-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ipv6 addresses that end in :: get truncated to only one : #796
Comments
This comment has been minimized.
This comment has been minimized.
We are scraping various inputs of ipv6 addresses and all of them seem to output addresses ending in :: I mean the classic loopback ipv6 address is 1:: |
This comment has been minimized.
This comment has been minimized.
Are CIDR blocks of that form handled correctly? For example, 2001:10::/28 By the way, I'm not opposed to fixing the behavior if it's incorrect. I would actually like to help with that, but I'm not completely certain that that style of address is valid (I'm not certain it's invalid either, I was hoping someone that works with ipv6 regularly enough would come along and tell one of us why we're wrong...) Another question, what do applications like ping/ping6, nmap, socat, etc. think about the example address (similar ones) I would be surprised if the implementation in masscan wasn't taken from a sound implementation. But I do find myself often surprised, I guess |
Can you give an example of the exact command you're using? So I can reproduce it and look into it? |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Hey! so I am using master, the problem is in the output once a valid address is found. if the found address ended with :: it outputs open tcp port 1: 1725889082 |
We aren't using cidrs to scan the ipv6 space because it's so large. We have a list of single addresses that have been scraped from various locations, like dns resolutions, and we minify them to help save a little on space. The current work around we have is just when we pull from the masscan output we just check if the ip address ends in : we append the missing one |
Ohhhh... well, I feel very silly then. I assumed the issue was in parsing the target list I think what you're seeing should be an easy fix since it should be a simple issue in one (or all) of the relatively trivial output modules. I'm happy to take a quick stab at a fix and ask A few things that you can help with: 1. Do you see that output on the command line output only, or do you see it with the output formats? Quickest way to check:
^-- exclude whatever -o option you normally use, only use -oB to capture to the compact/lossless binary format Then you can do:
Check each to see of the issue manifests Separately- it sounds like you may be doing this as part of an automated workflow- which is also my use case. If you're interested in tracking the status of the scan as it runs based on the console output, I submitted #564 (--ndjson-status) some years ago, which makes all the console stdout/stderr output line-buffered NDJSON. It beats the heck out of having regex to parse the status, if that's what you're currently doing. Aside from "FYI, it may be helpful to you", I'm also curious if the issue manifests there as well. That's something you would have to manually eyeball in a real scan (or I suppose you could 2>scan.stderr and grep) I would check these things myself but as I mentioned I don't have any ipv6 capable kernels running (meaning I can't even assign a dummy address to an interface, I would have to first reboot) and given that, I can't think of a really quick way to fake a SYN|ACK response that doesn't involve writing code that received and transmits via raw sockets Let me know what you see from those other output formats and then I'll have an easier time of finding the problematic code Thanks |
Hey! Yes I am sadly running this in an automated system where we are doing a form of regexing the output |
This comment has been minimized.
This comment has been minimized.
Now, let's see what other applications do - this isn't exactly an unusual operation (and there was reference up the call stack to borrowing code from another project) |
tcpdump It does seem that the implementation in tcpdump has a case explicitly for trailing zeros This should be relatively simple to fix |
@samJ-bitsight can you be more explicit with regard to how exactly you're invoking masscan, and when/where exactly you're seeing the problematic output?
Asking that third question because I added a full set of tests for the address formatting functions in #801 and included several of the addresses you provided as problematic, but they all passed. None of the inputs produced what you're seeing Perhaps I'm missing some one-off case where the address is not formatted by that common function, which would explain why the test cases didn't bring it to light. If you help me to understand exactly how/when/where you're seeing that output, I can try to see if it's somehow going around it |
Any time to take a look at my last question @samJ-bitsight? I admit that I began this issue convinced this was not a misbehavior at all, but now I'm pretty interested in figuring out what's going on; to that point, I added those test suites, though they didn't uncover any issues 😞 Thanks! |
add suite of ipv6 formatting tests, related to #796
If an address I input ends with :: (example 1:2::) masscan will output the ip as 1:2: which is invalid.
The text was updated successfully, but these errors were encountered: