Comment by nottorp
3 days ago
> to exhaustively enumerate every single publicly accessible server on your entire network
Enterprise thinking. It's not the publicly accessible servers I worry about, it's the other boxes that shouldn't be publicly accessible...
That's what I meant. On v4, it's trivial to find every server that can be reached from the Internet, whether it was intentional or not. It's not so trivial on v6.
Note that V6 is easier to scan than some people assume. You don't have to scan all 2^128 addresses - you can look at provider address blocks in the registry, and make an assumption (or try it and see) what size block that provider assigns to each server, and then guess the server is ::1 or ::2 in each block. This isn't an exhaustive scan, but you'll find a lot of services this way anyway.
You can also e.g. monitor certificate transparency logs for hostnames. But the difference is that without NAT, knowing about one server on the network doesn't automatically give you the IP for every other accessible server on the same network. You have to actually try host IPs one by one instead of the router kindly filling that part in for you.
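An added example, not part of the thread: a defender-side audit of your own IPv6 inventory that flags hosts sitting on the low-numbered addresses (::1, ::2 and similar) that the comments above describe as easy to guess. The /64 block size, the 0xff threshold and the sample addresses (from the 2001:db8::/32 documentation prefix) are assumptions.

```python
import ipaddress
from collections import defaultdict

BLOCK_PREFIX = 64    # assumption: each server or segment is assigned a /64
LOW_HOST_MAX = 0xFF  # assumption: host parts up to ::ff count as guessable

# Constructed inventory of our own hosts (documentation prefix, not real).
INVENTORY = [
    "2001:db8:10:1::1",
    "2001:db8:10:1::2",
    "2001:db8:10:2:8c1f:64ff:fe3a:9b21",
    "2001:db8:10:3:5d2e:91a4:77c0:1f3b",
    "2001:db8:10:4::25",
]

def host_part(addr, prefix_len=BLOCK_PREFIX):
    """Return the bits of addr below the assigned block prefix as an int."""
    mask = (1 << (128 - prefix_len)) - 1
    return int(ipaddress.IPv6Address(addr)) & mask

def is_guessable(addr, prefix_len=BLOCK_PREFIX, low_max=LOW_HOST_MAX):
    """True if the host part is small enough to be found by trying
    ::1, ::2, ... inside a known block instead of scanning it all."""
    return host_part(addr, prefix_len) <= low_max

def audit(inventory, prefix_len=BLOCK_PREFIX, low_max=LOW_HOST_MAX):
    """Group guessable addresses by the block they live in."""
    findings = defaultdict(list)
    for addr in inventory:
        if is_guessable(addr, prefix_len, low_max):
            block = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
            findings[str(block)].append(addr)
    return dict(findings)

if __name__ == "__main__":
    for block, hosts in audit(INVENTORY).items():
        print(f"{block}: {', '.join(hosts)}")
```

Hosts it flags should be the ones you intend to be reachable; anything else on such an address needs a firewall rule rather than reliance on the size of the address space.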