From 0 to ::1 - IPv6 Primer
IPv4
- 4.3 billion
IPv6
- 3.4 × 10^38
Stateless
Multicast without broadcast
Simpler header
...
Functional differences
- Addressing
- Neighbor discovery
- Address assignment
Addressing
127.0.0.1
01111111.00000000.00000000.00000001
>>> 0b01111111000000000000000000000001
2130706433
::1
2001:0db8:3c4d:0015::1a2f:1a2b
2001:db8:3c4d:15::1a2f:1a2b
2001:0db8:3c4d:0015:0000:d234:3eee:0000
2001:db8:3c4d:15:0:d234:3eee::
Loopback: ::1 == 127.0.0.1
0b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
0000:0000:0000:0000:0000:0000:0000:0001
0:0:0:0:0:0:0:1
::1
2001:db8:abcd:0012:0000:0000:0000:0000
2001:db8:abcd - Network address
0012 - Subnet address
0000:0000:0000:0000 - Device Address
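
Added example (not from the original slides): the expand and compress steps shown above, written out in Python so they can be cross-checked against the standard ipaddress module. It assumes plain hex groups only (no zone IDs, no embedded dotted IPv4), and the 48/16/64 split mirrors the slide's example rather than a fixed rule.

```python
import ipaddress
import string

HEX = set(string.hexdigits)

def expand(addr: str) -> str:
    """Full form: replace '::' with the missing zero groups, pad each group to 4 digits."""
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    fill = 8 - len(left) - len(right) if sep else 0
    if sep and fill < 1:
        raise ValueError(f"'::' must stand for at least one group: {addr!r}")
    groups = left + ["0"] * fill + right
    if len(groups) != 8 or not all(1 <= len(g) <= 4 and set(g) <= HEX for g in groups):
        raise ValueError(f"not an IPv6 address: {addr!r}")
    return ":".join(g.lower().zfill(4) for g in groups)

def compress(addr: str) -> str:
    """Canonical short form (RFC 5952): strip leading zeros, collapse the longest
    run of two or more zero groups (first run wins a tie) into '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    start, length, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > length:
            start, length = i, j - i
        i = max(j, i + 1)
    if length < 2:  # a single zero group stays "0" in canonical output
        return ":".join(groups)
    return ":".join(groups[:start]) + "::" + ":".join(groups[start + length:])

def split_parts(addr: str) -> dict:
    """Split per the slide: 48-bit network, 16-bit subnet, 64-bit device part."""
    g = expand(addr).split(":")
    return {"network": ":".join(g[:3]), "subnet": g[3], "device": ":".join(g[4:])}

def same_address(a: str, b: str) -> bool:
    """Compare parsed 128-bit values, never the text forms (allowlists, log joins)."""
    return int(ipaddress.IPv6Address(a)) == int(ipaddress.IPv6Address(b))

if __name__ == "__main__":
    for text in ("::1", "2001:0db8:3c4d:0015::1a2f:1a2b", "2001:db8:3c4d:15:0:d234:3eee::"):
        print(f"{text:34} {expand(text)}  {compress(text)}")
    print(split_parts("2001:db8:abcd:0012::"))
```

The canonical form of 2001:db8:3c4d:15:0:d234:3eee:: ends in :0, because RFC 5952 does not shorten a single zero group. Both spellings parse to the same address, which is why allowlists and log correlation should compare parsed values, not strings.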
Neighbor Discovery Protocol (NDP)
- ICMPv6 to query the router
- ICMPv6 now a requirement
- Router solicitation/advertisement
- Neighbor solicitation/advertisement
- Redirection
Uses
- Find link-local
- Prevent IP collisions
Address Allocation
- SLAAC
- DHCPv6
DHCPv6
- Like old DHCP
- Query router for IP
- Stateful
- Not recommended
SLAAC
- Uses NDP to prevent collisions
- Random address generation
- Stateless
- "Expire" (unless RA)
- Missing pieces, i.e. DNS assignment
Multicast
- ff0x::
- ff01::1 - Interface local nodes
- ff02::1 - Link local nodes
...
NO NAT
Normal methodology out the window
Minimum subnet size /64
- 18,446,744,073,709,551,616
Work with clients/testers
Use DNS and CT logs
Test link local
Use aggregated data (sonar)
DNS is your new friend
- AAAA (Quad A)
$ host -t AAAA google.com
google.com has IPv6 address 2607:f8b0:4006:81b::200e
Accessing an IPv6 address
http://10.13.37.8:8080/test.html
http://2607:f8b0:4006:81b::200e???/test.html
http://[2607:f8b0:4006:81b::200e]:8080/test.html
Can be forwarded through SSH on v6 enabled server
$ ssh -D 6666 v6.mil.airforce
Link-local is a better story
Workaround:
$ sudo nmap -6 -A -O 2001:500:2f::f
nmap scripts
- targets-ipv6-multicast-echo.nse
- script-args 'newtargets,interface=eth0'
- ipv6-multicast-mld-list
- targets-ipv6-multicast-invalid-dst
- targets-ipv6-multicast-slaac
msf - scanners
- auxiliary/scanner/discovery/ipv6_multicast_ping
- auxiliary/scanner/discovery/ipv6_neighbor
- auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
msf - payloads
- ./singles/ruby/shell_bind_tcp_ipv6.rb
- ./singles/linux/x86/shell_reverse_tcp_ipv6.rb
- ./singles/linux/x86/shell_bind_ipv6_tcp.rb
- ./singles/cmd/unix/bind_ruby_ipv6.rb
- ./singles/cmd/unix/bind_netcat_gaping_ipv6.rb
- ./singles/cmd/unix/bind_perl_ipv6.rb
- ./singles/cmd/windows/bind_perl_ipv6.rb
- ./singles/windows/meterpreter_reverse_ipv6_tcp.rb
- ./singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
- ./singles/bsd/x64/shell_bind_ipv6_tcp.rb
- ./singles/bsd/x64/shell_reverse_ipv6_tcp.rb
- ./singles/bsd/x86/shell_bind_tcp_ipv6.rb
- ./singles/bsd/x86/shell_reverse_tcp_ipv6.rb
- ./singles/php/bind_php_ipv6.rb
- ./singles/php/bind_perl_ipv6.rb
- ./stagers/linux/x86/reverse_ipv6_tcp.rb
- ./stagers/linux/x86/bind_ipv6_tcp_uuid.rb
- ./stagers/linux/x86/bind_ipv6_tcp.rb
- ./stagers/windows/reverse_ipv6_tcp.rb
- ./stagers/windows/x64/bind_ipv6_tcp_uuid.rb
- ./stagers/windows/x64/bind_ipv6_tcp.rb
- ./stagers/windows/bind_ipv6_tcp_uuid.rb
- ./stagers/windows/bind_ipv6_tcp.rb
- ./stagers/bsd/x86/reverse_ipv6_tcp.rb
- ./stagers/bsd/x86/bind_ipv6_tcp.rb
- ./stagers/php/bind_tcp_ipv6.rb
- ./stagers/php/bind_tcp_ipv6_uuid.rb
https://hosakacorp.net/t/ipv6.html