|
| 1 | +## Description |
| 2 | + |
| 3 | +This auxiliary module probes the local network for IPv6 hosts that respond to Neighbor Solicitations with a link-local address. This module, like the arp_sweep one, will generally only work within the attacking machine’s broadcast domain. |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | +1. Do: ```use auxiliary/scanner/discovery/ipv6_neighbor``` |
| 8 | +2. Do: ```set RHOSTS [IP]``` |
| 9 | +3. Do: ```set SHOST [IP]``` |
| 10 | +4. Do: ```set SMAC [MAC]``` |
| 11 | +5. Do: ```set THREADS [number of threads]``` |
| 12 | +6. Do: ```run``` |
| 13 | + |
| 14 | +In addition to setting our RHOSTS value, we also need to set our source MAC address(SMAC) and source host(SHOST) IP address. We then set our RHOSTS and THREADS values and let the scanner run. |
| 15 | + |
| 16 | +## Scenarios |
| 17 | + |
| 18 | +**Running the scanner** |
| 19 | +``` |
| 20 | +msf > use auxiliary/scanner/discovery/ipv6_neighbor |
| 21 | +msf auxiliary(ipv6_neighbor) > show options |
| 22 | +
|
| 23 | +Module options: |
| 24 | +
|
| 25 | + Name Current Setting Required Description |
| 26 | + ---- --------------- -------- ----------- |
| 27 | + INTERFACE no The name of the interface |
| 28 | + PCAPFILE no The name of the PCAP capture file to process |
| 29 | + RHOSTS yes The target address range or CIDR identifier |
| 30 | + SHOST yes Source IP Address |
| 31 | + SMAC yes Source MAC Address |
| 32 | + THREADS 1 yes The number of concurrent threads |
| 33 | + TIMEOUT 500 yes The number of seconds to wait for new data |
| 34 | +
|
| 35 | +msf auxiliary(ipv6_neighbor) > set RHOSTS 192.168.1.2-254 |
| 36 | +RHOSTS => 192.168.1.200-254 |
| 37 | +msf auxiliary(ipv6_neighbor) > set SHOST 192.168.1.101 |
| 38 | +SHOST => 192.168.1.101 |
| 39 | +msf auxiliary(ipv6_neighbor) > set SMAC d6:46:a7:38:15:65 |
| 40 | +SMAC => d6:46:a7:38:15:65 |
| 41 | +msf auxiliary(ipv6_neighbor) > set THREADS 55 |
| 42 | +THREADS => 55 |
| 43 | +msf auxiliary(ipv6_neighbor) > run |
| 44 | +
|
| 45 | +[*] IPv4 Hosts Discovery |
| 46 | +[*] 192.168.1.10 is alive. |
| 47 | +[*] 192.168.1.11 is alive. |
| 48 | +[*] 192.168.1.2 is alive. |
| 49 | +[*] 192.168.1.69 is alive. |
| 50 | +[*] 192.168.1.109 is alive. |
| 51 | +[*] 192.168.1.150 is alive. |
| 52 | +[*] 192.168.1.61 is alive. |
| 53 | +[*] 192.168.1.201 is alive. |
| 54 | +[*] 192.168.1.203 is alive. |
| 55 | +[*] 192.168.1.205 is alive. |
| 56 | +[*] 192.168.1.206 is alive. |
| 57 | +[*] 192.168.1.99 is alive. |
| 58 | +[*] 192.168.1.97 is alive. |
| 59 | +[*] 192.168.1.250 is alive. |
| 60 | +[*] IPv6 Neighbor Discovery |
| 61 | +[*] 192.168.1.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61 |
| 62 | +[*] 192.168.1.99 maps to IPv6 link local address fe80::5ab0:35ff:fe6a:4ecc |
| 63 | +[*] 192.168.1.97 maps to IPv6 link local address fe80::7ec5:37ff:fef9:a96a |
| 64 | +[*] Scanned 253 of 253 hosts (100% complete) |
| 65 | +[*] Auxiliary module execution completed |
| 66 | +msf auxiliary(ipv6_neighbor) > |
| 67 | +``` |
| 68 | + |
| 69 | +Looking at the module output, you can see that this scanner serves the dual-purpose of showing what hosts are online similar to arp_sweep and then performs the IPv6 Neighbor Discovery. |
0 commit comments