mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 11:03:24 +00:00
141 lines
7.2 KiB
Markdown
141 lines
7.2 KiB
Markdown
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
|
||
# IPv6 Basic theory
|
||
|
||
## Networks
|
||
|
||
IPv6 addresses are structured to enhance network organization and device interaction. An IPv6 address is divided into:
|
||
|
||
1. **Network Prefix**: The initial 48 bits, determining the network segment.
|
||
2. **Subnet ID**: Following 16 bits, used for defining specific subnets within the network.
|
||
3. **Interface Identifier**: The concluding 64 bits, uniquely identifying a device within the subnet.
|
||
|
||
While IPv6 omits the ARP protocol found in IPv4, it introduces **ICMPv6** with two primary messages:
|
||
- **Neighbor Solicitation (NS)**: Multicast messages for address resolution.
|
||
- **Neighbor Advertisement (NA)**: Unicast responses to NS or spontaneous announcements.
|
||
|
||
IPv6 also incorporates special address types:
|
||
- **Loopback Address (`::1`)**: Equivalent to IPv4's `127.0.0.1`, for internal communication within the host.
|
||
- **Link-Local Addresses (`FE80::/10`)**: For local network activities, not for internet routing. Devices on the same local network can discover each other using this range.
|
||
|
||
### Practical Usage of IPv6 in Network Commands
|
||
|
||
To interact with IPv6 networks, you can use various commands:
|
||
- **Ping Link-Local Addresses**: Check the presence of local devices using `ping6`.
|
||
- **Neighbor Discovery**: Use `ip neigh` to view devices discovered at the link layer.
|
||
- **alive6**: An alternative tool for discovering devices on the same network.
|
||
|
||
Below are some command examples:
|
||
|
||
```bash
|
||
ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1
|
||
ip neigh | grep ^fe80
|
||
|
||
# Alternatively, use alive6 for neighbor discovery
|
||
alive6 eth0
|
||
```
|
||
|
||
IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network.
|
||
|
||
## **Deriving Link-local IPv6 from MAC Address**
|
||
|
||
Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows:
|
||
|
||
1. Convert MAC to IPv6 format: **`1234:5678:9abc`**
|
||
2. Prepend `fe80::` and insert `fffe` in the middle: **`fe80::1234:56ff:fe78:9abc`**
|
||
3. Invert the seventh bit from the left, changing `1234` to `1034`: **`fe80::1034:56ff:fe78:9abc`**
|
||
|
||
## **IPv6 Address Types**
|
||
|
||
- **Unique Local Address (ULA)**: For local communications, not meant for public internet routing. Prefix: **`FEC00::/7`**
|
||
- **Multicast Address**: For one-to-many communication. Delivered to all interfaces in the multicast group. Prefix: **`FF00::/8`**
|
||
- **Anycast Address**: For one-to-nearest communication. Sent to the closest interface as per routing protocol. Part of the **`2000::/3`** global unicast range.
|
||
|
||
## **Address Prefixes**
|
||
- **fe80::/10**: Link-Local addresses (similar to 169.254.x.x)
|
||
- **fc00::/7**: Unique Local-Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x)
|
||
- **2000::/3**: Global Unicast
|
||
- **ff02::1**: Multicast All Nodes
|
||
- **ff02::2**: Multicast Router Nodes
|
||
|
||
## **Discovering IPv6 Addresses within a Network**
|
||
|
||
### Way 1: Using Link-local Addresses
|
||
1. Obtain the MAC address of a device within the network.
|
||
2. Derive the Link-local IPv6 address from the MAC address.
|
||
|
||
### Way 2: Using Multicast
|
||
1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network.
|
||
|
||
```bash
|
||
service ufw stop # Stop the firewall
|
||
ping6 -I <IFACE> ff02::1 # Send a ping to multicast address
|
||
ip -6 neigh # Display the neighbor table
|
||
```
|
||
|
||
## IPv6 Man-in-the-Middle (MitM) Attacks
|
||
Several techniques exist for executing MitM attacks in IPv6 networks, such as:
|
||
|
||
- Spoofing ICMPv6 neighbor or router advertisements.
|
||
- Using ICMPv6 redirect or "Packet Too Big" messages to manipulate routing.
|
||
- Attacking mobile IPv6 (usually requires IPSec to be disabled).
|
||
- Setting up a rogue DHCPv6 server.
|
||
|
||
|
||
# Identifying IPv6 Addresses in the eild
|
||
|
||
## Exploring Subdomains
|
||
A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google:
|
||
|
||
```bash
|
||
site:ipv6./
|
||
```
|
||
|
||
## Utilizing DNS Queries
|
||
To identify IPv6 addresses, certain DNS record types can be queried:
|
||
- **AXFR**: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
|
||
- **AAAA**: Directly seeks out IPv6 addresses.
|
||
- **ANY**: A broad query that returns all available DNS records.
|
||
|
||
## Probing with Ping6
|
||
After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
|
||
|
||
|
||
## References
|
||
|
||
* [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
|
||
* [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
|
||
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
|