local ipOps = require "ipOps"
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"
local stringaux = require "stringaux"
local table = require "table"
local target = require "target"
description = [[
This script runs in the pre-scanning phase to map IPv4 addresses onto IPv6
networks and add them to the scan queue.
The technique is more general than what is technically termed "IPv4-mapped IPv6
addresses." The lower 4 bytes of the IPv6 network address are replaced with the
4 bytes of IPv4 address. When the IPv6 network is ::ffff:0:0/96, then the
script generates IPv4-mapped IPv6 addresses. When the network is ::/96, then it
generates IPv4-compatible IPv6 addresses.
]]
---
-- @usage
-- nmap -6 --script targets-ipv6-map4to6 --script-args newtargets,targets-ipv6-map4to6.IPv4Hosts={192.168.1.0/24},targets-ipv6-subnet={2001:db8:c0ca::/64}
--
-- @output
-- Pre-scan script results:
-- | targets-ipv6-map4to6:
-- | node count: 256
-- | addresses:
-- |_ 2001:db8:c0ca:0:0:0:c0a8:100/120
--
-- @args targets-ipv6-map4to6.IPv4Hosts This must have at least one IPv4
-- Host for the script be able to work
-- (Ex. 192.168.1.1 or
-- { 192.168.1.1, 192.168.2.2 } ) or Subnet
-- Addresses ( 192.168.1.0/24 or
-- { 192.168.1.0/24, 192.168.2.0/24 } )
--
-- @args targets-ipv6-subnet Table/single IPv6 address with prefix
-- (Ex. 2001:db8:c0ca::/48 or
-- { 2001:db8:c0ca::/48, 2001:db8:FEA::/48 })
--
-- @xmloutput
-- 256
--
-- 2001:db8:c0ca:0:0:0:c0a8:100/120
--
--
-- Version 1.4
-- Update 01/12/2014 - V 1.4 Update for inclusion in Nmap by Daniel Miller
-- Update 05/05/2014 - V 1.3 Eliminate the Host phase.
-- Update 05/05/2014 - V 1.2 Minor corrections and standardization.
-- Update 18/10/2013 - V 1.1 Added SaveMemory option
-- Update 29/03/2013 - V 1.0 Functional script
-- Created 28/03/2013 - v0.1 Created by Raúl Fuentes
--
author = "Raúl Armando Fuentes Samaniego"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {
"discovery",
}
local function split_prefix (net)
local split = stringaux.strsplit("/", net)
return split[1], tonumber(split[2])
end
---
-- This function will add all the list of IPv4 host to IPv6
--
-- The most normal is returning X:X:X:X::Y.Y.Y.Y/128
-- The conversion is going to be totally IPv6 syntax (we are going to
-- concatenate strings).
-- @param IPv6_Network A IPv6 Address ( X:X:X:X::/YY )
-- @param IPv4SHosts A IPv4 String can be: X.X.X.X or X.X.X.X/YY
-- @param addr_table A table to hold the generated addresses.
-- @return Number Total successfully nodes added to the scan.
