Latest version: 2.1.0


Populate the neighbors cache

We want to populate NDPMon's neighbor cache and trigger the corresponding alerts. To do so, we use the alive6 tool from thc-ipv6 to enumerate the live nodes on the segment and their addresses:

  root@attacker:~# alive6
  alive6 v1.8 (c) 2011 by van Hauser / THC <vh@thc.org> www.thc.org

  Syntax: alive6 [-dlmrS] [-W TIME] [-i FILE] [-o FILE] [-s NUMBER] interface [unicast-or-multicast-address [remote-router]]

  Shows alive addresses in the segment. If you specify a remote router, the
  packets are sent with a routing header prefixed by fragmentation
  Options:
    -i FILE    check systems from input file
    -o FILE    write results to output file
    -m         enumerate from hardware addresses in input fule
    -l         use link-local address instead of global address
    -d         resolve alive ipv6 addresses
    -W TIME    time in ms to wait after sending a packet (default: 10)
    -S         slow mode, get best router for each remote target or when proxy-NA
    -n NUMBER  how often to send each packet (default: 1)
    -s NUMBER  scan type, bit-wise add: 1-ping, 2-invalid header,
               4-invalid hop-by-hop, 8-udp dns, 16-tcp ack highport,
               32-tcp syn ssh, 64-tcp syn web, 128-tcp syn ssl; default: 5

  root@attacker:~# alive6 eth1
  Alive: fd75:7c74:2274:1:fd:ff:fe00:401
  Alive: fd75:7c74:2274:1:fd:ff:fe00:501
  Alive: fd75:7c74:2274:1::1
  Alive: fd75:7c74:2274:1:fd:ff:fe00:201
  Found 5 systems alive

  root@attacker:~# alive6 -l eth1
  Alive: fe80::fd:ff:fe00:401
  Alive: fe80::fd:ff:fe00:501
  Alive: fe80::fd:ff:fe00:201
  Alive: fe80::fd:ff:fe00:102
  Found 5 systems alive

NDPMon detects all hosts and raises low priority alerts accordingly:

  • new station
    To: root@localhost
    Subject: NDPMon_Security_Alert: new station 2:fd:0:0:4:1 fd75:7c74:2274:1:fd:ff:fe00:401
    Date: Mon,  9 Jul 2012 12:56:51 +0200 (CEST)
    From: root@ndpmon (root)

    Reason:  :new station
    MAC:     :2:fd:0:0:4:1
    MAC2:    :n/a
    IPv6:    :fd75:7c74:2274:1:fd:ff:fe00:401
    DNS:     :n/a
  • new ip
    To: root@localhost
    Subject: NDPMon_Security_Alert: new IP 2:fd:0:0:1:2 fd75:7c74:2274:1::1
    Date: Mon,  9 Jul 2012 12:56:52 +0200 (CEST)
    From: root@ndpmon (root)

    Reason:  :new IP
    MAC:     :2:fd:0:0:1:2
    MAC2:    :n/a
    IPv6:    :fd75:7c74:2274:1::1
    DNS:     :n/a
  • new lla
    To: root@localhost
    Subject: NDPMon_Security_Alert: new lla 2:fd:0:0:2:1 fe80::fd:ff:fe00:201
    Date: Mon,  9 Jul 2012 12:57:01 +0200 (CEST)
    From: root@ndpmon (root)

    Reason:  :new lla
    MAC:     :2:fd:0:0:2:1
    MAC2:    :n/a
    IPv6:    :fe80::fd:ff:fe00:201
    DNS:     :n/a

As the vendor for the MAC prefix (OUI) 02:FD:00 is not known, an unknown mac vendor alert is raised as well:

  To: root@localhost
  Subject: NDPMon_Security_Alert: unknown mac vendor 2:fd:0:0:4:1 fd75:7c74:2274:1:fd:ff:fe00:401
  Date: Mon,  9 Jul 2012 12:56:51 +0200 (CEST)
  From: root@ndpmon (root)

  Reason:  :unknown mac vendor
  MAC:     :2:fd:0:0:4:1
  MAC2:    :n/a
  IPv6:    :fd75:7c74:2274:1:fd:ff:fe00:401
  DNS:     :n/a
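The four alert types shown on this page (new station, new IP, new lla, unknown mac vendor) all follow from one rule: a neighbor cache keyed by MAC address, where a MAC never seen before is a new station, a further address for a known MAC is a new IP or a new lla depending on whether it is link-local, and a first sighting whose OUI is not in the vendor table also raises unknown mac vendor. The following Python model is an added illustration written for this page, not NDPMon's own code or its real neighbor-cache logic: the OUI table is a constructed stand-in for the IEEE list, the observation sequence is constructed from the alive6 output and MACs above, and the mail-body rendering only mimics the field layout of the alerts shown.

```python
"""Toy neighbor-cache monitor reproducing the NDPMon alert kinds shown above.

Added example, not NDPMon code. Addresses and MACs below are taken from the
page; the OUI table and the order of observations are constructed.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed vendor table (OUI -> vendor). A real monitor loads the IEEE list;
# 02:fd:00, the prefix used on this page, is deliberately absent.
KNOWN_OUI = {"00:50:56": "VMware", "00:1b:21": "Intel"}


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so '2:fd:0:0:4:1' becomes '02:fd:00:00:04:01'."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


@dataclass
class Alert:
    reason: str
    mac: str
    ipv6: str


@dataclass
class NeighborCache:
    # mac -> set of IPv6 addresses seen for that station
    stations: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _raise(self, reason: str, mac: str, ip: str) -> None:
        self.alerts.append(Alert(reason, mac, ip))

    def observe(self, mac: str, addr: str) -> list:
        """Record one (MAC, IPv6) sighting; return the alerts it produced."""
        mac = normalize_mac(mac)
        ip = ipaddress.IPv6Address(addr)
        before = len(self.alerts)
        known = self.stations.get(mac)
        if known is None:
            # First time this MAC appears on the segment.
            self._raise("new station", mac, str(ip))
            if mac[:8] not in KNOWN_OUI:
                self._raise("unknown mac vendor", mac, str(ip))
            self.stations[mac] = {ip}
        elif ip not in known:
            # Known station, new address: distinguish link-local from global.
            reason = "new lla" if ip.is_link_local else "new IP"
            self._raise(reason, mac, str(ip))
            known.add(ip)
        # A repeated sighting is silent.
        return self.alerts[before:]


def format_alert(alert: Alert) -> str:
    """Render an alert in the field layout of the mails shown on the page."""
    return "\n".join([
        f"Subject: NDPMon_Security_Alert: {alert.reason} {alert.mac} {alert.ipv6}",
        "",
        f"Reason:  :{alert.reason}",
        f"MAC:     :{alert.mac}",
        "MAC2:    :n/a",
        f"IPv6:    :{alert.ipv6}",
        "DNS:     :n/a",
    ])


# Constructed sighting order, chosen so that the page's three alert cases
# (new station, new IP, new lla) each occur once; the last entry uses a
# constructed VMware MAC to show a station whose vendor is known.
OBSERVATIONS = [
    ("2:fd:0:0:4:1", "fd75:7c74:2274:1:fd:ff:fe00:401"),
    ("2:fd:0:0:1:2", "fe80::fd:ff:fe00:102"),
    ("2:fd:0:0:1:2", "fd75:7c74:2274:1::1"),
    ("2:fd:0:0:2:1", "fd75:7c74:2274:1:fd:ff:fe00:201"),
    ("2:fd:0:0:2:1", "fe80::fd:ff:fe00:201"),
    ("2:fd:0:0:4:1", "fd75:7c74:2274:1:fd:ff:fe00:401"),  # repeat, silent
    ("00:50:56:aa:bb:cc", "fe80::250:56ff:feaa:bbcc"),
]


def run_demo() -> NeighborCache:
    """Feed the constructed sightings through a fresh cache."""
    cache = NeighborCache()
    for mac, addr in OBSERVATIONS:
        cache.observe(mac, addr)
    return cache


if __name__ == "__main__":
    for a in run_demo().alerts:
        print(format_alert(a), end="\n\n")
```

The decision on "new lla" versus "new IP" relies only on whether the address is in fe80::/10, which is what `IPv6Address.is_link_local` checks; the ULA prefix fd75:7c74:2274::/48 used on this page is treated like any other non-link-local address.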