Practical Guide to IPv6 Attacks in a Local Network #1237

Expand Up @@ -241,6 +241,35 @@ sudo ip6tables -A FORWARD -i eth0 -j ACCEPT
sudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

#### Router Advertisement Flags (M/O) & Default Router Preference (Prf)

| Flag | Meaning | Effect on Client Behaviour |
|------|---------|----------------------------|
| **M (Managed Address Configuration)** | When set to `1` the host MUST use **DHCPv6** to obtain its IPv6 address. | Whole addressing comes from DHCPv6 – perfect for *mitm6* style poisoning. |
| **O (Other Configuration)** | When set to `1` the host should use **DHCPv6** only to obtain *other* information (DNS, NTP, …). | Address still via SLAAC, but DNS can be hijacked with DHCPv6. |
| **M=0 / O=0** | Pure SLAAC network. | Only RA / RDNSS tricks are possible – DHCPv6 won’t be sent by clients. |
| **M=1 / O=1** | Mixed environment. | Both DHCPv6 and SLAAC are used; the surface for spoofing is the largest. |

During a pentest you can simply inspect the legitimate RA once and decide which vector is feasible:

```bash
sudo tcpdump -vvv -i eth0 'icmp6 && ip6[40] == 134' # capture Router Advertisements
```

Look for the `flags [M,O]` field in the dump – no guessing required.

The **Prf** (Router Preference) field inside the RA header controls how attractive your rogue router looks when *multiple* gateways are present:

| Prf value | Binary | Meaning |
|-----------|--------|---------|
| **High** | `10` | Clients prefer this router over any *Medium*/*Low* one |
| Medium (default) | `01` | Used by almost every legitimate device |
| Low | `00` | Chosen only when no better router exists |

When generating the packet with Scapy you can set it through the `prf` parameter as shown above (`prf=0x1` β†’ High). Combining **High Prf**, a **short interval**, and a **non-zero lifetime** makes your rogue gateway remarkably stable.

---

### RDNSS (DNS) Spoofing via RA

[RFC 8106](https://datatracker.ietf.org/doc/html/rfc8106) allows adding a **Recursive DNS Server (RDNSS)** option inside a RA. Modern OSes (Win 10 β‰₯1709, Win 11, macOS Big Sur, Linux systemd-resolved, …) automatically trust it:
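Review bot: the Binary column of the Prf table contradicts both RFC 4191 section 2.1 and the `prf=0x1` → High sentence a few lines below it. RFC 4191 encodes High as `01`, Medium (default) as `00` and Low as `11`, with `10` reserved and never sent; `0x1` is High only under that encoding, not under the table's `10`/`01`/`00`. Suggest replacing the three binary cells with `01`, `00`, `11`. Also in this hunk: `β†’` and `β‰₯` are mojibake for `→` and `≥` in the Prf sentence and the RDNSS paragraph, and the `ip6[40] == 134` filter in `'icmp6 && ip6[40] == 134'` only matches when the ICMPv6 header directly follows the fixed 40-byte IPv6 header (no extension headers), which deserves a short parenthetical since it is presented as the definitive way to read the M/O flags.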
Expand Down Expand Up @@ -296,6 +325,7 @@ sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning
- [RFC 8106 – IPv6 ND DNS Configuration](https://datatracker.ietf.org/doc/html/rfc8106)
- [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
- [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
- [Practical Guide to IPv6 Attacks in a Local Network](https://habr.com/ru/articles/930526/)

{{#include ../../banners/hacktricks-training.md}}

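Review bot: the new reference entry uses the bracketed-title style of the RFC 8106 entry while the two entries directly above it are bare URLs, so the list now mixes styles; pick one. Since its title is the same as this PR's title and the URL path is `/ru/`, consider labelling it as the Russian-language article (e.g. appending "(Russian)") so readers know what it is and why it is listed.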