The vast IPv6 address space makes traditional brute-force address scanning infeasible. Many sites do employ predictable IPv6 address patterns that make heuristic address scans possible, but IPv6, far more than IPv4, requires that several complementary techniques be combined for network reconnaissance.
In this tip, we explore two complementary techniques for network reconnaissance: the automated use of search engines and the exploration of the Certificate Transparency framework. These techniques are also applicable to the IPv4 world, but certainly gain more relevance for IPv6.
Leveraging search engines
Search engines can be a valuable source when looking for web servers and other indexable servers, such as FTP servers. Most search engines support the special site: operator, which instructs the search engine to restrict results to the specified domain and its subdomains.
For example, one could obtain servers under the example.com domain by specifying the search string site:example.com. Search engines become much more useful for security professionals when their results can be obtained in plaintext, such that they can be more easily processed by custom scripts.
The script6 tool in SI6 Networks' IPv6 toolkit enables the user to employ a search engine to search for systems under a specified domain, discard any duplicate results and return the resulting domain names as plaintext, one per line.
For example, one could obtain a list of hostnames under the example.com domain using Microsoft's Bing search engine using this command:
$ script6 get-bing example.com
Also, if you have a list of domains in a text file, shell pipes could be employed as follows:
$ cat mydomains.txt | script6 get-bing-batch
Both the get-bing and get-bing-batch commands issue queries with an appropriate site: operator to the Bing search engine and automatically iterate through the result pages. Once the search engine starts to return mostly duplicate domain names, the tools employ some simple tricks to steer the engine away from the names already seen and obtain new ones. These two commands -- get-bing and get-bing-batch -- are efficient at obtaining subdomains of the specified domain as long as the number of subdomains is fairly small, on the order of a few thousand names at most.
For cases in which a domain might have a large number of subdomains, it is usually possible to produce more exhaustive results by employing a dictionary to feed words into the search engine. A number of dictionaries for some of the most popular languages can be obtained from GitHub using the following command:
$ git clone https://github.com/fgont/dictionaries.git
The script6 tool can then leverage one of the dictionaries by searching through the chosen dictionary with this command:
$ script6 get-bing-dict example.com ./dictionaries/english.dic
And, if a list of domains is available in a text file, shell pipes can be employed to search through those domains as follows:
$ cat mydomains.txt | script6 get-bing-dict-batch ./dictionaries/english.dic
Because these commands issue a separate search query for every word in the dictionary, they produce more exhaustive results, but they also take considerably longer. For a domain that only has a small set of subdomains, most of those queries will return nothing new, so the dictionary approach is best reserved for domains that the plain site: search cannot exhaust.
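The value of plaintext output is that it can be post-processed. The following is an added example, not code from script6 or the SI6 IPv6 toolkit: it normalizes a set of constructed search-result URLs for a target domain, keeps only hosts that really are under that domain (so that notexample.com or example.com.attacker.test do not slip in), deduplicates them, and builds a follow-up query that excludes the hosts already seen. The -site: exclusion is one common way to push a search engine toward new results; it is assumed here for illustration and is not a description of the tricks script6 itself uses.

```python
"""Normalize search-engine hits for a target domain and build the next query.

Added example, not part of the SI6 IPv6 toolkit or script6. The "-site:"
exclusion below is an assumed technique for coaxing new results out of a
search engine, not a description of how script6 works.
"""
from urllib.parse import urlsplit

# Constructed sample of result URLs, as a search engine might return them
# for the query "site:example.com". Not real search output.
SAMPLE_URLS = [
    "https://www.example.com/",
    "http://WWW.example.com/about",            # same host, different case
    "https://mail.example.com:8443/login",     # port must be stripped
    "https://notexample.com/",                 # looks similar, out of scope
    "https://example.com.attacker.test/",      # out of scope as well
    "https://ipv6.lab.example.com./",          # trailing dot, normalize it
    "https://example.com/",
]


def in_scope(host: str, domain: str) -> bool:
    """True if host is the domain itself or a proper subdomain of it."""
    return host == domain or host.endswith("." + domain)


def extract_hosts(urls, domain):
    """Return the sorted, deduplicated list of in-scope hostnames."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname  # lowercased; port and userinfo removed
        if not host:
            continue
        host = host.rstrip(".")       # "example.com." -> "example.com"
        if in_scope(host, domain):
            hosts.add(host)
    return sorted(hosts)


def next_query(domain, seen, max_exclusions=10):
    """Build a site: query that excludes subdomains already discovered.

    Search engines cap query length, so only the first max_exclusions
    hosts are excluded; a real tool would rotate through them.
    """
    exclusions = [h for h in sorted(seen) if h != domain][:max_exclusions]
    return " ".join([f"site:{domain}"] + [f"-site:{h}" for h in exclusions])


if __name__ == "__main__":
    found = extract_hosts(SAMPLE_URLS, "example.com")
    print("\n".join(found))
    print(next_query("example.com", found))
```

The suffix check in in_scope is the part worth copying: matching on a bare substring such as "example.com" would pull unrelated domains into the scan scope.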
Using the Certificate Transparency framework
The Certificate Transparency framework is meant to mitigate the problem of maliciously or mistakenly issued certificates by making the issuance and existence of TLS/SSL certificates open to scrutiny by domain owners, certificate authorities and domain users. One of the key components of the Certificate Transparency framework is the certificate logs: append-only, publicly auditable repositories of known certificates, in which every publicly trusted certificate is expected to be recorded.
Some companies provide a web interface to query such logs; however, as with search engines, these sources of information tend to be much more useful when the results can be printed in plaintext so that they can be subsequently processed by custom scripts.
The script6 tool enables the user to query the certificate logs for subdomains of a specified domain. For example, it could be used to query for subdomains of the example.com domain as follows:
$ script6 get-crt example.com
Or, given a list of domains in a file, you may create the following pipeline to obtain subdomains for each of the domains:
$ cat mydomains.txt | script6 get-crt-batch
The domain names returned by this command only imply that a certificate was issued for them at some point in time, not that the corresponding nodes exist or are currently reachable on the public internet; the name may have been decommissioned, renamed or may only ever have been resolvable internally. Search-engine results, by contrast, correspond to sites that were reachable from the public internet when the engine last crawled them, which may also be some time ago.
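Certificate Transparency search services typically also offer a machine-readable form of their results. The following is an added example, not code from script6 or the SI6 IPv6 toolkit; it assumes the JSON shape served by crt.sh (a list of records whose name_value field carries the certificate's DNS names separated by newlines, plus a not_after expiry), and the records below are constructed for the example. It extracts in-scope hostnames, drops wildcard names (which identify no host), and separates names that are covered by a currently valid certificate from those that appear only in expired ones, which is exactly the "was a certificate ever issued" versus "is the host likely still there" distinction the text warns about.

```python
"""Turn Certificate Transparency search results into a subdomain list.

Added example, not part of the SI6 IPv6 toolkit or script6. Assumes the
crt.sh-style JSON layout (list of records with "name_value" and
"not_after"); the records below are constructed, not real log data.
"""
import json
from datetime import datetime

# Constructed records in the style of crt.sh's JSON output.
SAMPLE_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com",  "not_after": "2030-01-01T00:00:00"},
    {"name_value": "*.example.com",                 "not_after": "2030-01-01T00:00:00"},
    {"name_value": "Old-Host.example.com",          "not_after": "2015-06-30T23:59:59"},
    {"name_value": "old-host.example.com",          "not_after": "2016-06-30T23:59:59"},
    {"name_value": "vpn.example.com\nwww.example.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "example.com.attacker.test",     "not_after": "2030-01-01T00:00:00"},
])


def in_scope(host, domain):
    """True if host is the domain itself or a proper subdomain of it."""
    return host == domain or host.endswith("." + domain)


def ct_subdomains(raw_json, domain):
    """Return {hostname: newest not_after} for every in-scope name.

    Wildcard names are dropped, names are lowercased and stripped of a
    trailing dot, and each host keeps the latest expiry seen across all
    certificates that mention it.
    """
    newest = {}
    for rec in json.loads(raw_json):
        expiry = datetime.fromisoformat(rec["not_after"])
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*.") or not in_scope(name, domain):
                continue
            if name not in newest or expiry > newest[name]:
                newest[name] = expiry
    return newest


def split_by_validity(newest, now):
    """Partition hosts into (covered by a valid cert, only expired certs)."""
    current = sorted(h for h, exp in newest.items() if exp >= now)
    stale = sorted(h for h, exp in newest.items() if exp < now)
    return current, stale


if __name__ == "__main__":
    # Fixed reference time so the example is reproducible.
    current, stale = split_by_validity(
        ct_subdomains(SAMPLE_JSON, "example.com"), datetime(2024, 1, 1))
    print("current:", *current)
    print("stale:  ", *stale)
```

Names in the "stale" list are still worth keeping as reconnaissance targets; they simply deserve a liveness check (DNS resolution, then a scan) before anyone draws conclusions from them.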
Obtaining further information
The domain names obtained via search engines and the Certificate Transparency framework can be employed as a starting point for further network reconnaissance. For example, one can obtain the authoritative name servers and the mail servers for those domains via the script6 tool, and then use the scan6 tool in the same toolkit to perform an address scan tailored to the specific IPv6 address patterns that each of the discovered hosts appears to follow.
Search engines and the Certificate Transparency framework are two great sources from which to obtain subdomains of a specific domain name. The script6 tool in the IPv6 toolkit can obtain information from both of these sources and return results in plaintext such that they can be processed by other tools or custom scripts.
These two techniques are also applicable to IPv4 networks. However, they become more relevant for IPv6 networks because some of the network reconnaissance techniques traditionally employed in IPv4 networks -- such as brute-force address scans -- are no longer feasible in the IPv6 world.