maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1237 from HackTricks-wiki/update_Practical_Guide_to_IPv6_Attacks_in_a_Local_Network_20250804_124606

Browse Source 
Practical Guide to IPv6 Attacks in a Local Network
This commit is contained in:
SirBroccoli 2025-08-20 12:02:07 +02:00 committed by GitHub
commit 1610ada7a5
1 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md
View File

@ -241,6 +241,35 @@ sudo ip6tables -A FORWARD -i eth0 -j ACCEPT
sudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
#### Router Advertisement Flags (M/O) & Default Router Preference (Prf)
| Flag | Meaning | Effect on Client Behaviour |
|------|---------|----------------------------|
| **M (Managed Address Configuration)** | When set to `1` the host MUST use **DHCPv6** to obtain its IPv6 address. | Whole addressing comes from DHCPv6 perfect for *mitm6* style poisoning. |
| **O (Other Configuration)** | When set to `1` the host should use **DHCPv6** only to obtain *other* information (DNS, NTP, …). | Address still via SLAAC, but DNS can be hijacked with DHCPv6. |
| **M=0 / O=0** | Pure SLAAC network. | Only RA / RDNSS tricks are possible DHCPv6 wont be sent by clients. |
| **M=1 / O=1** | Mixed environment. | Both DHCPv6 and SLAAC are used; the surface for spoofing is the largest. |
During a pentest you can simply inspect the legitimate RA once and decide which vector is feasible:
```bash
sudo tcpdump -vvv -i eth0 'icmp6 && ip6[40] == 134' # capture Router Advertisements
```
Look for the `flags [M,O]` field in the dump no guessing required.
The **Prf** (Router Preference) field inside the RA header controls how attractive your rogue router looks when *multiple* gateways are present:
| Prf value | Binary | Meaning |
|-----------|--------|---------|
| **High** | `10` | Clients prefer this router over any *Medium*/*Low* one |
| Medium (default) | `01` | Used by almost every legitimate device |
| Low | `00` | Chosen only when no better router exists |
When generating the packet with Scapy you can set it through the `prf` parameter as shown above (`prf=0x1` → High). Combining **High Prf**, a **short interval**, and a **non-zero lifetime** makes your rogue gateway remarkably stable.
---
### RDNSS (DNS) Spoofing via RA
[RFC 8106](https://datatracker.ietf.org/doc/html/rfc8106) allows adding a **Recursive DNS Server (RDNSS)** option inside a RA. Modern OSes (Win 10 ≥1709, Win 11, macOS Big Sur, Linux systemd-resolved, …) automatically trust it:
@ -296,6 +325,7 @@ sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning
- [RFC 8106 IPv6 ND DNS Configuration](https://datatracker.ietf.org/doc/html/rfc8106)
- [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
- [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
- [Practical Guide to IPv6 Attacks in a Local Network](https://habr.com/ru/articles/930526/)
{{#include ../../banners/hacktricks-training.md}}