hacktricks/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


# IPv6 Basic theory

## Networks

IPv6 addresses are structured to enhance network organization and device interaction. An IPv6 address is divided into:

1. **Network Prefix**: The initial 48 bits, determining the network segment.
2. **Subnet ID**: Following 16 bits, used for defining specific subnets within the network.
3. **Interface Identifier**: The concluding 64 bits, uniquely identifying a device within the subnet.

While IPv6 omits the ARP protocol found in IPv4, it introduces **ICMPv6** with two primary messages:
- **Neighbor Solicitation (NS)**: Multicast messages for address resolution.
- **Neighbor Advertisement (NA)**: Unicast responses to NS or spontaneous announcements.

IPv6 also incorporates special address types:
- **Loopback Address (`::1`)**: Equivalent to IPv4's `127.0.0.1`, for internal communication within the host.
- **Link-Local Addresses (`FE80::/10`)**: For local network activities, not for internet routing. Devices on the same local network can discover each other using this range.

### Practical Usage of IPv6 in Network Commands

To interact with IPv6 networks, you can use various commands:
- **Ping Link-Local Addresses**: Check the presence of local devices using `ping6`.
- **Neighbor Discovery**: Use `ip neigh` to view devices discovered at the link layer.
- **alive6**: An alternative tool for discovering devices on the same network.

Below are some command examples:

```bash
ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1
ip neigh | grep ^fe80

# Alternatively, use alive6 for neighbor discovery
alive6 eth0
```

IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network.

## **Deriving Link-local IPv6 from MAC Address**

Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows:

1. Convert MAC to IPv6 format: **`1234:5678:9abc`**
2. Prepend `fe80::` and insert `fffe` in the middle: **`fe80::1234:56ff:fe78:9abc`**
3. Invert the seventh bit from the left, changing `1234` to `1034`: **`fe80::1034:56ff:fe78:9abc`**

## **IPv6 Address Types**

- **Unique Local Address (ULA)**: For local communications, not meant for public internet routing. Prefix: **`FEC00::/7`**
- **Multicast Address**: For one-to-many communication. Delivered to all interfaces in the multicast group. Prefix: **`FF00::/8`**
- **Anycast Address**: For one-to-nearest communication. Sent to the closest interface as per routing protocol. Part of the **`2000::/3`** global unicast range.

## **Address Prefixes**
- **fe80::/10**: Link-Local addresses (similar to 169.254.x.x)
- **fc00::/7**: Unique Local-Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x)
- **2000::/3**: Global Unicast
- **ff02::1**: Multicast All Nodes
- **ff02::2**: Multicast Router Nodes

## **Discovering IPv6 Addresses within a Network**

### Way 1: Using Link-local Addresses
1. Obtain the MAC address of a device within the network.
2. Derive the Link-local IPv6 address from the MAC address.

### Way 2: Using Multicast
1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network.

```bash
service ufw stop # Stop the firewall
ping6 -I <IFACE> ff02::1 # Send a ping to multicast address
ip -6 neigh # Display the neighbor table
```

## IPv6 Man-in-the-Middle (MitM) Attacks
Several techniques exist for executing MitM attacks in IPv6 networks, such as:

- Spoofing ICMPv6 neighbor or router advertisements.
- Using ICMPv6 redirect or "Packet Too Big" messages to manipulate routing.
- Attacking mobile IPv6 (usually requires IPSec to be disabled).
- Setting up a rogue DHCPv6 server.


# Identifying IPv6 Addresses in the eild

## Exploring Subdomains
A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google:

```bash
site:ipv6./
```

## Utilizing DNS Queries
To identify IPv6 addresses, certain DNS record types can be queried:
- **AXFR**: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
- **AAAA**: Directly seeks out IPv6 addresses.
- **ANY**: A broad query that returns all available DNS records.

## Probing with Ping6
After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.


## References

* [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
* [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)


{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}