mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-04 17:28:52 +00:00
99 lines
7.2 KiB
Markdown
99 lines
7.2 KiB
Markdown
<details> <summary><strong>Support HackTricks and get benefits!</strong></summary> Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** </details>
|
||
# Pentesting IPv6
|
||
|
||
## IPv6 Basic theory
|
||
|
||
### Networks
|
||
|
||
In an IPv6 address, the **first 48 bits are the network prefix**. The **next 16 bits are the subnet ID** and are used for defining subnets. The last **64 bits are the interface identifier** (which is also known as the Interface ID or the Device ID, is for devices). If necessary, the bits that are normally reserved for the Device ID can be used for additional subnet masking.
|
||
|
||
There is not ARP in IPv6. Instead, there is **ICMPv6 NS (Neighbor Solicitation) and NA (Neighbor Advertisement)**. The **NS** is used to resolve and address, so it sends **multicast** packets. The **NA** is **unicast** as is used to answer the NS. A NA packet could also be sent without needing a NS packet.
|
||
|
||
**0:0:0:0:0:0:0:1** = 1 (`::1` for short) – This is 127.0.0.1 equivalent in IPv4.
|
||
|
||
**Link-local Addresses:** These are private address that is not meant to be routed on the internet. They can be used locally by private or temporary LANs for sharing and distribution of file among devices on the LAN. Other devices in your local LAN using this kind of addresses can be found sending a ping to the multicast address ff02::01\
|
||
**FE80::/10** – Link-local unicast address range.
|
||
|
||
```bash
|
||
ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1
|
||
ip neigh | grep ^fe80
|
||
|
||
#Or you could also use
|
||
alive6 eth0
|
||
```
|
||
|
||
If you **know the MAC address of a host in the same net** as you (you could just ping its ipv4 address and view the arp table to found its MAC address), you can calculate his Link-local address to communicate with him.\
|
||
Suppose the **MAC address** is **`12:34:56:78:9a:bc`**
|
||
|
||
1. To IPv6 notation: **`1234:5678:9abc`**
|
||
2. Append `fe80::` at the begging and Insert `fffe` in the middle: **`fe80::`**`1234:56`**`ff:fe`**`78:9abc`
|
||
3. Invert seventh bit from the left, from 0001 0010 to 0001 0000: `fe80::1`**`0`**`34:5678:9abc`
|
||
4. `fe80::1034:5678:9abc`
|
||
|
||
**Unique local address:** This type of ipv6 address also not intended to be routed on the public internet. Unique local is a replacement of site-local address, that allows communication within a site while being routable to a multiple local networks.\
|
||
**FEC00::/7** – The unique local address range.
|
||
|
||
**Multicast Address:** This can also be refered to as One-to-Many. Packets addressed to multicast address are delivered to all interface identified by the multicast address. Multicast address types are easily notable because they normally begins with FF.\
|
||
**FF00::/8** – The multicast range.
|
||
|
||
**Anycast:** This form of ipv6 address is similar to the multicast address with a slight difference. Anycast address can also be refered to as One to Nearest. It can be used to address packets meant for multiple interfaces; but usually it sends packets to the first interface it finds as defined in the routing distance. This means it send packets to the closest interface as determined by routing protocols.\
|
||
**20000::/3** – The global unicast address range.
|
||
|
||
fe80::/10--> Unique Link-Local (169.254.x.x) \[fe80:0000:0000:0000:0000:0000:0000:0000,febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]\
|
||
fc00::/7 --> Unique Local-Unicast (10.x.x.x, 172.16.x.x, 192.168.x.x) \[]\
|
||
2000::/3 --> Global Unicast\
|
||
ff02::1 --> Multicast All Nodes\
|
||
ff02::2 --> Multicast Router Nodes
|
||
|
||
### **Guess the IPv6 of a machine**
|
||
|
||
**Way 1**
|
||
|
||
The IPv6 of fe80::/10 are based on the MAC. If you have the IPv6 of a device inside a network and you want to guess the IPv6 of another device of the network, you can get its MAC address using a ping (inside the arp table).
|
||
|
||
**Way2**
|
||
|
||
You can send a ping6 to the multicast and get the IPv6 address inside the arp table.
|
||
|
||
```bash
|
||
service ufw stop #Stop firewall
|
||
ping6 -I <IFACE> ff02::1 #You could also make: ping6 -I <IPV6> ff02::1 if you want to make a ping to a specific IP Address
|
||
ip -6 neigh
|
||
alive6
|
||
use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement; set INTERFACE eth1; run
|
||
```
|
||
|
||
## IPv6 MitM
|
||
|
||
Man in the middle with spoofed ICMPv6 neighbor advertisement.
|
||
|
||
* Man in the middle with spoofed ICMPv6 router advertisement.
|
||
* Man in the middle using ICMPv6 redirect or ICMPv6 too big to implant route.
|
||
* Man in the middle to attack mobile IPv6 but requires ipsec to be disabled.
|
||
* Man in the middle with rogue DHCPv6 server
|
||
|
||
|
||
|
||
## Discovering IPv6 addresses in the wild
|
||
|
||
### Sudomains
|
||
|
||
You can use google and other browsers to search for subdomains like "ipv6.\*"
|
||
|
||
```bash
|
||
site:ipv6./
|
||
```
|
||
|
||
### DNS
|
||
|
||
You could also try to search "**AXFR**"(zone transfer), "**AAAA**"(IPv6) or even "**ANY**" (all) registry in DNS to find IPv6 addresses.
|
||
|
||
### Ping6
|
||
|
||
Once some IPv6 devices of an organisation have been found, you could try to use `ping6` to check nearby addresses.
|
||
|
||
## References
|
||
|
||
* [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
|
||
* [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
|
||
<details> <summary><strong>Support HackTricks and get benefits!</strong></summary> Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** </details>
|