Hostname Correlation Based IPv6 Address Fast Scanning Technology of Windows Nodes

Abstract

Rapid and accurate scanning of alive addresses within the IPv6 intranet is the basis and premise of IPv6 network asset management and security maintenance. Although existing IPv6 address scanning technologies are able to detect some IPv6 global unicast addresses and link-local addresses of Windows nodes, there are still some deficiencies, such as the incomplete scanning results of Windows nodes and the low hit rates. Aims at solving the above deficiencies, this paper explores a new idea to improve the IPv6 address scanning effectiveness based on the correlation of IPv4/IPv6 dual-stack nodes for the first time. A hostname correlation-based IPv6 address fast scanning technology of Windows nodes is proposed, which firstly obtains IPv4 alive addresses via the ARP scanning, then uses NBNS protocol to obtain hostnames of these IPv4 hosts, and finally queries their IPv6 addresses corresponding to these hostnames through the mDNS protocol. A typical IPv6 intranet environment composed of 4 different OS-version Windows nodes (including Windows 11 and Windows Server 2019) is built for testing. Compared with the 4 Nmap scripts of IPv6 intranet address scanning, the LinkScan6, which is implemented by using this proposed technology, can detect at least 6 more IPv6 addresses than Nmap scripts, and increase at least 2 more IPv6 address types on a single node than Nmap scripts. Moreover, the number of Windows versions obtained by the LinkScan6 is 4 more than 3 out of 4 Nmap scripts.