     tcp_ping::{FILTER_PORT, forge_tcp_ping_ipv4, forge_tcp_ping_ipv6},
@@ -20,12 +22,14 @@ use pnet::packet::ip::IpNextHeaderProtocols;
 use pnet::packet::ipv6::Ipv6Packet;
 use pnet::packet::tcp::TcpPacket;
 use std::collections::HashSet;
+use std::str::FromStr;
 use std::time::Duration;
 use tokio::sync::mpsc::{self, Receiver, Sender};
 use tokio::time::sleep;
 
 use std::net::IpAddr;
 
+use cidr::Ipv6Cidr;
 use pcap::{Active, Capture, Inactive, PacketCodec, PacketStream};
 use pnet::packet::{
     icmp::{IcmpTypes, *},
@@ -45,7 +49,7 @@ const BITS_PER_BYTE: usize = 8;
 
 struct AliveTestCtlStop;
 
-#[derive(Clone)]
+#[derive(Debug, Clone)]
 struct AliveHostInfo {
     ip: String,
     detectihttp_method: AliveTestMethods,
@@ -142,13 +146,13 @@ fn process_ipv6_packet(packet: &[u8]) -> Result<Option<AliveHostInfo>, AliveTest
             .ok_or_else(|| {
                 AliveTestError::CreateIcmpPacketFromWrongBufferSize(packet[..].len() as i64)
             })?;
-
         let make_alive_host_ctl = |pkt: Ipv6Packet<'_>, method| {
             Ok(Some(AliveHostInfo {
                 ip: pkt.get_source().to_string(),
                 detectihttp_method: method,
             }))
         };
+
         match icmp_pkt.get_icmpv6_type() {
             Icmpv6Types::EchoReply => return make_alive_host_ctl(pkt, AliveTestMethods::Icmp),
             Icmpv6Types::NeighborAdvert => return make_alive_host_ctl(pkt, AliveTestMethods::Arp),
@@ -217,7 +221,7 @@ async fn capture_task(
         tokio::select! {
             packet = stream.next() => { // packet is Option<Result<Box>>
                 if let Some(Ok(data)) = packet && let Ok(Some(alive_host)) = process_packet(&data) {
-                        tx_msg.send(alive_host).await.unwrap()
+                    tx_msg.send(alive_host).await.unwrap()
                 }
             },
             ctl = rx_ctl.recv() => {
@@ -231,13 +235,51 @@ async fn capture_task(
     Ok(())
 }
 
+fn get_host_discovery_ipv6_net(
+    methods: &Vec<AliveTestMethods>,
+    target: &HashSet<String>,
+) -> Option<Result<Ipv6Cidr, AliveTestError>> {
+    if methods.contains(&AliveTestMethods::HostDiscoveryIpv6) {
+        if let Some(t) = target.iter().next()
+            && target.len() == 1
+        {
+            return Some(
+                Ipv6Cidr::from_str(t)
+                    .map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string())),
+            );
+        } else {
+            tracing::debug!("Only one IPv6 network address is allowed for host discovery");
+            return Some(Err(AliveTestError::InvalidDestinationAddr(
+                target.iter().next().unwrap().to_string(),
+            )));
+        }
+    }
+    None
+}
+
 async fn send_task(
     methods: Vec<AliveTestMethods>,
     target: HashSet<String>,
     timeout: u64,
     tx_ctl: Sender<AliveTestCtlStop>,
 ) -> Result<(), AliveTestError> {
     let mut count = 0;
+    match get_host_discovery_ipv6_net(&methods, &target) {
+        Some(Ok(dst)) => {
+            let icmp = forge_icmp_v6_for_host_discovery(dst)?;
+            send_v6_packet(icmp)?;
+            tracing::info!("Started host discovery against {}", dst);
+            sleep(Duration::from_millis(timeout)).await;
+            // Send only returns error if the receiver is closed, which only happens when it panics.
+            tx_ctl.send(AliveTestCtlStop).await.unwrap();
+            return Ok(());
+        }
+        Some(Err(e)) => {
+            tx_ctl.send(AliveTestCtlStop).await.unwrap();
+            return Err(e);
+        }
+        None => {}
+    };
 
     let target: HashSet<IpAddr> = target
         .into_iter()
@@ -358,14 +400,18 @@ impl Scanner {
         let capture_handle = tokio::spawn(capture_task(capture_inactive, rx_ctl, tx_msg));
 
         let timeout = self.timeout.unwrap_or((DEFAULT_TIMEOUT * 1000) as u64);
-        let methods = self.methods.clone();
-        let send_handle = tokio::spawn(send_task(methods, trgt, timeout, tx_ctl));
+        let methods_c = self.methods.clone();
+        let send_handle = tokio::spawn(send_task(methods_c, trgt, timeout, tx_ctl));
 
         while let Some(alivehost) = rx_msg.recv().await {
             if self.target.contains(&alivehost.ip) && !alive.contains(&alivehost.ip) {
                 alive.insert(alivehost.ip.clone());
                 println!("{} via {:?}", &alivehost.ip, &alivehost.detectihttp_method);
-            }
+            } else if let Some(Ok(dst)) = get_host_discovery_ipv6_net(&self.methods, &self.target) 
+                && dst.contains(&alivehost.ip.parse::<std::net::Ipv6Addr>().unwrap()) {
+                    alive.insert(alivehost.ip.clone());
+                    println!("{} via {:?}", &alivehost.ip, &alivehost.detectihttp_method);
+                }
         }
 
