diff --git a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md index 58f60faf0cf..878c600e5bd 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md +++ b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md 
@@ -241,6 +241,35 @@ sudo ip6tables -A FORWARD -i eth0 -j ACCEPT sudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ``` +#### Router Advertisement Flags (M/O) & Default Router Preference (Prf) + +| Flag | Meaning | Effect on Client Behaviour | +|------|---------|----------------------------| +| **M (Managed Address Configuration)** | When set to `1` the host MUST use **DHCPv6** to obtain its IPv6 address. | Whole addressing comes from DHCPv6 – perfect for *mitm6* style poisoning. | +| **O (Other Configuration)** | When set to `1` the host should use **DHCPv6** only to obtain *other* information (DNS, NTP, …). | Address still via SLAAC, but DNS can be hijacked with DHCPv6. | +| **M=0 / O=0** | Pure SLAAC network. | Only RA / RDNSS tricks are possible – DHCPv6 won’t be sent by clients. | +| **M=1 / O=1** | Mixed environment. | Both DHCPv6 and SLAAC are used; the surface for spoofing is the largest. | + +During a pentest you can simply inspect the legitimate RA once and decide which vector is feasible: + +```bash +sudo tcpdump -vvv -i eth0 'icmp6 && ip6[40] == 134' # capture Router Advertisements +``` + +Look for the `flags [M,O]` field in the dump – no guessing required. + +The **Prf** (Router Preference) field inside the RA header controls how attractive your rogue router looks when *multiple* gateways are present: + +| Prf value | Binary | Meaning | +|-----------|--------|---------| +| **High** | `10` | Clients prefer this router over any *Medium*/*Low* one | +| Medium (default) | `01` | Used by almost every legitimate device | +| Low | `00` | Chosen only when no better router exists | + +When generating the packet with Scapy you can set it through the `prf` parameter as shown above (`prf=0x1` → High). Combining **High Prf**, a **short interval**, and a **non-zero lifetime** makes your rogue gateway remarkably stable. 
+ +--- + ### RDNSS (DNS) Spoofing via RA [RFC 8106](https://datatracker.ietf.org/doc/html/rfc8106) allows adding a **Recursive DNS Server (RDNSS)** option inside a RA. Modern OSes (Win 10 ≥1709, Win 11, macOS Big Sur, Linux systemd-resolved, …) automatically trust it: @@ -296,6 +325,7 @@ sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning - [RFC 8106 – IPv6 ND DNS Configuration](https://datatracker.ietf.org/doc/html/rfc8106) - [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html) - [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904) +- [Practical Guide to IPv6 Attacks in a Local Network](https://habr.com/ru/articles/930526/) {{#include ../../banners/hacktricks-training.md}}
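Review bot: The Prf table in the first hunk has the binary encodings wrong and contradicts the sentence right after it. RFC 4191 section 2.1 encodes the Router Preference as `01` = High, `00` = Medium (the default), `11` = Low, with `10` reserved and treated as Medium by receivers; the table instead lists High as `10`, Medium as `01` and Low as `00`. The text then says `prf=0x1 → High`, which matches RFC 4191 but not the table, so a reader following the table would set the reserved value. Suggest correcting the three Binary cells to `01`, `00` and `11`. In the M/O table, "the host MUST use DHCPv6" overstates RFC 4861, where the M flag only indicates that addresses are available via DHCPv6 and SLAAC still runs for any prefix carrying the A flag; "should" or "is signalled to" would be accurate. Minor: the tcpdump filter `ip6[40] == 134` reads the ICMPv6 type only when no extension headers precede it, which holds for normal RAs but is worth a short comment.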
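Review bot: The new reference in the second hunk points at a habr.com `/ru/` article, so the entry should mark the language, e.g. `[Practical Guide to IPv6 Attacks in a Local Network (in Russian)](https://habr.com/ru/articles/930526/)`, to match the expectation set by the English titles of the neighbouring entries.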