-- @return Error A warning if something happened. (Nil otherwise)
local From_4_to_6 = function (IPv6_Network, IPv4SHosts, addr_table)
--We check if the PRefix are OK, anything less than 96 is fine
local v6_base, IPv6_Prefix = split_prefix(IPv6_Network)
if IPv6_Prefix > 96 then
return 0, string.format("The IPv6 subnet %s can't support a direct Mapping 4 to 6.", IPv6_Network)
end
local sBin6, sError = ipOps.ip_to_bin(v6_base)
if sBin6 == nil then
return 0, sError
end
-- two options: String or Table, the bes thing to do: make string Table
local tTabla
if type(IPv4SHosts) == "table" then
tTabla = IPv4SHosts
else
tTabla = { IPv4SHosts }
end
stdnse.debug1("Total IPv4 objects to analyze: %d for IPv6 subnet %s",
#tTabla, IPv6_Network)
local iTotal = 0
for _, Host in ipairs(tTabla) do
stdnse.debug2("IPv4 Object: %s", Host)
local v4base, prefix = split_prefix(Host)
local sBin4
sBin4, sError = ipOps.ip_to_bin(v4base)
if sBin4 == nil then
return 0, sError
end
local IPAux
IPAux, sError = ipOps.bin_to_ip(sBin6:sub(1, 96) .. sBin4)
if prefix then
prefix = prefix + (128 - 32) -- adjust for different address lengths
IPAux = string.format("%s/%d", IPAux, prefix)
else
prefix = 128
end
stdnse.debug2("IPv6 address: %s", IPAux)
addr_table[#addr_table+1] = IPAux
if target.ALLOW_NEW_TARGETS then
local bool
bool, sError = target.add(IPAux)
if bool then
iTotal = iTotal + 2^(128 - prefix)
else
stdnse.debug1("Error adding node %s: %s", IPAux, sError)
end
else
iTotal = iTotal + 2^(128 - prefix)
end
end
return iTotal
end
local IPv4Sub = stdnse.get_script_args(SCRIPT_NAME .. ".IPv4Hosts")
local IPv6User = stdnse.get_script_args("targets-ipv6-subnet")
---
-- We populated the host discovery list.
local Prescanning = function ()
local errors = {}
local tSalida = {
Nodos = 0,
addrs = {},
}
local Grantotal = 0
stdnse.debug2("Beginning the work.")
if type(IPv6User) == "string" then
IPv6User = { IPv6User }
end
-- TODO: Gather IPv6 subnets from other sources.
-- This was implemented in the original version of the script, but stripped
-- for now until the other scripts are integrated.
-- http://seclists.org/nmap-dev/2013/q4/285
for _, IPv6_Subnet in ipairs(IPv6User) do
stdnse.debug1("Processing %s", IPv6_Subnet)
local IPv6Host, sError = From_4_to_6(IPv6_Subnet, IPv4Sub, tSalida.addrs)
if sError ~= nil then
stdnse.debug1( "ERROR: One IPv6 subnet wasn't translated")
errors[#errors+1] = sError
end
if IPv6Host then
-- We need to concatenate the new nodes
Grantotal = Grantotal + IPv6Host
end
end
tSalida.Nodos = Grantotal
if #errors > 0 then
tSalida.Error = table.concat(errors, "\n")
end
return true, tSalida
end
---
-- The script need to be working with IPv6
--
--(To bad can't do it with both at same time )
function prerule ()
if not (nmap.address_family() == "inet6") then
stdnse.verbose1("This script is IPv6 only.")
return false
end
-- Because Nmap current limitation of working ONE single IP family we must
-- be sure to have everything for work the Mapped IPv4 to IPv6
if IPv4Sub == nil then
stdnse.verbose1( "There are no IPv4 addresses to map!\z
You must provide it using the %s.IPv4Hosts script-arg.", SCRIPT_NAME)
return false
end
-- Now we need to have based IPv6 Prefix, the most important is the previous
-- known but we have a last-option too .
if IPv6User == nil then
stdnse.verbose1("There are no IPv6 subnets to scan!\z
You must provide it using the targets-ipv6-subnet script-arg.")
return false
end
return true
end
function action ()
--Vars for created the final report
local tOutput = stdnse.output_table()
local bExito = false
local tSalida
bExito, tSalida = Prescanning()
-- Now we adapt the exit to tOutput and add the hosts to the target!
tOutput.warning = tSalida.Error
if bExito then
--Final report of the Debug Lvl of Prescanning
stdnse.debug1("Successful Mapped IPv4 to IPv6 added to the scan: %d",
tSalida.Nodos)
tOutput["node count"] = tSalida.Nodos
tOutput["addresses"] = tSalida.addrs
if tSalida.Error then
stdnse.debug1("Warnings: %s", tSalida.Error)
end
else
stdnse.debug1("Was unable to add nodes to the scan list due this error: %s",
tSalida.Error)
end
return tOutput
end