IPv6 Surface Analyzer

June 6, 2012 by Vinod Mondhekar

IPv6 is the version of the Internet Protocol that succeeds IPv4. Just like IPv4, IPv6 is an internet-layer protocol for packet-switched internetworking.
While IPv4 uses 32 bits for an IP address, and therefore has 2^32 (4 294 967 296) possible addresses, IPv6 uses 128-bit addresses, for an address space of 2^128 (approximately 3.4×10^38) addresses. An example of each is given below.

Ex of IPv4:

Ex of IPv6: 2003:0ba1:01e1:d001:1ae0:0100:d0f0:0010

IPv6 unicast addresses other than those that start with binary 000 are logically divided into two parts: a 64-bit (sub-) network prefix, and a 64-bit interface identifier.

The address consists of 128 bits, versus the 32 bits of current IPv4 addresses. It is represented as 8 groups of 16 bits each, separated by the “:” character.

Each 16-bit group is represented by 4 hexadecimal digits; each digit has a value between 0 and 15 (0, 1, 2, … a, b, c, d, e, f, where a=10, b=11, and so on up to f=15).

Like IPv4, IPv6 supports globally unique static IP addresses, which can be used to track a single device’s Internet activity. Most devices are used by a single user, so a device’s activity is often assumed to be equivalent to a user’s activity. This is a cause for concern to anyone who has political, social, or economic reasons for keeping their Internet activity secret.

Activity tracking based on IP address is a potential privacy issue for all IP-enabled devices. However, device activity can be particularly simple to track when the host identifier portion of the IPv6 address is automatically generated from the network interface’s MAC address.

Privacy extensions for IPv6 have been defined to address these privacy concerns. When privacy extensions are enabled, the operating system generates ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix. These ephemeral addresses, instead of trackable static IP addresses, are used to communicate with remote hosts. The use of ephemeral addresses makes it difficult to accurately track a user’s Internet activity by scanning activity streams for a single IPv6 address. Privacy extensions are enabled by default in Windows, Mac OS X (since 10.7), and iOS since version 4.3. Some Linux distributions have enabled privacy extensions as well.
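The MAC-based host identifier and the privacy-extension case described above can be told apart by inspection. The following is an added example, not part of the original article and not the tool's own code: it derives the modified EUI-64 identifier for the two VMware MAC addresses seen later in this walkthrough and recovers a MAC from an address that embeds one. The 2001:db8:1:2::/64 prefix is a constructed documentation prefix.

```python
import ipaddress

def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit network prefix with the MAC-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return net[int.from_bytes(mac_to_iid(mac), "big")]

def embedded_mac(address: str):
    """Return the MAC an address gives away, or None if the IID is not EUI-64 shaped.

    Heuristic: a random identifier can contain ff:fe at this offset by chance.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # e.g. a randomly generated privacy-extension identifier
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02X}" for b in raw)

if __name__ == "__main__":
    # MAC addresses are the ones reported by Nmap in this article.
    for mac in ("00:0C:29:47:22:D3", "00:0C:29:C7:DB:2D"):
        print(mac, "->", slaac_address("fe80::/64", mac))
    # Constructed global address on a documentation prefix, plus the article's sample address.
    for addr in ("2001:db8:1:2:20c:29ff:fec7:db2d",
                 "2003:0ba1:01e1:d001:1ae0:0100:d0f0:0010"):
        print(addr, "->", embedded_mac(addr) or "no MAC embedded")
```

An address for which `embedded_mac` returns a value keeps the same host identifier on every network prefix, which is what makes the device trackable.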

Privacy extensions do not protect the user from other forms of activity tracking, such as tracking cookies. Privacy extensions do little to protect the user from tracking if only one or two hosts are using a given network prefix, and the activity tracker is privy to this information. In this scenario, the network prefix is the unique identifier for tracking. Network prefix tracking is less of a concern if the user’s ISP assigns a dynamic network prefix via DHCP.

The largest limiting factor of IPv4 is the number of available addresses. When IPv4 was created, there were far fewer internet-connected machines that required an address, so the 4.3 billion defined addresses were considered to be more than sufficient. However, due to the large number of reserved addresses and the huge growth in internet use, we are rapidly running out of available addresses.

Classless Inter-domain routing (CIDR) and network address translation (NAT) are two technologies created to help delay the depletion of available addresses, but it is just a matter of time before no more IPv4 addresses are available.

One of the features of IPv6 is its ability to autoconfigure, which eliminates the need for DHCP to obtain an address assignment. So now we know why IPv6 is important for us.

Beyond the challenges associated with IPv6, there are some new vulnerabilities as well. For example, ARP spoofing is still possible, but now it is done by using neighbor discovery (ND) instead. MITM attacks are also still possible when IPv6 is in use, and a variety of DoS attacks are possible against IPv6 routers (though DoS attacks should not be performed as part of a penetration test).

To find the MAC addresses, the open ports and the associated IPv6 addresses, we need one all-in-one tool, i.e. IPv6_surface_analyzer. Because it is open source, we can download and use it for free.

The following is the step-by-step procedure for using IPv6_surface_analyzer:

First download and extract the tar file. To use this tool on a LAN, we have to start our VMware system. I am using the Samurai live CD to create the LAN; Samurai is an OS like BackTrack, built specially for web application pen testing. After booting the live CD, I check its IPv4 address, IPv6 address and MAC (physical) address.

Start a terminal, then:
→ ifconfig [Enter]

It shows us all the relevant information about

Screenshot No. 1:

The red dot shows the information that we need here. I am using Windows XP Professional as the second system on the LAN; after booting it, I check its IPv4 address and MAC (physical) address.

Start → Run → cmd [Enter]

Type: ipconfig /all

It shows us all the relevant information about

Screenshot No. 2:

The red dot shows the information that we need here.

Now use the Nmap tool to check which ports are normally open on both systems. Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing.

Syntax: nmap [Scan Type(s)] [Options] {target specification}

Scan Types

  • -sS, Syn
  • -sT, Connect
  • -sA, Ack


  • -O, OS
  • -sV, services
  • -v, verbose

Ex: nmap

  • Default scan, full SYN, top 1000 ports

So we run Nmap, and the output shows 3 open ports, i.e. 80 associated with http, 443 associated with https and 5001 associated with commplex-link, along with the MAC address, which is 00:0C:29:47:22:D3 (VMware).

Screenshot No. 3:

For the second system, the Nmap output shows 3 open ports, i.e. 135 associated with msrpc, 139 associated with netbios-ssn and 445 associated with microsoft-ds, along with the MAC address, which is 00:0C:29:C7:DB:2D (VMware).

Screenshot No. 4:

Now the main work starts: we use ipv6_surface_analyzer to find which systems are alive and which are dead.

The only input we have to give is an IPv4 range and the interface.

The syntax of ipv6_surface_analyzer is as follows:

./ [starting address of ipv4][ending address of ipv4] [interface]

Screenshot No. 5:

There is one condition: when we write the IP range to scan, we must write the lower (starting) IP first and the higher (ending) IP second.

After ipv6_surface_analyzer runs successfully, its output shows all of the above results on one screen.

Ex: ./ eth0

Here starting address is and the ending address is both are IPv4 and the interface is eth0.

The result contains the alive and dead IPv4 addresses.

If the system is alive, the tool:

  • checks for the MAC address,
  • finds the corresponding IPv6 address, and
  • shows which ports are open by default.

Here we cross-check our earlier ifconfig / ipconfig and Nmap output against the ipv6_surface_analyzer output screen.

Because we sometimes don’t have time to run multiple tools and check their output, this is a good tool for getting everything needed on one output screen.


Introduction to IPv6 addressing and configuration

