IPv6

fe80::c2d9:184f:9f41:3c8d

-> fe80:0000:0000:0000:c2d9:184f:9f41:3c8d

Types of IPv6 Addresses (closest IPv4 equivalents in parentheses):

fe80::/10 - Unique Link-Local (169.254.x.x)

fc00::/7 - Unique Local-Unicast (10.x.x.x, 172.16.x.x, 192.168.x.x)

2000::/3 - Global Unicast

ff02::1 - Multicast All Nodes

ff02::2 - Multicast ROUTER nodes

Calculate IPv6 address from MAC address (Linux)

  • Linux systems calculate the IPv6 link-local address from the device's MAC address

    • Windows does it a bit differently

E.g.

MAC - 00:50:56:aa:8a:25 -> 0050:56aa:8a25

IPv6 Link Local - fe80::250:56ff:feaa:8a25

  • The 7th bit of the first byte gets inverted (00 becomes 02)

0000 0010

MAC - 250:56aa:8a25

  • Also, insert ff:fe halfway through the MAC

  • Target system's link-local address - fe80::0250:56ff:feaa:8a25

You can use the ARP table to get a system's MAC address (ping the target's IPv4 address first, so that its entry gets added to your ARP table)

arp -n
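
The MAC-to-link-local calculation above, written out as an added example (not part of the original notes). The function names are hypothetical; the reverse function also shows how to tell whether an address was built from a MAC at all, which is what the `ff:fe` in the middle indicates.

```python
import ipaddress
import re


def mac_to_link_local(mac: str) -> str:
    """Derive the fe80:: link-local address from a 48-bit MAC address."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)    # accept ':', '-' or '.' separators
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                            # invert the 7th bit of the first byte
    # Insert ff:fe halfway through the MAC to get the 64-bit interface ID
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    prefix = bytes.fromhex("fe80") + bytes(6)    # fe80:0000:0000:0000
    return str(ipaddress.IPv6Address(prefix + iid))


def link_local_to_mac(addr: str):
    """Recover the MAC from a MAC-derived address, or None if it is not one."""
    addr = addr.split("%", 1)[0]                 # drop an interface suffix such as %ens34
    iid = ipaddress.IPv6Address(addr).packed[8:] # last 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None                              # interface ID was not built from a MAC
    octets = bytearray(iid[:3] + iid[5:])        # remove the inserted ff:fe
    octets[0] ^= 0x02                            # flip the 7th bit back
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Values taken from the examples in these notes
    print(mac_to_link_local("00:50:56:aa:8a:25"))
    print(link_local_to_mac("fe80::0250:56ff:feaa:4146%ens34"))
```
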

Ping IPv6

  • Use the ping6 command

  • Must specify the interface at the end (if pinging a link-local address)

    • E.g. %ens34

ping6 fe80::0250:56ff:feaa:4146%ens34

IPv6 Neighbors

ip -6 neigh

  • The IPv6 equivalent of an arp table

  • To be able to see all IPv6 addresses on the network from this command, first ping the IPv6 multicast all nodes address

ping6 -I ens34 ff02::1

ip -6 neigh

  • Note: this will only show us the Linux systems. Windows systems don't respond to multicast all-nodes pings

ip6tables -L

  • Shows the rules

service ufw stop

  • Stops the firewall

ping6 -I ens34 ff02::1

  • Will now send the multicast to all nodes (not just us this time)

  • You can clear the network cache in Linux with…

service networking restart

  • To get the Windows systems to respond, we must send them an invalid ICMP packet

    • They respond that the packet is invalid

    • This can be used to identify that they exist

  • Use THC IPv6 attack toolkit to generate these invalid IPv6 packets

./alive6 ens34 -e ff02::1

  • The ones that respond with ICMP echo-reply are Linux

  • The ones that respond with ICMP parameter problem are Windows

Find reachable hosts

ping6 -I <network interface> ff02::1

ff02::1 is the all-nodes multicast address

then run:

ip -6 neigh

arp -an

Tells you which IPv6 address corresponds to which IPv4 address, if it's in the ARP table

Browsing to a page with IPv6

  • In your browser, enclose the IPv6 address in brackets to browse to the page

e.g.

http://[dead:beef::250:56ff:feb2:0190]/
