Track Down IPv6 Client

rhornberger
Level 1

Hi All,

I think it's about time to buy an Implementing Cisco IPv6 book for me...  How in the world do I track down an IPv6 client in my network?  I didn't even realize that IPv6 was possible in my network without me turning on some IPv6 routing functionality, which I haven't done yet, unless it's on by default in a SUP720 within a 6509.  My MARS box keeps alerting me, however, to an IPv6 host that is up to something on the network and I have no idea how to track it down; the usual sh arp, etc. don't seem to provide any details, and I thought maybe the sh ipv6 neighbors command might show some link locals (no dice), BGP doesn't show any random connected IPv6 addresses, etc.:

evIdsAlert:  eventId="1286219265976162966"  severity="high"  vendor="Cisco" 
    originator: 
        hostId:  ********
        appName:  sensorApp 
        appInstanceId:  644 
    time:  Oct 5 2010 15:51:26 EDT (1286308286391787000)  offset="-240"  timeZone="UTC" 
    signature:  created="20050603"  type="vulnerability"  version="S433"  description="UPnP LOCATION Overflow"  id="4058" 
        subsigId:  2 
        sigDetails:  LOCATION \x3c100+ Chars> 
        marsCategory:  Penetrate/BufferOverflow/Misc 
    interfaceGroup:  vs0 
    vlan:  15 
    participants: 
        attacker: 
            addr:  0.0.0.0  locality="OUT" 
            port:  1900 
            ipv6Address:  fe80::f515:3a70:a0a2:a1fe  locality="OUT" 
        target: 
            addr:  0.0.0.0  locality="OUT" 
            port:  1900 
            ipv6Address:  ff02::c  locality="OUT" 
            os:  idSource="unknown"  relevance="unknown"  type="unknown" 
    riskRatingValue:  90  targetValueRating="medium" 
    threatRatingValue:  90 
    interface:  ge0_7 

I googled and searched these forums for the same question that I'm sure others have and didn't find any good results.  Is there any functionality I need to turn on to track these hosts down?  I'm not even running a box that has IPv6 support enabled so I couldn't do any traces or pings...  Oy vey!

3 Replies

Seth Bjorn
Level 1

Well, if you don't have IPv6 enabled on your switch you can still probably figure out what host that is because of the type of address it is. That address is a link-local IPv6 address, so it will only be on the same broadcast domain where that sensor is, unless it's an RSPAN port or such. Anyways, since it's a link-local address it most likely is using the last 64 bits of the address from its 48-bit MAC address.

This link can show you how to find out how to convert a 48bit mac address to a link local address: http://msdn.microsoft.com/en-us/library/ms737595(VS.85).aspx

Once you know what the MAC address is, it should be a fairly simple process of finding what switchport it came from.
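
Added example, not part of the original replies: a Python sketch of the modified EUI-64 conversion described above, run in both directions. It also reports when a link-local address carries no ff:fe marker, as is the case for the attacker address in the alert, so no MAC can be read out of it and the neighbor table is the way to resolve it. The function names and the 00:11:22:33:44:55 MAC are constructed for illustration.

```python
import ipaddress

def mac_from_link_local(addr):
    """Return the MAC embedded in a link-local address, or None if the
    interface ID is not modified EUI-64 (e.g. a randomized identifier)."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop a zone id such as %eth0
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not in fe80::/10")
    iid = ip.packed[8:]                              # low 64 bits = interface ID
    # Modified EUI-64 inserts ff:fe between the two halves of the MAC.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip on the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def link_local_from_mac(mac):
    """Forward direction: the EUI-64 link-local address a given MAC would produce."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def dotted(mac):
    """Format aa:bb:cc:dd:ee:ff as aabb.ccdd.eeff (Cisco IOS dotted notation)."""
    h = mac.replace(":", "")
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

if __name__ == "__main__":
    samples = [
        "fe80::f515:3a70:a0a2:a1fe",   # attacker address from the alert above
        "fe80::211:22ff:fe33:4455",    # constructed EUI-64 address
    ]
    for a in samples:
        mac = mac_from_link_local(a)
        if mac is None:
            print(f"{a}: no embedded MAC; resolve it from a neighbor table on that VLAN")
        else:
            print(f"{a}: MAC {mac} ({dotted(mac)})")
```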

Phillip Remaker
Cisco Employee

Well, the good news is that this device, whatever it is, should be on the same layer 2 network ("link") as the sensor.

Any modern MacOS or Windows Vista PC speaks IPv6 out of the box and at the link layer (but doesn't get a Global Address unless you set up an IPv6 router).

Running "Network Map" on a Windows 7 or Windows Vista machine may be illustrative.

Ping the address from a machine on that segment, and then

netsh interface ipv6 show neighbors

in a command window

I like this one...  I did track down the client using the other method, but, this is a nice feature also...  Nice mapping of the IPv6 to the IPv4 addressing.
