Advances in IPv6 network reconnaissance

By on 8 Jun 2018

Category: Tech matters

Tags: , , , ,

Blog home

During the recent TROOPERS18 conference in Heidelberg, Germany, and the subsequent x33fcon conference in Gdynia, Poland, I presented some findings from an IPv6 network reconnaissance project I’ve been working on, along with a number of tools that have been recently incorporated into the SI6 Networks’ IPv6 Toolkit that I maintain.

Much of my recent work on the IPv6 Toolkit was triggered by the need to perform global-scale Internet measurements, for example, a whole continent or economy, rather than focusing on one specific site, subdomain, or prefix, target.

This post describes some of the tools that have been incorporated into the SI6 IPv6 Toolkit with that goal in mind, along with a few practical examples.

Installing the IPv6 Toolkit

While the Toolkit is readily available in the package systems of a number of operating systems (such as Debian and FreeBSD), the most recommended way of installing the toolkit is to clone the official source code repository, and subsequently compile and install the toolkit from it. Given appropriate privileges, this can be achieved with the command:

git clone ; cd ipv6toolkit; make install

Obtaining domain datasets

When doing IPv6 network reconnaissance on a global scale, you may need to come up with a large dataset of hostnames.

Let’s start at the very top level: the list of Top-Level Domains (TLDs) can be obtained with the IPv6 Toolkit as follows:

$ script6 get-root-zone

Or, if you were interested in County-Code Top-Level Domains (ccTLDs) for a specific Regional Internet Registry, such as APNIC, you could obtain such list with:

$ script6 get-tld-for-rir apnic

Similarly, the ccTLDs for a given continent can be obtained with:

$ script6 get-tld-for-continent Asia

On some occasions, you may want to obtain the list of known suffixes for a given ccTLD. For example, the suffixes for the ‘.jp’ ccTLD can be easily obtained with:

$ script6 get-suffix-for-tld jp

You may employ shell pipes with these commands, too. For example, you could obtain all the suffixes for all the ccTLDs of Asia with:

$ script6 get-tld-for-continent asia | script6 get-suffix-for-tld

Leveraging search engines

Search engines can be a very valuable source of hostnames. Given a specific DNS zone, say,, you may obtain DNS names for such a zone, as follows:

$ script6 get-bing

If you have a list of zones (whether dynamically obtained via the commands described above, or simply stored in a text file), shell pipes could be employed as follows:

$ cat myzones.txt | script6 get-bing-batch

The ‘get-bing’ and ‘get-bing-batch’ commands of the script6 tool produce acceptable results in many scenarios but can be suboptimal when the goal is to produce a more exhaustive list of host names for a given zone. Such a goal can be better achieved by employing a dictionary (of an appropriate language) to feed words to the search engine. A number of dictionaries for some of the most popular languages can be obtained by means of:

$ git clone

Search engines may be leveraged with the help of an appropriate dictionary as follows:

$ script6 get-bing-dict ./dictionaries/spanish.dic

The following shell pipes may be employed to obtain hostnames for ccTLDs of the LACNIC region, by leveraging search engines with the help of a Spanish dictionary:

$ script6 get-tld-for-rir lacnic | script6 get-bing-dict-batch ./dictionaries/spanish.dic

Leveraging Certificate Transparency

Certificate Transparency (CT) helps to address some structural problems in the certificate system. But it also provides another vector for obtaining hostnames.

You can leverage CT to obtain hostnames for, say, the zone, as follows:

$ script6 get-crt

Or, given a list (one per line) of zones, you may create the following pipeline to obtain hostnames for all of such zones:

$ script6 get-suffix-for-tld jp | script6 get-crt-batch

Give it a try

Both search engines and CT can be leveraged to obtain hostnames for a specific DNS zone — whether that of a whole economy, or some specific organization. These techniques can be employed along with other network reconnaissance techniques for improved results.

More information on this topic is available in RFC7707 Network Reconnaissance in IPv6 Networks as well as a video of my presentation from TROOPERS18 below.

Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations from around the world.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *