local coroutine = require "coroutine" local ipOps = require "ipOps" local nmap = require "nmap" local packet = require "packet" local stdnse = require "stdnse" local string = require "string" local tab = require "tab" local table = require "table" local target = require "target" description = [[ Sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address (ff02::1) to discover (some) available hosts on the LAN. This works because some hosts will respond to this probe with an ICMPv6 Parameter Problem packet. ]] --- -- @usage -- ./nmap -6 --script=targets-ipv6-multicast-invalid-dst.nse --script-args 'newtargets,interface=eth0' -sP -- @output -- Pre-scan script results: -- | targets-ipv6-multicast-invalid-dst: -- | IP: 2001:0db8:0000:0000:0000:0000:0000:0001 MAC: 11:22:33:44:55:66 IFACE: eth0 -- |_ Use --script-args=newtargets to add the results as targets -- @args targets-ipv6-multicast-invalid-dst.interface The interface to use for host discovery. author = {"David Fifield", "Xu Weilin"} license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"discovery","broadcast"} prerule = function() return nmap.is_privileged() end --- Build an IPv6 invalid extension header. -- @param nxt_hdr integer that stands for next header's type local function build_invalid_extension_header(nxt_hdr) -- RFC 2640, section 4.2 defines the TLV format of options headers. -- It is important that the first byte have 10 in the most significant -- bits; that instructs the receiver to send a Parameter Problem. -- Option type 0x80 is unallocated; see -- http://www.iana.org/assignments/ipv6-parameters/. return string.char(nxt_hdr, 0) .. --next header, length 8 "\x80\x01\x00\x00\x00\x00" end local function filter_interfaces(if_table) if ipOps.ip_to_str(if_table.address) and if_table.link == "ethernet" then return if_table end end local function single_interface_broadcast(if_nfo, results) stdnse.debug1("Starting " .. SCRIPT_NAME .. " on " .. if_nfo.device) local condvar = nmap.condvar(results) local src_mac = if_nfo.mac local src_ip6 = ipOps.ip_to_str(if_nfo.address) local dst_mac = packet.mactobin("33:33:00:00:00:01") local dst_ip6 = ipOps.ip_to_str("ff02::1") ---------------------------------------------------------------------------- --Multicast invalid destination exheader probe local dnet = nmap.new_dnet() local pcap = nmap.new_socket() local function catch () dnet:ethernet_close() pcap:pcap_close() end local try = nmap.new_try(catch) try(dnet:ethernet_open(if_nfo.device)) pcap:pcap_open(if_nfo.device, 128, false, "icmp6 and ip6[6:1] = 58 and ip6[40:1] = 4") local probe = packet.Frame:new() probe.mac_src = src_mac probe.mac_dst = dst_mac probe.ip_bin_src = src_ip6 probe.ip_bin_dst = dst_ip6 -- In addition to setting an invalid option in -- build_invalid_extension_header, we set an unknown ICMPv6 type of -- 254. (See http://www.iana.org/assignments/icmpv6-parameters for -- allocations.) Mac OS X 10.6 appears to send a Parameter Problem -- response only if both of these conditions are met. In this we differ -- from the alive6 tool, which sends a proper echo request. probe.icmpv6_type = 254 probe.icmpv6_code = 0 -- Add a non-empty payload too. probe.icmpv6_payload = "\x00\x00\x00\x00" probe:build_icmpv6_header() probe.exheader = build_invalid_extension_header(packet.IPPROTO_ICMPV6) probe.ip6_nhdr = packet.IPPROTO_DSTOPTS probe:build_ipv6_packet() probe:build_ether_frame() try(dnet:ethernet_send(probe.frame_buf)) pcap:set_timeout(1000) local pcap_timeout_count = 0 local nse_timeout = 5 local start_time = nmap:clock() local cur_time = nmap:clock() local addrs = {} repeat local status, length, layer2, layer3 = pcap:pcap_receive() cur_time = nmap:clock() if not status then pcap_timeout_count = pcap_timeout_count + 1 else local l2reply = packet.Frame:new(layer2) if l2reply.mac_dst == src_mac then local reply = packet.Packet:new(layer3) local target_str = reply.ip_src if not results[target_str] then if target.ALLOW_NEW_TARGETS then target.add(target_str) end results[#results + 1] = { address = target_str, mac = stdnse.format_mac(l2reply.mac_src), iface = if_nfo.device } results[target_str] = true end end end until pcap_timeout_count >= 2 or cur_time - start_time >= nse_timeout dnet:ethernet_close() pcap:pcap_close() condvar("signal") end local function format_output(results) local output = tab.new() for _, record in ipairs(results) do tab.addrow(output, "IP: " .. record.address, "MAC: " .. record.mac, "IFACE: " .. record.iface) end if #results > 0 then output = { tab.dump(output) } if not target.ALLOW_NEW_TARGETS then output[#output + 1] = "Use --script-args=newtargets to add the results as targets" end return stdnse.format_output(true, output) end end action = function() local threads = {} local results = {} local condvar = nmap.condvar(results) for _, if_nfo in ipairs(stdnse.get_script_interfaces(filter_interfaces)) do -- create a thread for each interface local co = stdnse.new_thread(single_interface_broadcast, if_nfo, results) threads[co] = true end repeat for thread in pairs(threads) do if coroutine.status(thread) == "dead" then threads[thread] = nil end end if ( next(threads) ) then condvar "wait" end until next(threads) == nil return format_output(results) end