Script dns-ip6-arpa-scan

Script types: prerule
Categories: intrusive, discovery
Download: https://svn.nmap.org/nmap/scripts/dns-ip6-arpa-scan.nse

Script Summary

Performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.

The technique essentially works by adding an octet to a given IPv6 prefix and resolving it. If the added octet is correct, the server will return NOERROR, if not a NXDOMAIN result is received.

The technique is described in detail on Peter's blog: http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa

See also:

• dns-nsec3-enum.nse
• dns-nsec-enum.nse
• dns-brute.nse
• dns-zone-transfer.nse

Script Arguments

prefix

the ip6 prefix to scan

mask

the ip6 mask to start scanning from

Example Usage

nmap --script dns-ip6-arpa-scan --script-args='prefix=2001:0DB8::/48'

Script Output

Pre-scan script results:
| dns-ip6-arpa-scan:
| ip                                 ptr
| 2001:0DB8:0:0:0:0:0:2              resolver1.example.com
|_2001:0DB8:0:0:0:0:0:3              resolver2.example.com

Requires

• coroutine
• dns
• ipOps
• nmap
• stdnse
• string
• tab
• table

---

Author:

• Patrik Karlsson

License: Same as Nmap--See https://nmap.org/book/man-legal.html