mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-05 01:38:51 +00:00
142 lines
7.2 KiB
Markdown

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

# IPv6 Basic theory

## Networks

An IPv6 address is 128 bits long. In the typical allocation described here it is divided into:

1. **Network Prefix**: The initial 48 bits, determining the network segment.
2. **Subnet ID**: The following 16 bits, used for defining specific subnets within the network.
3. **Interface Identifier**: The concluding 64 bits, uniquely identifying a device within the subnet.

IPv6 has no ARP. Address resolution is handled by Neighbor Discovery, which uses two primary **ICMPv6** messages:

- **Neighbor Solicitation (NS)**: Sent to a multicast address to resolve a neighbor's link-layer address.
- **Neighbor Advertisement (NA)**: Unicast responses to an NS, or unsolicited announcements of an address.

IPv6 also incorporates special address types:

- **Loopback Address (`::1`)**: Equivalent to IPv4's `127.0.0.1`, for internal communication within the host.
- **Link-Local Addresses (`FE80::/10`)**: For local network activities, not for internet routing. Devices on the same local network can discover each other using this range.

### Practical Usage of IPv6 in Network Commands

To interact with IPv6 networks, you can use various commands:

- **Ping Link-Local Addresses**: Check the presence of local devices using `ping6`.
- **Neighbor Discovery**: Use `ip neigh` to view devices discovered at the link layer.
- **alive6**: An alternative tool for discovering devices on the same network.

Below are some command examples:

```bash
# Ping the all-nodes multicast address on eth0; the replies populate the neighbor table
ping6 -I eth0 -c 5 ff02::1 > /dev/null 2>&1
# List the link-local neighbors learned at the link layer
ip neigh | grep ^fe80

# Alternatively, use alive6 for neighbor discovery
alive6 eth0
```

IPv6 addresses can be derived from a device's MAC address for local communication. Below is a short guide to deriving the link-local IPv6 address from a known MAC address, followed by an overview of IPv6 address types and of methods to discover IPv6 addresses within a network.

## **Deriving Link-local IPv6 from MAC Address**

Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows:

1. Convert MAC to IPv6 format: **`1234:5678:9abc`**
2. Prepend `fe80::` and insert `fffe` in the middle: **`fe80::1234:56ff:fe78:9abc`**
3. Invert the seventh bit from the left of the first byte (the universal/local bit), changing `12` to `10` so that `1234` becomes `1034`: **`fe80::1034:56ff:fe78:9abc`**

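The three steps above, as an added Python example (not code from the HackTricks page): it builds the modified EUI-64 link-local address from a MAC address and also reverses the derivation, which is useful when checking whether a link-local address seen in a neighbor table leaks a hardware address. The function names `mac_to_link_local` and `link_local_to_mac` are my own.

```python
# Added example, not from the HackTricks page: modified EUI-64 derivation
# (RFC 4291) of a link-local address from a MAC, and the reverse lookup.
import ipaddress
import re

# Accept 12:34:56:78:9a:bc as well as 12-34-56-78-9A-BC.
_MAC_RE = re.compile("^" + r"([0-9a-f]{2})[:-]" * 5 + r"([0-9a-f]{2})$",
                     re.IGNORECASE)


def mac_to_link_local(mac: str) -> str:
    """Return the fe80::/64 address SLAAC derives from ``mac`` via modified EUI-64."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(x, 16) for x in m.groups()]
    # Step 2 of the page: split the MAC in half and insert ff:fe in the middle.
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]
    # Step 3: flip the universal/local bit, the 7th bit from the left of byte 0.
    eui64[0] ^= 0x02
    # Pack byte pairs into the four 16-bit hex groups of the interface identifier.
    groups = []
    for i in range(0, 8, 2):
        groups.append(format((eui64[i] << 8) | eui64[i + 1], "x"))
    return str(ipaddress.IPv6Address("fe80::" + ":".join(groups)))


def link_local_to_mac(addr: str):
    """Inverse: return the MAC behind an EUI-64 link-local address, or None."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_link_local:
        return None
    iid = a.packed[8:]                 # last 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                    # random/privacy IID, not derived from a MAC
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(format(b, "02x") for b in raw)


if __name__ == "__main__":
    ll = mac_to_link_local("12:34:56:78:9a:bc")
    print(ll, "->", link_local_to_mac(ll))   # fe80::1034:56ff:fe78:9abc -> 12:34:56:78:9a:bc
```

Hosts with privacy extensions (RFC 4941) use randomly generated interface identifiers, so `link_local_to_mac` returns `None` for them and the derivation only predicts the address of a host that actually uses EUI-64 SLAAC.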
## **IPv6 Address Types**

- **Unique Local Address (ULA)**: For local communications, not meant for public internet routing. Prefix: **`FC00::/7`**
- **Multicast Address**: For one-to-many communication. Delivered to all interfaces in the multicast group. Prefix: **`FF00::/8`**
- **Anycast Address**: For one-to-nearest communication. Sent to the closest interface as per routing protocol. Part of the **`2000::/3`** global unicast range.

## **Address Prefixes**

- **fe80::/10**: Link-Local addresses (similar to 169.254.x.x)
- **fc00::/7**: Unique Local Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x)
- **2000::/3**: Global Unicast
- **ff02::1**: Multicast All Nodes
- **ff02::2**: Multicast All Routers

## **Discovering IPv6 Addresses within a Network**

### Way 1: Using Link-local Addresses

1. Obtain the MAC address of a device within the network.
2. Derive the Link-local IPv6 address from the MAC address.

### Way 2: Using Multicast

1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network.

```bash
service ufw stop # Stop the firewall so ICMPv6 replies are not dropped
ping6 -I <IFACE> ff02::1 # Send a ping to the all-nodes multicast address
ip -6 neigh # Display the neighbor table
```

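The neighbor table that the multicast ping above fills, the address prefix table, and the 48/16/64-bit split from the Networks section, combined in one added Python example (not from the HackTricks page): it parses constructed `ip -6 neigh` lines, labels each address by the prefix list, splits global unicast addresses into prefix, subnet ID and interface identifier, and collects the link-layer addresses and routers seen (the `ip neigh | grep ^fe80` filter from earlier corresponds to the `link-local` class). The sample output lines are constructed and the function names are mine.

```python
# Added example, not from the HackTricks page: classify `ip -6 neigh` entries
# with the page's prefix table and split global addresses 48/16/64.
import ipaddress

# Prefix table from the page; most specific entries first so that ff02::1 is
# reported as all-nodes rather than as plain multicast.
PREFIX_TABLE = [(ipaddress.IPv6Network(n), label) for n, label in [
    ("::1/128", "loopback"),
    ("ff02::1/128", "multicast all-nodes"),
    ("ff02::2/128", "multicast all-routers"),
    ("ff00::/8", "multicast"),
    ("fe80::/10", "link-local"),
    ("fc00::/7", "unique local"),
    ("2000::/3", "global unicast"),
]]

# Constructed sample of `ip -6 neigh` output (not a real capture).
SAMPLE_NEIGH = """\
fe80::1034:56ff:fe78:9abc dev eth0 lladdr 12:34:56:78:9a:bc REACHABLE
2001:db8:1:2::10 dev eth0 lladdr 12:34:56:78:9a:bc STALE
fd00:dead:beef::5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::1 dev eth0 lladdr aa:bb:cc:dd:ee:ff router REACHABLE
ff02::1 dev eth0 lladdr 33:33:00:00:00:01 NOARP
2001:db8:1:2::1 dev eth0 FAILED
"""


def classify(addr: str) -> str:
    """Label an address with the first matching entry of PREFIX_TABLE."""
    a = ipaddress.IPv6Address(addr)
    for net, label in PREFIX_TABLE:
        if a in net:
            return label
    return "other"


def split_global(addr: str):
    """Split an address into the 48-bit prefix, 16-bit subnet ID and 64-bit IID."""
    g = ipaddress.IPv6Address(addr).exploded.split(":")  # eight zero-padded groups
    return ":".join(g[0:3]), g[3], ":".join(g[4:8])


def parse_neigh(text: str):
    """Parse `ip -6 neigh` lines: '<addr> dev <if> [lladdr <mac>] [router] <STATE>'."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # not a neighbor entry
        entries.append({
            "addr": tok[0],
            "dev": tok[2],
            "lladdr": tok[tok.index("lladdr") + 1] if "lladdr" in tok else None,
            "router": "router" in tok,
            "state": tok[-1],
            "class": classify(tok[0]),
        })
    return entries


def summarize(text: str):
    """Return (count per class, sorted unique MACs, addresses flagged as routers)."""
    counts, macs, routers = {}, set(), []
    for e in parse_neigh(text):
        counts[e["class"]] = counts.get(e["class"], 0) + 1
        # Multicast entries carry a 33:33:... group MAC, not a host's hardware address.
        if e["lladdr"] and not e["class"].startswith("multicast"):
            macs.add(e["lladdr"])
        if e["router"]:
            routers.append(e["addr"])
    return counts, sorted(macs), routers


if __name__ == "__main__":
    counts, macs, routers = summarize(SAMPLE_NEIGH)
    print(counts, macs, routers)
    for e in parse_neigh(SAMPLE_NEIGH):
        if e["class"] == "global unicast":
            print(e["addr"], "->", split_global(e["addr"]))
```

Running the same summary over a real `ip -6 neigh` dump gives a quick inventory of which link-local and global addresses share a MAC, and which neighbors advertise themselves as routers, which is the first thing to compare against the expected gateway when reviewing a segment.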
## IPv6 Man-in-the-Middle (MitM) Attacks

Several techniques exist for executing MitM attacks in IPv6 networks, such as:

- Spoofing ICMPv6 neighbor or router advertisements.
- Using ICMPv6 redirect or "Packet Too Big" messages to manipulate routing.
- Attacking mobile IPv6 (usually requires IPSec to be disabled).
- Setting up a rogue DHCPv6 server.

# Identifying IPv6 Addresses in the Wild

## Exploring Subdomains

One way to find subdomains that are potentially linked to IPv6 addresses is to use search engines with a query pattern like `ipv6.*`. For instance, the following search can be used in Google:

```bash
site:ipv6./
```

## Utilizing DNS Queries

To identify IPv6 addresses, certain DNS record types can be queried:

- **AXFR**: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
- **AAAA**: Directly seeks out IPv6 addresses.
- **ANY**: A broad query that returns all available DNS records.

## Probing with Ping6

After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
