hacktricks/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md

142 lines
7.2 KiB
Markdown
Raw Normal View History

2024-12-12 10:39:29 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
# IPv6 Basic theory
## Networks
IPv6 addresses are structured to enhance network organization and device interaction. An IPv6 address is divided into:
1. **Network Prefix**: The initial 48 bits, determining the network segment.
2. **Subnet ID**: Following 16 bits, used for defining specific subnets within the network.
3. **Interface Identifier**: The concluding 64 bits, uniquely identifying a device within the subnet.
While IPv6 omits the ARP protocol found in IPv4, it introduces **ICMPv6** with two primary messages:
- **Neighbor Solicitation (NS)**: Multicast messages for address resolution.
- **Neighbor Advertisement (NA)**: Unicast responses to NS or spontaneous announcements.
IPv6 also incorporates special address types:
- **Loopback Address (`::1`)**: Equivalent to IPv4's `127.0.0.1`, for internal communication within the host.
- **Link-Local Addresses (`FE80::/10`)**: For local network activities, not for internet routing. Devices on the same local network can discover each other using this range.
### Practical Usage of IPv6 in Network Commands
To interact with IPv6 networks, you can use various commands:
- **Ping Link-Local Addresses**: Check the presence of local devices using `ping6`.
- **Neighbor Discovery**: Use `ip neigh` to view devices discovered at the link layer.
- **alive6**: An alternative tool for discovering devices on the same network.
Below are some command examples:
```bash
ping6 I eth0 -c 5 ff02::1 > /dev/null 2>&1
ip neigh | grep ^fe80
# Alternatively, use alive6 for neighbor discovery
alive6 eth0
```
IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network.
## **Deriving Link-local IPv6 from MAC Address**
Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows:
1. Convert MAC to IPv6 format: **`1234:5678:9abc`**
2. Prepend `fe80::` and insert `fffe` in the middle: **`fe80::1234:56ff:fe78:9abc`**
3. Invert the seventh bit from the left, changing `1234` to `1034`: **`fe80::1034:56ff:fe78:9abc`**
## **IPv6 Address Types**
- **Unique Local Address (ULA)**: For local communications, not meant for public internet routing. Prefix: **`FEC00::/7`**
- **Multicast Address**: For one-to-many communication. Delivered to all interfaces in the multicast group. Prefix: **`FF00::/8`**
- **Anycast Address**: For one-to-nearest communication. Sent to the closest interface as per routing protocol. Part of the **`2000::/3`** global unicast range.
## **Address Prefixes**
- **fe80::/10**: Link-Local addresses (similar to 169.254.x.x)
- **fc00::/7**: Unique Local-Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x)
- **2000::/3**: Global Unicast
- **ff02::1**: Multicast All Nodes
- **ff02::2**: Multicast Router Nodes
## **Discovering IPv6 Addresses within a Network**
### Way 1: Using Link-local Addresses
1. Obtain the MAC address of a device within the network.
2. Derive the Link-local IPv6 address from the MAC address.
### Way 2: Using Multicast
1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network.
```bash
service ufw stop # Stop the firewall
ping6 -I <IFACE> ff02::1 # Send a ping to multicast address
ip -6 neigh # Display the neighbor table
```
## IPv6 Man-in-the-Middle (MitM) Attacks
Several techniques exist for executing MitM attacks in IPv6 networks, such as:
- Spoofing ICMPv6 neighbor or router advertisements.
- Using ICMPv6 redirect or "Packet Too Big" messages to manipulate routing.
- Attacking mobile IPv6 (usually requires IPSec to be disabled).
- Setting up a rogue DHCPv6 server.
# Identifying IPv6 Addresses in the eild
## Exploring Subdomains
A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google:
```bash
site:ipv6./
```
## Utilizing DNS Queries
To identify IPv6 addresses, certain DNS record types can be queried:
- **AXFR**: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
- **AAAA**: Directly seeks out IPv6 addresses.
- **ANY**: A broad query that returns all available DNS records.
## Probing with Ping6
After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
## References
* [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
* [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}