mirror of https://github.com/HackTricks-wiki/hacktricks.git (synced 2025-10-10 18:36:50 +00:00)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

# IPv6 Basic theory

## Networks

An IPv6 address is 128 bits long. In the usual allocation given to an organisation (a /48) it is divided into:

1. **Network Prefix**: The initial 48 bits (the global routing prefix), identifying the site.
2. **Subnet ID**: The following 16 bits, used to define up to 65,536 subnets within that site.
3. **Interface Identifier**: The final 64 bits, identifying one interface within the subnet. Almost every IPv6 subnet is therefore a /64.

IPv6 has no ARP. Address resolution is done by the **Neighbor Discovery Protocol (NDP)**, which runs over **ICMPv6** and uses two primary messages:
- **Neighbor Solicitation (NS)**: Sent to the target's solicited-node multicast address to ask which MAC owns a given IPv6 address (the equivalent of an ARP request).
- **Neighbor Advertisement (NA)**: Sent unicast in reply to an NS, or multicast to all nodes as an unsolicited announcement (for example after a link-layer address changes). Like ARP replies, NAs are not authenticated, which is what makes neighbor spoofing possible.

IPv6 also incorporates special address types:
- **Loopback Address (`::1`)**: Equivalent to IPv4's `127.0.0.1`, for communication within the host.
- **Link-Local Addresses (`FE80::/10`)**: Every IPv6 interface configures one automatically, even without a router or DHCPv6. They are never routed off the link, so devices on the same segment can always discover and reach each other through this range.

### Practical Usage of IPv6 in Network Commands

To interact with IPv6 networks, you can use various commands:
- **Ping Link-Local Addresses**: Check the presence of local devices using `ping6` (on recent iputils, `ping -6`). A link-local destination is ambiguous without an interface, so always pass `-I <iface>` or append `%<iface>` to the address.
- **Neighbor Discovery**: Use `ip -6 neigh` to view the neighbor cache (the IPv6 equivalent of the ARP table), which fills up with every host that answered.
- **alive6**: A tool from the THC-IPv6 suite that discovers live hosts on the same link using several ICMPv6 probe types.

Below are some command examples:

```bash
# Ping the all-nodes multicast group so every host on the link answers and lands in the neighbor cache
ping6 -I eth0 -c 5 ff02::1 > /dev/null 2>&1
# List the link-local neighbors that replied (address, interface and MAC)
ip -6 neigh | grep ^fe80

# Alternatively, use alive6 for neighbor discovery
alive6 eth0
```

IPv6 addresses can be derived from a device's MAC address for local communication. Below is a simplified guide on how to derive the link-local IPv6 address from a known MAC address, followed by an overview of IPv6 address types and of methods to discover IPv6 addresses within a network.

## **Deriving Link-local IPv6 from MAC Address**

Stateless address autoconfiguration (SLAAC) can build the 64-bit interface identifier from the 48-bit MAC with the modified EUI-64 rule. Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the link-local IPv6 address as follows:

1. Split the MAC into its two 24-bit halves: **`12:34:56`** and **`78:9a:bc`**.
2. Insert `ff:fe` between the halves to form the 64-bit identifier and prepend `fe80::`: **`fe80::1234:56ff:fe78:9abc`**
3. Invert the seventh bit from the left of the first byte (the universal/local bit, `0x02`): `0x12` becomes `0x10`, so `1234` becomes `1034`: **`fe80::1034:56ff:fe78:9abc`**

The same trick works in reverse: an interface identifier with `ff:fe` in the middle usually reveals the MAC (flip the bit back and drop the `fffe`). Do not rely on it blindly, though: Windows has used random identifiers by default since Vista, and NetworkManager on Linux and macOS commonly generate stable-privacy (RFC 7217) identifiers plus temporary addresses (RFC 8981), so the EUI-64 form is mostly seen on embedded devices, network gear and older systems.

## **IPv6 Address Types**

- **Unique Local Address (ULA)**: For local communications, not routed on the public internet (the IPv6 counterpart of RFC 1918 space). Prefix: **`FC00::/7`**; in practice `fd00::/8`, with the next 40 bits chosen randomly by the site.
- **Multicast Address**: For one-to-many communication. Delivered to all interfaces that joined the group. Prefix: **`FF00::/8`**; the fourth hex digit is the scope (`ff02::` is link-local, `ff05::` site-local). IPv6 has no broadcast at all: "everyone on the link" is the multicast group `ff02::1`.
- **Anycast Address**: For one-to-nearest communication. The same address is configured on several interfaces and the routing protocol delivers to the closest one. Anycast addresses are taken from the unicast space (normally **`2000::/3`**) and cannot be told apart from unicast by syntax alone.

## **Address Prefixes**
- **fe80::/10**: Link-Local addresses (similar to 169.254.x.x)
- **fc00::/7**: Unique Local Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x)
- **2000::/3**: Global Unicast (everything from `2000::` up to `3fff:ffff:...`)
- **ff02::1**: All Nodes on the link (multicast)
- **ff02::2**: All Routers on the link (multicast)

## **Discovering IPv6 Addresses within a Network**

### Way 1: Using Link-local Addresses
1. Obtain the MAC address of a device within the network (from a sniffed frame, the IPv4 ARP table or a switch's MAC table).
2. Derive the link-local IPv6 address from the MAC address with the EUI-64 rule above and verify it with a ping. If the host uses random or privacy identifiers the derived address will not answer, and you need Way 2.

### Way 2: Using Multicast
1. Send a ping to the all-nodes multicast address `ff02::1`. Every IPv6 host on the link replies from its link-local address, and the replies populate the neighbor cache together with each host's MAC address.

```bash
service ufw stop # Stop the local firewall so the echo replies are not dropped
ping6 -I <IFACE> ff02::1 # Send a ping to the all-nodes multicast address
ip -6 neigh # Display the neighbor table (IPv6 address, interface, MAC and state)
```

This enumerates link-local addresses only; the global or ULA addresses of the same hosts can be observed by sniffing the link, or resolved through DNS as described below.
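
As an added example (not part of the original page), this Python implements the MAC-to-link-local derivation from the section above and its inverse, then runs it over a constructed `ip -6 neigh` dump like the one Way 2 produces, labelling which neighbors expose their MAC through an EUI-64 identifier and which use random, stable-privacy or manual identifiers. The sample neighbor lines are made up for the example, and the function names are my own.

```python
import ipaddress
import re

LINK_LOCAL_PREFIX = bytes.fromhex("fe80" + "00" * 6)   # fe80::/64, the upper 8 bytes


def mac_to_link_local(mac: str) -> str:
    """Modified EUI-64 (RFC 4291 App. A): split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                      # invert the universal/local bit (7th bit from the left)
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + bytes(iid)))


def address_to_mac(addr: str):
    """Inverse: recover the MAC from an EUI-64 interface ID, or None if it is not EUI-64 shaped."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


# Constructed `ip -6 neigh` output (not captured from a real host): one EUI-64 host,
# one host with a random/stable-privacy IID, a manually addressed global one and a failed probe.
SAMPLE_NEIGH = """\
fe80::1034:56ff:fe78:9abc dev eth0 lladdr 12:34:56:78:9a:bc router REACHABLE
fe80::a1b2:c3d4:e5f6:708 dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 STALE
fe80::dead:beef:cafe:1 dev eth0 FAILED
"""


def audit_neighbors(ip_neigh_output: str) -> list:
    """Parse `ip -6 neigh` lines and label each interface identifier."""
    results = []
    for line in ip_neigh_output.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "dev":
            continue                    # not a neighbor line
        entry = {"address": tok[0], "dev": tok[2], "mac": None, "state": tok[-1]}
        if "lladdr" in tok:
            entry["mac"] = tok[tok.index("lladdr") + 1].lower()
        derived = address_to_mac(tok[0])
        if derived is None:
            entry["iid"] = "not-eui64"          # random, stable-privacy or manual IID
        elif entry["mac"] in (None, derived):
            entry["iid"] = "eui64"              # the address leaks the MAC
        else:
            entry["iid"] = "eui64-mismatch"     # ff:fe marker but a different MAC answered
        results.append(entry)
    return results


if __name__ == "__main__":
    print(mac_to_link_local("12:34:56:78:9a:bc"))   # fe80::1034:56ff:fe78:9abc
    for e in audit_neighbors(SAMPLE_NEIGH):
        print(f"{e['address']:28} {e['mac'] or '-':18} {e['state']:10} {e['iid']}")
```

Feed it the real output with `audit_neighbors(subprocess.check_output(["ip", "-6", "neigh"], text=True))`. An `eui64-mismatch` entry, where the identifier encodes one MAC but a different one answered, is exactly what a spoofed Neighbor Advertisement looks like in the cache and is worth checking.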

## IPv6 Man-in-the-Middle (MitM) Attacks
Several techniques exist for executing MitM attacks in IPv6 networks, such as:

- Spoofing ICMPv6 Neighbor Advertisements (the IPv6 counterpart of ARP spoofing) or Router Advertisements to become a host's default gateway.
- Using ICMPv6 Redirect or "Packet Too Big" messages to manipulate a host's routing and path-MTU decisions.
- Attacking Mobile IPv6 (usually requires IPsec to be disabled).
- Setting up a rogue DHCPv6 server.

# Identifying IPv6 Addresses in the wild

## Exploring Subdomains
One way to find hosts that are likely to have IPv6 addresses is to search for hostnames that advertise it, such as `ipv6.<domain>`. A Google query along these lines can be used:

```bash
site:ipv6.*
```

## Utilizing DNS Queries
To identify IPv6 addresses, certain DNS record types can be queried:
- **AXFR**: Requests a complete zone transfer, which returns every record in the zone (AAAA included) when the server is misconfigured to allow transfers from arbitrary clients.
- **AAAA**: Directly returns the IPv6 address(es) of a name; this is the normal way to resolve an IPv6 host.
- **ANY**: A broad query meant to return all record types for a name. Many resolvers and authoritative servers now answer it minimally (RFC 8482), so prefer explicit AAAA queries.

## Probing with Ping6
After pinpointing IPv6 addresses associated with an organization, `ping6` can be used to check whether they respond. A /64 holds 2^64 addresses, so IPv4-style sweeping of the surrounding range is not practical; adjacent IPv6 devices are better found with the neighbor-cache technique above once you have a foothold on the link.
