xmap v2.0 releases: performing Internet-wide IPv6 & IPv4 network research scanning

XMap: The Internet Scanner

XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning.

XMap is reimplemented and improved thoroughly from ZMap and is fully compatible with ZMap, armed with the “5 minutes” probing speed and novel scanning techniques. XMap is capable of scanning the 32-bits address space in under 45 minutes. With a 10 GigE connection and PF_RING, XMap can scan the 32-bits address space in under 5 minutes. Moreover, leveraging the novel IPv6 scanning approach, XMap can discover the IPv6 Network Periphery fast. Furthermore, XMap can scan the network space randomly with any length and at any position, such as 2001:db8::/32-64 and 192.168.0.1/16-20. Besides, XMap can probe multiple ports simultaneously.

XMap operates on GNU/Linux, Mac OS, and BSD. XMap currently has implemented probe modules for ICMP Echo scans, TCP SYN scans, and UDP probes.

With banner grab and TLS handshake tool, ZGrab2, more involved scans could be performed.

Paper

Fast IPv6 Network Periphery Discovery and Security Implications.

Abstract. Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bits address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now.

To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery’s packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP’s and home routers with an amplification factor of >200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

Changelog v2.0

• New feature:
  • new module dnsx : enable DNS over IPv6
  • new module dnsa (IPv4&IPv6): enable changing source port & TXID when sending multiple queries towards the same target <IP, port>
  • new module dnsae (IPv4&IPv6): enable changing source port & TXID when sending multiple queries towards the same target <IP, port> with EDNS0=4096
  • new module dnsan (IPv4&IPv6): enable fixed source port & TXID when sending multiple queries towards the same target <IP, port>
  • new module dnsane (IPv4&IPv6): enable fixed source port & TXID when sending multiple queries towards the same target <IP, port> with EDNS0=4096
  • new module dnsane16 (IPv4&IPv6): enable fixed source port & TXID when sending multiple queries towards the same target <IP, port> with EDNS0=65535
  • new module dnsai (IPv4&IPv6): enable changing TXID when sending multiple queries towards the same target <IP, port>
  • new module dnsaie (IPv4&IPv6): enable changing TXID when sending multiple queries towards the same target <IP, port> with EDNS0=4096
  • new module dnsap (IPv4&IPv6): enable changing source port when sending multiple queries towards the same target <IP, port>
  • new module dnsape (IPv4&IPv6): enable changing source port when sending multiple queries towards the same target <IP, port> with EDNS0=4096
  • new module dnsaf (IPv4&IPv6): enable changing source port & TXID when sending multiple queries towards the same target <IP, port> with fake source IP
  • new module dnsafe (IPv4&IPv6): enable changing source port & TXID when sending multiple queries towards the same target <IP, port> with EDNS0=4096 & source IP

Install & Use

Copyright 2021 Xiang Li from Network and Information Security Lab Tsinghua University