         send_handle.await.unwrap().unwrap();

rust/src/alive_test/alive_test.rs

@@ -12,6 +12,7 @@ use crate::nasl::raw_ip_utils::raw_ip_utils::{
     DEFAULT_TTL, FIX_IPV6_HEADER_LENGTH, HEADER_LENGTH, IP_LENGTH, IP_PPRTO_VERSION_IPV4,
     IPPROTO_IPV6,
 };
+use cidr::Ipv6Cidr;
 use pnet::packet::icmpv6::Icmpv6Code;
 use pnet::packet::icmpv6::Icmpv6Type;
 use pnet::packet::icmpv6::ndp::MutableNeighborSolicitPacket;
@@ -84,6 +85,7 @@ fn forge_icmp_v6_packet() -> Vec<u8> {
 
 fn forge_ipv6_packet_for_icmp(
     icmp_buf: &mut [u8],
+    src: Ipv6Addr,
     dst: Ipv6Addr,
 ) -> Result<Ipv6Packet<'static>, AliveTestError> {
     let icmp_buf_len = icmp_buf.len();
@@ -94,10 +96,9 @@ fn forge_ipv6_packet_for_icmp(
 
     pkt.set_next_header(IpNextHeaderProtocols::Icmpv6);
     pkt.set_hop_limit(DEFAULT_TTL);
-    pkt.set_source(
-        get_source_ipv6(dst).map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?,
-    );
+
     pkt.set_destination(dst);
+    pkt.set_source(src);
     pkt.set_version(IPPROTO_IPV6);
     let icmp_buf_len = icmp_buf.len() as i64;
     let mut icmp_pkt = packet::icmpv6::MutableIcmpv6Packet::new(icmp_buf).ok_or(
@@ -118,6 +119,25 @@ fn forge_ipv6_packet_for_icmp(
     Ok(Ipv6Packet::owned(ip_buf).unwrap())
 }
 
+pub fn forge_icmp_v6_for_host_discovery(
+    dst: Ipv6Cidr,
+) -> Result<Ipv6Packet<'static>, AliveTestError> {
+    let mut icmp_buf = forge_icmp_v6_packet();
+    let dst = dst.first().next().unwrap().address(); // first is the network address. We need the host.
+    let src = get_source_ipv6(dst.into())
+        .map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?;
+    let dst = "ff02::1".parse::<Ipv6Addr>().unwrap();
+    forge_ipv6_packet_for_icmp(&mut icmp_buf, src, dst)
+}
+
+pub fn forge_icmp_v6(dst: Ipv6Addr) -> Result<Ipv6Packet<'static>, AliveTestError> {
+    let mut icmp_buf = forge_icmp_v6_packet();
+    let src =
+        get_source_ipv6(dst).map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?;
+
+    forge_ipv6_packet_for_icmp(&mut icmp_buf, src, dst)
+}
+
 pub fn forge_neighbor_solicit(dst_ip: Ipv6Addr) -> Result<Ipv6Packet<'static>, AliveTestError> {
     let mut icmp_buf = vec![0; MutableNeighborSolicitPacket::minimum_packet_size()];
     let mut icmp_pkt = MutableNeighborSolicitPacket::new(&mut icmp_buf).unwrap();
@@ -127,10 +147,7 @@ pub fn forge_neighbor_solicit(dst_ip: Ipv6Addr) -> Result<Ipv6Packet<'static>, A
     icmp_pkt.set_icmpv6_code(Icmpv6Code::new(0u8));
     icmp_pkt.set_target_addr(dst_ip);
 
-    forge_ipv6_packet_for_icmp(&mut icmp_pkt.packet().to_vec(), dst_ip)
-}
-
-pub fn forge_icmp_v6(dst: Ipv6Addr) -> Result<Ipv6Packet<'static>, AliveTestError> {
-    let mut icmp_buf = forge_icmp_v6_packet();
-    forge_ipv6_packet_for_icmp(&mut icmp_buf, dst)
+    let src = get_source_ipv6(dst_ip)
+        .map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?;
+    forge_ipv6_packet_for_icmp(&mut icmp_pkt.packet().to_vec(), src, dst_ip)
 }

rust/src/alive_test/icmp.rs

@@ -38,6 +38,9 @@ pub struct AliveTestArgs {
     /// ARP ping. Supports both IPv4 and IPv6.
     #[clap(long, action=ArgAction::SetTrue)]
     arp: bool,
+    /// Host discovery for large IPv6 network. Only one address network at time is possible and not to be combined with other alive methods.
+    #[clap(long, action=ArgAction::SetTrue)]
+    hostdiscovery: bool,
 }
 
 pub async fn run(args: AliveTestArgs) -> Result<(), CliError> {
@@ -62,6 +65,11 @@ pub async fn run(args: AliveTestArgs) -> Result<(), CliError> {
         methods.push(AliveTestMethods::Arp);
     }
 
+    if args.hostdiscovery {
+        methods.clear();
+        methods.push(AliveTestMethods::HostDiscoveryIpv6);
+    }
+
     if args.icmp || methods.is_empty() {
         methods.push(AliveTestMethods::Icmp);
     }