Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

IPv6 Basic theory

Networks

IPv6 addresses are structured to enhance network organization and device interaction. An IPv6 address is divided into:

Network Prefix: The initial 48 bits, determining the network segment.
Subnet ID: Following 16 bits, used for defining specific subnets within the network.
Interface Identifier: The concluding 64 bits, uniquely identifying a device within the subnet.

While IPv6 omits the ARP protocol found in IPv4, it introduces ICMPv6 with two primary messages:

Neighbor Solicitation (NS): Multicast messages for address resolution.
Neighbor Advertisement (NA): Unicast responses to NS or spontaneous announcements.

IPv6 also incorporates special address types:

Loopback Address (::1): Equivalent to IPv4's 127.0.0.1, for internal communication within the host.
Link-Local Addresses (FE80::/10): For local network activities, not for internet routing. Devices on the same local network can discover each other using this range.

Practical Usage of IPv6 in Network Commands

To interact with IPv6 networks, you can use various commands:

Ping Link-Local Addresses: Check the presence of local devices using ping6.
Neighbor Discovery: Use ip neigh to view devices discovered at the link layer.
alive6: An alternative tool for discovering devices on the same network.

Below are some command examples:

bash

ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1
ip neigh | grep ^fe80

# Alternatively, use alive6 for neighbor discovery
alive6 eth0

IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network.

Deriving Link-local IPv6 from MAC Address

Given a MAC address 12:34:56:78:9a:bc, you can construct the Link-local IPv6 address as follows:

Convert MAC to IPv6 format: 1234:5678:9abc
Prepend fe80:: and insert fffe in the middle: fe80::1234:56ff:fe78:9abc
Invert the seventh bit from the left, changing 1234 to 1034: fe80::1034:56ff:fe78:9abc

IPv6 Address Types

Unique Local Address (ULA): For local communications, not meant for public internet routing. Prefix: FEC00::/7
Multicast Address: For one-to-many communication. Delivered to all interfaces in the multicast group. Prefix: FF00::/8
Anycast Address: For one-to-nearest communication. Sent to the closest interface as per routing protocol. Part of the 2000::/3 global unicast range.

Address Prefixes

fe80::/10: Link-Local addresses (similar to 169.254.x.x)
fc00::/7: Unique Local-Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x)
2000::/3: Global Unicast
ff02::1: Multicast All Nodes
ff02::2: Multicast Router Nodes

Discovering IPv6 Addresses within a Network

Way 1: Using Link-local Addresses

Obtain the MAC address of a device within the network.
Derive the Link-local IPv6 address from the MAC address.

Way 2: Using Multicast

Send a ping to the multicast address ff02::1 to discover IPv6 addresses on the local network.

bash

service ufw stop # Stop the firewall
ping6 -I <IFACE> ff02::1 # Send a ping to multicast address
ip -6 neigh # Display the neighbor table

IPv6 Man-in-the-Middle (MitM) Attacks

Several techniques exist for executing MitM attacks in IPv6 networks, such as:

Spoofing ICMPv6 neighbor or router advertisements.
Using ICMPv6 redirect or "Packet Too Big" messages to manipulate routing.
Attacking mobile IPv6 (usually requires IPSec to be disabled).
Setting up a rogue DHCPv6 server.

Identifying IPv6 Addresses in the eild

Exploring Subdomains

A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like ipv6.* can be effective. Specifically, the following search command can be used in Google:

bash

site:ipv6./

Utilizing DNS Queries

To identify IPv6 addresses, certain DNS record types can be queried:

AXFR: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
AAAA: Directly seeks out IPv6 addresses.
ANY: A broad query that returns all available DNS records.

Probing with Ping6

After pinpointing IPv6 addresses associated with an organization, the ping6 utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Memory dump analysis

Partitions/File Systems/Carving

Pcap Inspection

Specific Software/File-Type Tricks

Windows Artifacts

Python Sandbox Escape & Pyscript

Bypass Python sandboxes

Shells (Linux, Windows, MSFVenom)

Linux Privilege Escalation

Docker Security

Docker Breakout / Privilege Escalation

Namespaces

Interesting Groups - Linux Privesc

Bypass Linux Restrictions

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

macOS Security & Privilege Escalation

macOS Apps - Inspecting, debugging and Fuzzing

macOS Kernel & System Extensions

macOS Files, Folders, Binaries & Memory

macOS Process Abuse

macOS IPC - Inter Process Communication

macOS Library Injection

macOS Security Protections

macOS Sandbox

macOS TCC

macOS FS Tricks

macOS Red Teaming

macOS MDM

Windows Local Privilege Escalation

Dll Hijacking

Active Directory Methodology

Abusing Active Directory ACLs/ACEs

AD Certificates

Windows Security Controls

NTLM

Lateral Movement

Stealing Windows Credentials

Basic PowerShell for Pentesters

Android Applications Pentesting

Drozer Tutorial

Frida Tutorial

iOS Pentesting

Pentesting VoIP

Basic VoIP Protocols

21 - Pentesting FTP

25,465,587 - Pentesting SMTP/s

80,443 - Pentesting Web Methodology

Buckets

Drupal

Electron Desktop Apps

PHP Tricks

PHP - Useful Functions & disable_functions/open_basedir bypass

Tomcat

88tcp/udp - Pentesting Kerberos

139,445 - Pentesting SMB

161,162,10161,10162/udp - Pentesting SNMP

1433 - Pentesting MSSQL - Microsoft SQL Server

11211 - Pentesting Memcache

Reflecting Techniques - PoCs and Polygloths CheatSheet

Browser Extension Pentesting Methodology

Cache Poisoning and Cache Deception

Content Security Policy (CSP) Bypass

Cookies Hacking

Dangling Markup - HTML scriptless injection

Deserialization

NodeJS - __proto__ & prototype Pollution

File Inclusion/Path traversal

File Upload

HTTP Request Smuggling / HTTP Desync Attack

Login Bypass

PostMessage Vulnerabilities

SAML Attacks

SQL Injection

MySQL injection

NodeJS - proto & prototype Pollution

IPv6 Basic theory

Networks

Practical Usage of IPv6 in Network Commands

Deriving Link-local IPv6 from MAC Address

IPv6 Address Types

Address Prefixes

Discovering IPv6 Addresses within a Network

Way 1: Using Link-local Addresses

Way 2: Using Multicast

IPv6 Man-in-the-Middle (MitM) Attacks

Identifying IPv6 Addresses in the eild

Exploring Subdomains

Utilizing DNS Queries

Probing with Ping6

References