twobee - Fotolia


Network reconnaissance: How to use SI6 Networks' IPv6 toolkit

SI6 Networks' IPv6 toolkit can do network reconnaissance using search engines and the Certificate Transparency framework. Learn how to use IPv6 toolkits from expert Fernando Gont.

The vast IPv6 address space makes traditional brute-force address scanning attacks unfeasible. While many sites employ specific IPv6 address patterns that enable heuristic address scans, IPv6 -- more than its IPv4 counterpart -- requires that multiple complementary techniques be applied for IPv6 network reconnaissance.

In this tip, we explore two complementary techniques for network reconnaissance: the automated use of search engines and the exploration of the Certificate Transparency framework. These techniques are also applicable to the IPv4 world, but certainly gain more relevance for IPv6.

Leveraging search engines

Search engines can be a valuable source when looking for web servers and other indexable servers, such as FTP servers. Most search engines support the special keyword site, which requires the search engine to restrict results to the specified domain.

For example, one could obtain servers under the domain by specifying the search string Search engines become much more useful for security professionals when their results can be obtained in plaintext, such that they can be more easily processed by custom scripts.

The script6 tool in the SI6 Networks' IPv6 toolkit enables the user to employ a search engine to search for systems under a specified domain, discard any duplicate results and return the resulting domains names as plaintext.

For example, one could obtain a list of hostnames under the domain using Microsoft's Bing search engine using this command:

$ script6 get-bing

Also, if you have a list of domains in a text file, shell pipes could be employed as follows:

$ cat mydomains.txt | script6 get-bing-batch

Both the get-bing and get-bing-batch commands issue queries with an appropriate site keyword to the Bing search engine and automatically iterate through the results pages. Once the search engine starts to return a large number of duplicate domain names, the tools employ some simple tricks to avoid duplicate domains and obtain new ones. These two commands -- get-bing and get-bing-batch -- are efficient in obtaining subdomains of the specified domain name when the number of subdomains is rather small -- on the order of a few thousand domain names.

For cases in which a domain might have a large number of subdomains, it is usually possible to produce more exhaustive results by employing a dictionary to feed words into the search engine. A number of dictionaries for some of the most popular languages can be obtained from GitHub using the following command:

$ git clone

The script6 tool can then leverage one of the dictionaries by searching through the chosen dictionary with this command:

$ script6 get-bing-dict ./dictionaries/english.dic

And, if a list of domains is available in a text file, shell pipes can be employed to search through those domains as follows:

$ cat mydomains.txt | script6 get-bing-dict-batch ./dictionaries/english.dic

Because these commands issue search queries using each of the words in the dictionary, they produce more exhaustive results, but it may take longer to discover a small set of subdomains of a given domain. This is because using some or many of the keywords in the dictionary might yield no results at all.

Using the Certificate Transparency framework

The Certificate Transparency framework is meant to mitigate the problem of maliciously or mistakenly issued certificates, leaving the issuance and existence of SSL certificates open to scrutiny by domain owners, certificate authorities and domain users. One of the key components of the Certificate Transparency framework is the certificate logs, which are append-only repositories of all the known certificates, and where all SSL certificates should be recorded.

Some companies provide a web interface to query such logs; however, as with search engines, these sources of information tend to be much more useful when the results can be printed in plaintext so that they can be subsequently processed by custom scripts.

The script6 tool enables the user to query the certificate logs for subdomains of a specified domain. For example, it could be used to query for subdomains of the domain as follows:

$ script6 get-crt

Or, given a list of domains in a file, you may create the following pipeline to obtain subdomains for each of the domains:

$ cat mydomains.txt | script6 get-crt-batch

The domain names returned by this command imply that certificates have been generated for them at one point in time, but not that the corresponding nodes are currently online or reachable on the public internet. This is in contrast to the results obtained from search engines, which always correspond to sites that are reachable from the public internet.

Obtaining further information

The domain names obtained via search engines and the Certificate Transparency framework can be employed as a starting point for network reconnaissance. For example, one could easily obtain the authoritative domain name servers and the mail servers for those domains via the script6 tool. A user can also perform an address scan for the specific IPv6 address patterns employed by each of the domain names with the scan6 tool in the toolkit.

Search engines and the Certificate Transparency framework are two great sources from which to obtain subdomains of a specific domain name. The script6 tool in the IPv6 toolkit can obtain information from both of these sources and return results in plaintext such that they can be processed by other tools or custom scripts.

These two techniques are also applicable to IPv4 networks. However, they become more relevant for IPv6 networks because some of the network reconnaissance techniques traditionally employed in IPv4 networks -- such as brute-force address scans -- are no longer feasible in the IPv6 world.

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing