Add: Host discovery for large IPv6 networks (#2163)

jjnicola · web-flow · commit 0eec9371baef · 2026-03-23T10:44:38.000-03:00
* Add: handle large ipv6 networks

With this patch, the host discovery for large ipv6 networks is introduced together with a new alive test method (int 32).
Instead of creating a host list from an IPv6 network address and mask (e.g. 5858::0/64), which would take years to scan and it woudl consume all the RAM, it just call a new function in gvm-libs to perform an ICMPv6 to a multicast IPv6 address (ff02::1).
Later, the found host are set as target and they will be handle as before. To avoid a double alive test, they are just considered alive.

For now, it only supports only one IPv6 network address. This means it can not be combined with other networks or unicast addresses.

Also, it is required that the local network has ICMPv6 enabled, otherwise the discovery won't work.

* add the new alive method

* remove checks for alive methods

* Add: host discovery for large ipv6 networks for scannerctl rust implementation

To test this, try with the following command

sudo target/debug/scannerctl alivetest --hostdiscovery -t 5858:0:0:0:0:0:1:0/124 -v

Ensure you added the IP and network to your local host and ensure there are other alive hosts in the same network. You can try with subnets as well
diff --git a/rust/Cargo.lock b/rust/Cargo.lock
diff --git a/rust/Cargo.toml b/rust/Cargo.toml
@@ -134,6 +134,7 @@ tar = "0"
 bzip2 = "0"
 zstd = "0"
 rustls-pki-types = { version = "1.14.0", features = ["std"] }
+cidr = "0.3.2"
 
 [workspace]
 members = ["crates/smoketest", "crates/nasl-function-proc-macro"]
diff --git a/rust/crates/greenbone-scanner-framework/src/models/target.rs b/rust/crates/greenbone-scanner-framework/src/models/target.rs
@@ -46,6 +46,7 @@ pub enum AliveTestMethods {
     Arp = 0x04,
     ConsiderAlive = 0x08,
     TcpSyn = 0x10,
+    HostDiscoveryIpv6 = 0x20,
 }
 
 #[derive(Debug, thiserror::Error)]
@@ -62,6 +63,7 @@ impl AsRef<str> for AliveTestMethods {
             AliveTestMethods::Arp => "arp",
             AliveTestMethods::ConsiderAlive => "consider_alive",
             AliveTestMethods::TcpSyn => "tcp_syn",
+            AliveTestMethods::HostDiscoveryIpv6 => "host_discovery_ipv6",
         }
     }
 }
@@ -76,6 +78,7 @@ impl TryFrom<u8> for AliveTestMethods {
             0x04 => Ok(AliveTestMethods::Arp),
             0x08 => Ok(AliveTestMethods::ConsiderAlive),
             0x10 => Ok(AliveTestMethods::TcpSyn),
+            0x20 => Ok(AliveTestMethods::HostDiscoveryIpv6),
             _ => Err(AliveTestMethodsError::InvalidValue(value)),
         }
     }
@@ -88,6 +91,7 @@ impl From<&str> for AliveTestMethods {
             "tcp_syn" => AliveTestMethods::TcpSyn,
             "icmp" => AliveTestMethods::Icmp,
             "arp" => AliveTestMethods::Arp,
+            "host_discovery_ipv6" => AliveTestMethods::HostDiscoveryIpv6,
             _ => AliveTestMethods::ConsiderAlive,
         }
     }
@@ -101,6 +105,7 @@ impl Display for AliveTestMethods {
             AliveTestMethods::Arp => write!(f, "arp"),
             AliveTestMethods::ConsiderAlive => write!(f, "consider_alive"),
             AliveTestMethods::TcpSyn => write!(f, "tcp_ping"),
+            AliveTestMethods::HostDiscoveryIpv6 => write!(f, "host_discovery_ipv6"),
         }
     }
 }
diff --git a/rust/migrations/20260313093612_remove_alive_methods-checks.sql b/rust/migrations/20260313093612_remove_alive_methods-checks.sql
@@ -0,0 +1,8 @@
+DROP TABLE alive_methods;
+ 
+CREATE TABLE alive_methods (
+    id INTEGER,
+    method TEXT DEFAULT 'icmp',
+    PRIMARY KEY (id, method),
+    FOREIGN KEY (id) REFERENCES client_scan_map(id) ON DELETE CASCADE
+);
diff --git a/rust/src/alive_test/alive_test.rs b/rust/src/alive_test/alive_test.rs
@@ -4,7 +4,9 @@
 
 use crate::alive_test::AliveTestError;
 use crate::alive_test::arp::forge_arp_request;
-use crate::alive_test::icmp::{forge_icmp_v4, forge_icmp_v6, forge_neighbor_solicit};
+use crate::alive_test::icmp::{
+    forge_icmp_v4, forge_icmp_v6, forge_icmp_v6_for_host_discovery, forge_neighbor_solicit,
+};
 use crate::nasl::raw_ip_utils::{
     raw_ip_utils::{FIX_IPV6_HEADER_LENGTH, send_v4_packet, send_v6_packet},
     tcp_ping::{FILTER_PORT, forge_tcp_ping_ipv4, forge_tcp_ping_ipv6},
@@ -20,12 +22,14 @@ use pnet::packet::ip::IpNextHeaderProtocols;
 use pnet::packet::ipv6::Ipv6Packet;
 use pnet::packet::tcp::TcpPacket;
 use std::collections::HashSet;
+use std::str::FromStr;
 use std::time::Duration;
 use tokio::sync::mpsc::{self, Receiver, Sender};
 use tokio::time::sleep;
 
 use std::net::IpAddr;
 
+use cidr::Ipv6Cidr;
 use pcap::{Active, Capture, Inactive, PacketCodec, PacketStream};
 use pnet::packet::{
     icmp::{IcmpTypes, *},
@@ -45,7 +49,7 @@ const BITS_PER_BYTE: usize = 8;
 
 struct AliveTestCtlStop;
 
-#[derive(Clone)]
+#[derive(Debug, Clone)]
 struct AliveHostInfo {
     ip: String,
     detectihttp_method: AliveTestMethods,
@@ -142,13 +146,13 @@ fn process_ipv6_packet(packet: &[u8]) -> Result<Option<AliveHostInfo>, AliveTest
             .ok_or_else(|| {
                 AliveTestError::CreateIcmpPacketFromWrongBufferSize(packet[..].len() as i64)
             })?;
-
         let make_alive_host_ctl = |pkt: Ipv6Packet<'_>, method| {
             Ok(Some(AliveHostInfo {
                 ip: pkt.get_source().to_string(),
                 detectihttp_method: method,
             }))
         };
+
         match icmp_pkt.get_icmpv6_type() {
             Icmpv6Types::EchoReply => return make_alive_host_ctl(pkt, AliveTestMethods::Icmp),
             Icmpv6Types::NeighborAdvert => return make_alive_host_ctl(pkt, AliveTestMethods::Arp),
@@ -217,7 +221,7 @@ async fn capture_task(
         tokio::select! {
             packet = stream.next() => { // packet is Option<Result<Box>>
                 if let Some(Ok(data)) = packet && let Ok(Some(alive_host)) = process_packet(&data) {
-                        tx_msg.send(alive_host).await.unwrap()
+                    tx_msg.send(alive_host).await.unwrap()
                 }
             },
             ctl = rx_ctl.recv() => {
@@ -231,13 +235,51 @@ async fn capture_task(
     Ok(())
 }
 
+fn get_host_discovery_ipv6_net(
+    methods: &[AliveTestMethods],
+    target: &HashSet<String>,
+) -> Option<Result<Ipv6Cidr, AliveTestError>> {
+    if methods.contains(&AliveTestMethods::HostDiscoveryIpv6) {
+        if let Some(t) = target.iter().next()
+            && target.len() == 1
+        {
+            return Some(
+                Ipv6Cidr::from_str(t)
+                    .map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string())),
+            );
+        } else {
+            tracing::warn!("Only one IPv6 network address is allowed for host discovery");
+            return Some(Err(AliveTestError::InvalidDestinationAddr(
+                target.iter().next().unwrap().to_string(),
+            )));
+        }
+    }
+    None
+}
+
 async fn send_task(
     methods: Vec<AliveTestMethods>,
     target: HashSet<String>,
     timeout: u64,
     tx_ctl: Sender<AliveTestCtlStop>,
 ) -> Result<(), AliveTestError> {
     let mut count = 0;
+    match get_host_discovery_ipv6_net(&methods, &target) {
+        Some(Ok(dst)) => {
+            let icmp = forge_icmp_v6_for_host_discovery(dst)?;
+            send_v6_packet(icmp)?;
+            tracing::info!("Started host discovery against {}", dst);
+            sleep(Duration::from_millis(timeout)).await;
+            // Send only returns error if the receiver is closed, which only happens when it panics.
+            tx_ctl.send(AliveTestCtlStop).await.unwrap();
+            return Ok(());
+        }
+        Some(Err(e)) => {
+            tx_ctl.send(AliveTestCtlStop).await.unwrap();
+            return Err(e);
+        }
+        None => {}
+    };
 
     let target: HashSet<IpAddr> = target
         .into_iter()
@@ -358,13 +400,18 @@ impl Scanner {
         let capture_handle = tokio::spawn(capture_task(capture_inactive, rx_ctl, tx_msg));
 
         let timeout = self.timeout.unwrap_or((DEFAULT_TIMEOUT * 1000) as u64);
-        let methods = self.methods.clone();
-        let send_handle = tokio::spawn(send_task(methods, trgt, timeout, tx_ctl));
+        let methods_c = self.methods.clone();
+        let send_handle = tokio::spawn(send_task(methods_c, trgt, timeout, tx_ctl));
 
         while let Some(alivehost) = rx_msg.recv().await {
             if self.target.contains(&alivehost.ip) && !alive.contains(&alivehost.ip) {
                 alive.insert(alivehost.ip.clone());
                 println!("{} via {:?}", &alivehost.ip, &alivehost.detectihttp_method);
+            } else if let Some(Ok(dst)) = get_host_discovery_ipv6_net(&self.methods, &self.target)
+                && dst.contains(&alivehost.ip.parse::<std::net::Ipv6Addr>().unwrap())
+            {
+                alive.insert(alivehost.ip.clone());
+                println!("{} via {:?}", &alivehost.ip, &alivehost.detectihttp_method);
             }
         }
 
diff --git a/rust/src/alive_test/icmp.rs b/rust/src/alive_test/icmp.rs
@@ -12,6 +12,7 @@ use crate::nasl::raw_ip_utils::raw_ip_utils::{
     DEFAULT_TTL, FIX_IPV6_HEADER_LENGTH, HEADER_LENGTH, IP_LENGTH, IP_PPRTO_VERSION_IPV4,
     IPPROTO_IPV6,
 };
+use cidr::Ipv6Cidr;
 use pnet::packet::icmpv6::Icmpv6Code;
 use pnet::packet::icmpv6::Icmpv6Type;
 use pnet::packet::icmpv6::ndp::MutableNeighborSolicitPacket;
@@ -84,6 +85,7 @@ fn forge_icmp_v6_packet() -> Vec<u8> {
 
 fn forge_ipv6_packet_for_icmp(
     icmp_buf: &mut [u8],
+    src: Ipv6Addr,
     dst: Ipv6Addr,
 ) -> Result<Ipv6Packet<'static>, AliveTestError> {
     let icmp_buf_len = icmp_buf.len();
@@ -94,10 +96,9 @@ fn forge_ipv6_packet_for_icmp(
 
     pkt.set_next_header(IpNextHeaderProtocols::Icmpv6);
     pkt.set_hop_limit(DEFAULT_TTL);
-    pkt.set_source(
-        get_source_ipv6(dst).map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?,
-    );
+
     pkt.set_destination(dst);
+    pkt.set_source(src);
     pkt.set_version(IPPROTO_IPV6);
     let icmp_buf_len = icmp_buf.len() as i64;
     let mut icmp_pkt = packet::icmpv6::MutableIcmpv6Packet::new(icmp_buf).ok_or(
@@ -118,6 +119,25 @@ fn forge_ipv6_packet_for_icmp(
     Ok(Ipv6Packet::owned(ip_buf).unwrap())
 }
 
+pub fn forge_icmp_v6_for_host_discovery(
+    dst: Ipv6Cidr,
+) -> Result<Ipv6Packet<'static>, AliveTestError> {
+    let mut icmp_buf = forge_icmp_v6_packet();
+    let dst = dst.first().next().unwrap().address(); // first is the network address. We need the host.
+    let src =
+        get_source_ipv6(dst).map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?;
+    let dst = "ff02::1".parse::<Ipv6Addr>().unwrap();
+    forge_ipv6_packet_for_icmp(&mut icmp_buf, src, dst)
+}
+
+pub fn forge_icmp_v6(dst: Ipv6Addr) -> Result<Ipv6Packet<'static>, AliveTestError> {
+    let mut icmp_buf = forge_icmp_v6_packet();
+    let src =
+        get_source_ipv6(dst).map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?;
+
+    forge_ipv6_packet_for_icmp(&mut icmp_buf, src, dst)
+}
+
 pub fn forge_neighbor_solicit(dst_ip: Ipv6Addr) -> Result<Ipv6Packet<'static>, AliveTestError> {
     let mut icmp_buf = vec![0; MutableNeighborSolicitPacket::minimum_packet_size()];
     let mut icmp_pkt = MutableNeighborSolicitPacket::new(&mut icmp_buf).unwrap();
@@ -127,10 +147,7 @@ pub fn forge_neighbor_solicit(dst_ip: Ipv6Addr) -> Result<Ipv6Packet<'static>, A
     icmp_pkt.set_icmpv6_code(Icmpv6Code::new(0u8));
     icmp_pkt.set_target_addr(dst_ip);
 
-    forge_ipv6_packet_for_icmp(&mut icmp_pkt.packet().to_vec(), dst_ip)
-}
-
-pub fn forge_icmp_v6(dst: Ipv6Addr) -> Result<Ipv6Packet<'static>, AliveTestError> {
-    let mut icmp_buf = forge_icmp_v6_packet();
-    forge_ipv6_packet_for_icmp(&mut icmp_buf, dst)
+    let src = get_source_ipv6(dst_ip)
+        .map_err(|e| AliveTestError::InvalidDestinationAddr(e.to_string()))?;
+    forge_ipv6_packet_for_icmp(&mut icmp_pkt.packet().to_vec(), src, dst_ip)
 }
diff --git a/rust/src/openvas/pref_handler.rs b/rust/src/openvas/pref_handler.rs
@@ -140,7 +140,6 @@ where
 
     async fn prepare_plugins_for_openvas(&mut self) -> RedisStorageResult<()> {
         let nvts = &self.scan_config.vts;
-
         if nvts.is_empty() {
             return Ok(());
         }
@@ -270,7 +269,7 @@ where
             alive_test |= m as u8;
         }
 
-        if (1..=31).contains(&alive_test) {
+        if (1..=32).contains(&alive_test) {
             self.redis_connector.push_kb_item(
                 format!("internal/{}/scanprefs", self.scan_config.scan_id.clone()).as_str(),
                 format!("{BOREAS_ALIVE_TEST}|||{alive_test}"),
diff --git a/rust/src/scannerctl/alivetest/mod.rs b/rust/src/scannerctl/alivetest/mod.rs
@@ -38,6 +38,9 @@ pub struct AliveTestArgs {
     /// ARP ping. Supports both IPv4 and IPv6.
     #[clap(long, action=ArgAction::SetTrue)]
     arp: bool,
+    /// Host discovery for large IPv6 network. Only one address network at time is possible and not to be combined with other alive methods.
+    #[clap(long, action=ArgAction::SetTrue)]
+    hostdiscovery: bool,
 }
 
 pub async fn run(args: AliveTestArgs) -> Result<(), CliError> {
@@ -62,6 +65,11 @@ pub async fn run(args: AliveTestArgs) -> Result<(), CliError> {
         methods.push(AliveTestMethods::Arp);
     }
 
+    if args.hostdiscovery {
+        methods.clear();
+        methods.push(AliveTestMethods::HostDiscoveryIpv6);
+    }
+
     if args.icmp || methods.is_empty() {
         methods.push(AliveTestMethods::Icmp);
     }
diff --git a/rust/src/scannerctl/osp/start_scan.rs b/rust/src/scannerctl/osp/start_scan.rs
@@ -217,6 +217,7 @@ impl Serialize for Target {
                     models::AliveTestMethods::Arp => ("arp", "1"),
                     models::AliveTestMethods::ConsiderAlive => ("consider_alive", "1"),
                     models::AliveTestMethods::TcpSyn => ("tcp_sync", "1"),
+                    models::AliveTestMethods::HostDiscoveryIpv6 => ("host_discovery_ipv6", "1"),
                 })
                 .collect();
             if !fields.is_empty() {
diff --git a/src/attack.c b/src/attack.c
@@ -40,6 +40,7 @@
 #include <gvm/base/prefs.h>            /* for prefs_get() */
 #include <gvm/boreas/alivedetection.h> /* for start_alive_detection() */
 #include <gvm/boreas/boreas_io.h>      /* for get_host_from_queue() */
+#include <gvm/boreas/cli.h>            /* for ipv6 host discovery */
 #include <gvm/util/mqtt.h>
 #include <gvm/util/nvticache.h> /* for nvticache_t */
 #include <pthread.h>
@@ -1197,7 +1198,26 @@ attack_network (struct scan_globals *globals)
       return error;
     }
   /* Init and check Target List */
-  hostlist = prefs_get ("TARGET");
+#ifdef FEATURE_HOST_DISCOVERY_IPV6
+  alive_test_t alive_test;
+  const char *target_aux = prefs_get ("TARGET");
+  char *host_found = "";
+
+  get_alive_test_methods (&alive_test);
+  if (alive_test == 32)
+    {
+      int print_results = 0;
+      run_cli_for_ipv6_network (target_aux, &host_found, print_results);
+      hostlist = host_found;
+      // Consider alive the found hosts, to avoid double check later
+      prefs_set("ALIVE_TEST", "8");
+    }
+  else
+#endif /* FEATURE_HOST_DISCOVERY_IPV6 */
+    {
+      hostlist = prefs_get ("TARGET");
+    }
+
   if (hostlist == NULL)
     {
       error = -1;

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ pub enum AliveTestMethods {`
`46`	`46`	`Arp = 0x04,`
`47`	`47`	`ConsiderAlive = 0x08,`
`48`	`48`	`TcpSyn = 0x10,`
	`49`	`+ HostDiscoveryIpv6 = 0x20,`
`49`	`50`	`}`
`50`	`51`
`51`	`52`	`#[derive(Debug, thiserror::Error)]`
`@@ -62,6 +63,7 @@ impl AsRef<str> for AliveTestMethods {`
`62`	`63`	`AliveTestMethods::Arp => "arp",`
`63`	`64`	`AliveTestMethods::ConsiderAlive => "consider_alive",`
`64`	`65`	`AliveTestMethods::TcpSyn => "tcp_syn",`
	`66`	`+ AliveTestMethods::HostDiscoveryIpv6 => "host_discovery_ipv6",`
`65`	`67`	`}`
`66`	`68`	`}`
`67`	`69`	`}`
`@@ -76,6 +78,7 @@ impl TryFrom<u8> for AliveTestMethods {`
`76`	`78`	`0x04 => Ok(AliveTestMethods::Arp),`
`77`	`79`	`0x08 => Ok(AliveTestMethods::ConsiderAlive),`
`78`	`80`	`0x10 => Ok(AliveTestMethods::TcpSyn),`
	`81`	`+ 0x20 => Ok(AliveTestMethods::HostDiscoveryIpv6),`
`79`	`82`	`_ => Err(AliveTestMethodsError::InvalidValue(value)),`
`80`	`83`	`}`
`81`	`84`	`}`
`@@ -88,6 +91,7 @@ impl From<&str> for AliveTestMethods {`
`88`	`91`	`"tcp_syn" => AliveTestMethods::TcpSyn,`
`89`	`92`	`"icmp" => AliveTestMethods::Icmp,`
`90`	`93`	`"arp" => AliveTestMethods::Arp,`
	`94`	`+ "host_discovery_ipv6" => AliveTestMethods::HostDiscoveryIpv6,`
`91`	`95`	`_ => AliveTestMethods::ConsiderAlive,`
`92`	`96`	`}`
`93`	`97`	`}`
`@@ -101,6 +105,7 @@ impl Display for AliveTestMethods {`
`101`	`105`	`AliveTestMethods::Arp => write!(f, "arp"),`
`102`	`106`	`AliveTestMethods::ConsiderAlive => write!(f, "consider_alive"),`
`103`	`107`	`AliveTestMethods::TcpSyn => write!(f, "tcp_ping"),`
	`108`	`+ AliveTestMethods::HostDiscoveryIpv6 => write!(f, "host_discovery_ipv6"),`
`104`	`109`	`}`
`105`	`110`	`}`
`106`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,6 @@ where`
`140`	`140`
`141`	`141`	`async fn prepare_plugins_for_openvas(&mut self) -> RedisStorageResult<()> {`
`142`	`142`	`let nvts = &self.scan_config.vts;`
`143`		`-`
`144`	`143`	`if nvts.is_empty() {`
`145`	`144`	`return Ok(());`
`146`	`145`	`}`
`@@ -270,7 +269,7 @@ where`
`270`	`269`	`alive_test \|= m as u8;`
`271`	`270`	`}`
`272`	`271`
`273`		`- if (1..=31).contains(&alive_test) {`
	`272`	`+ if (1..=32).contains(&alive_test) {`
`274`	`273`	`self.redis_connector.push_kb_item(`
`275`	`274`	`format!("internal/{}/scanprefs", self.scan_config.scan_id.clone()).as_str(),`
`276`	`275`	`format!("{BOREAS_ALIVE_TEST}\|\|\|{alive_test}"),`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,9 @@ pub struct AliveTestArgs {`
`38`	`38`	`/// ARP ping. Supports both IPv4 and IPv6.`
`39`	`39`	`#[clap(long, action=ArgAction::SetTrue)]`
`40`	`40`	`arp: bool,`
	`41`	`+ /// Host discovery for large IPv6 network. Only one address network at time is possible and not to be combined with other alive methods.`
	`42`	`+ #[clap(long, action=ArgAction::SetTrue)]`
	`43`	`+ hostdiscovery: bool,`
`41`	`44`	`}`
`42`	`45`
`43`	`46`	`pub async fn run(args: AliveTestArgs) -> Result<(), CliError> {`
`@@ -62,6 +65,11 @@ pub async fn run(args: AliveTestArgs) -> Result<(), CliError> {`
`62`	`65`	`methods.push(AliveTestMethods::Arp);`
`63`	`66`	`}`
`64`	`67`
	`68`	`+ if args.hostdiscovery {`
	`69`	`+ methods.clear();`
	`70`	`+ methods.push(AliveTestMethods::HostDiscoveryIpv6);`
	`71`	`+ }`
	`72`	`+`
`65`	`73`	`if args.icmp \|\| methods.is_empty() {`
`66`	`74`	`methods.push(AliveTestMethods::Icmp);`
`67`	`75`	`}`