From 0 to ::1 - IPv6 Primer

No more IPv4 addresses
- IPv4 - 32-bit addresses, about 4.3 billion (2^32)
- IPv6 - 128-bit addresses, about 3.4 x 10^38 (2^128)
- That is 7.9 x 10^28 (2^96) times more addresses

Other motivations
- Stateless address configuration
- Multicast instead of broadcast
- Simpler, fixed-size header
- ...

Functional differences
- Addressing
- Neighbor discovery
- Address assignment

Addressing
An IPv4 address is 32 bits, written as four decimal octets:
127.0.0.1
01111111.00000000.00000000.00000001
>>> 0b01111111000000000000000000000001
2130706433

An IPv6 address is 128 bits, written as eight 16-bit hex groups separated by colons. Two shortening rules (RFC 5952): leading zeros in a group are dropped, and the single longest run of two or more all-zero groups is replaced by "::" (at most once per address, the first run on a tie).
2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b
2001:0db8:3c4d:0015::1a2f:1a2b
2001:db8:3c4d:15::1a2f:1a2b

A run of only one zero group is not collapsed to "::"; it is written as a plain 0 (RFC 5952 section 4.2.2):
2001:0db8:3c4d:0015:0000:d234:3eee:0000
2001:db8:3c4d:15:0:d234:3eee:0

Loopback: ::1 == 127.0.0.1
0b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
0000:0000:0000:0000:0000:0000:0000:0001
0:0:0:0:0:0:0:1
::1

Address layout (typical global unicast address, RFC 4291)
2001:db8:abcd:0012:0000:0000:0000:0000
- 2001:db8:abcd - global routing prefix (48 bits), the network address assigned to the site
- 0012 - subnet ID (16 bits)
- 0000:0000:0000:0000 - interface identifier (64 bits), the device address; this is why the minimum subnet is a /64

No ARP
Neighbor Discovery Protocol (NDP), RFC 4861
- Runs over ICMPv6, so ICMPv6 is now a requirement and cannot be blanket-blocked at the firewall
- Router solicitation / router advertisement (RS/RA): query the router for prefixes and default route
- Neighbor solicitation / neighbor advertisement (NS/NA): the ARP replacement
- Redirect: the router points a host at a better first hop
Uses
- Discover the link-layer addresses of neighbors and their link-local addresses
- Duplicate Address Detection (DAD) to prevent address collisions

Address Allocation
- SLAAC
- DHCPv6

DHCPv6
- Like old DHCP: query a DHCPv6 server (often the router, or reached through a relay) for an address
- Stateful: the server keeps the leases
- Not recommended here; note that Android has no DHCPv6 client, so a DHCPv6-only network leaves those devices without addresses

SLAAC
- Stateless: nothing on the network records who holds which address
- Uses NDP: the RA supplies the /64 prefix, DAD prevents collisions
- Interface ID is derived from the MAC (EUI-64) or generated randomly (privacy extensions, RFC 4941; stable-privacy, RFC 7217)
- Addresses "expire" unless refreshed by periodic RAs
- Missing pieces, e.g. DNS assignment: filled in by RDNSS options in the RA (RFC 8106) or by stateless DHCPv6

Multicast
- ff0x::/8, where x is the scope
- ff01::1 - interface-local all nodes
- ff02::1 - link-local all nodes
- ff02::2 - link-local all routers
- ...
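The following Python is an example added to this primer, not code from the original deck. It works through the mechanics the slides describe: the RFC 5952 text form (written out by hand, then cross-checked against the standard library), the prefix / subnet ID / interface ID split of the 2001:db8:abcd:0012::/64 layout, and the addresses SLAAC and NDP actually work with: the EUI-64 interface ID formed from a MAC, the resulting link-local address, and the solicited-node multicast group a Neighbor Solicitation (including Duplicate Address Detection) is sent to in place of a broadcast. It needs only the standard library; the MAC 00:11:22:33:44:55 and the prefixes are constructed sample inputs.

```python
"""IPv6 address mechanics: RFC 5952 text form, the prefix/subnet/IID split,
and the EUI-64 + solicited-node addresses used by SLAAC and NDP.
Stand-alone example code; all inputs are constructed samples."""
import ipaddress


def expand(addr: str) -> str:
    """Full eight-group, zero-padded form, e.g. ::1 -> 0000:...:0001."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """RFC 5952 text form, done by hand so the rules are visible: lowercase hex,
    leading zeros dropped, and '::' replaces only the longest run of two or more
    all-zero groups (the first such run on a tie)."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:          # strict '>' keeps the first run on ties
            best_start, best_len = i, j - i
        i = j
    hexg = [format(g, "x") for g in groups]
    if best_len < 2:                  # RFC 5952 4.2.2: no '::' for a single zero group
        return ":".join(hexg)
    return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])


def split_global(addr: str):
    """(global routing prefix /48, subnet ID, interface ID) of a global unicast
    address laid out like the primer's 2001:db8:abcd:0012::/64 example."""
    g = expand(addr).split(":")
    return ":".join(g[:3]), g[3], ":".join(g[4:])


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291 appendix A):
    insert ff:fe between the OUI and the device part and flip the
    universal/local bit (0x02 of the first byte)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address SLAAC forms from a /64 prefix (fe80::/64 for link-local, the RA's
    prefix for a global address) and the EUI-64 interface ID of the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX (RFC 4291 2.7.1): the multicast group a Neighbor
    Solicitation, DAD included, is sent to instead of a broadcast. Only hosts
    whose low 24 bits match join it, so the rest of the link is not woken up."""
    low = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low)


if __name__ == "__main__":
    for a in ("::1", "2001:0db8:3c4d:0015:0000:d234:3eee:0000", "2001:db8:0:0:1:0:0:1"):
        assert compress(a) == str(ipaddress.IPv6Address(a))   # cross-check against stdlib
        print(f"{expand(a)} -> {compress(a)}")
    print(split_global("2001:db8:abcd:12::"))
    mac = "00:11:22:33:44:55"                                  # constructed sample MAC
    ll = slaac_address("fe80::/64", mac)
    print(mac, "->", ll, " NS/DAD target:", solicited_node(str(ll)))
```

The EUI-64 path is what makes a host's MAC (and therefore vendor OUI) visible in its address; privacy extensions (RFC 4941) replace that interface ID with a random one, which is why a modern client usually shows several addresses per prefix.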
[Image: ipv6drift.png]

iptables != ip6tables
- Separate rule tables: an IPv4-only firewall policy leaves IPv6 wide open (nftables can carry both families in one "inet" table)

No NAT
- Hosts get globally routable addresses; NAT66 exists but is rarely deployed
- Exposure is governed by the firewall, not by address translation

Testing
- Normal methodology out the window
- Minimum subnet size /64 - 18,446,744,073,709,551,616 addresses
- Not realistic to scan by brute force
- Work with clients/testers for address inventories
- Use DNS and Certificate Transparency logs
- Test link-local
- Use aggregated data (e.g. Rapid7 Sonar)
- Honey pots

DNS is your new friend - AAAA (Quad A)
$ host -t AAAA google.com
google.com has IPv6 address 2607:f8b0:4006:81b::200e

Accessing an IPv6 address
http://10.13.37.8:8080/test.html
http://2607:f8b0:4006:81b::200e:8080/test.html - ambiguous: which colon separates the port?
http://[2607:f8b0:4006:81b::200e]:8080/test.html - the literal goes in square brackets
Can be forwarded through SSH (SOCKS proxy) on a v6 enabled server:
$ ssh -D 6666 v6.mil.airforce

Link-local is a better story

nmap
- IPv6 support was long marked experimental
- NDP "supported": -PR (the ARP ping option performs neighbor solicitation for on-link IPv6 targets)
- Workaround: scan addresses you already know
$ sudo nmap -6 -A -O 2001:500:2f::f

nmap scripts (discover on-link hosts through multicast)
- targets-ipv6-multicast-echo.nse
- --script-args 'newtargets,interface=eth0'
- ipv6-multicast-mld-list
- targets-ipv6-multicast-invalid-dst
- targets-ipv6-multicast-slaac

All-nodes multicast ping to enumerate the link:
$ ping6 -I eth0 ff02::1
(equivalently: ping ff02::1%eth0)

DHCPv6 hijacking / rogue RA
- mitm6
- bettercap
- thc-ipv6

msf - scanners
- auxiliary/scanner/discovery/ipv6_multicast_ping
- auxiliary/scanner/discovery/ipv6_neighbor
- auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement

msf - payloads
- ./singles/ruby/shell_bind_tcp_ipv6.rb
- ./singles/linux/x86/shell_reverse_tcp_ipv6.rb
- ./singles/linux/x86/shell_bind_ipv6_tcp.rb
- ./singles/cmd/unix/bind_ruby_ipv6.rb
- ./singles/cmd/unix/bind_netcat_gaping_ipv6.rb
- ./singles/cmd/unix/bind_perl_ipv6.rb
- ./singles/cmd/windows/bind_perl_ipv6.rb
- ./singles/windows/meterpreter_reverse_ipv6_tcp.rb
- ./singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
- ./singles/bsd/x64/shell_bind_ipv6_tcp.rb
- ./singles/bsd/x64/shell_reverse_ipv6_tcp.rb
- ./singles/bsd/x86/shell_bind_tcp_ipv6.rb
- ./singles/bsd/x86/shell_reverse_tcp_ipv6.rb
- ./singles/php/bind_php_ipv6.rb
- ./singles/php/bind_perl_ipv6.rb
- ./stagers/linux/x86/reverse_ipv6_tcp.rb
- ./stagers/linux/x86/bind_ipv6_tcp_uuid.rb
- ./stagers/linux/x86/bind_ipv6_tcp.rb
- ./stagers/windows/reverse_ipv6_tcp.rb
- ./stagers/windows/x64/bind_ipv6_tcp_uuid.rb
- ./stagers/windows/x64/bind_ipv6_tcp.rb
- ./stagers/windows/bind_ipv6_tcp_uuid.rb
- ./stagers/windows/bind_ipv6_tcp.rb
- ./stagers/bsd/x86/reverse_ipv6_tcp.rb
- ./stagers/bsd/x86/bind_ipv6_tcp.rb
- ./stagers/php/bind_tcp_ipv6.rb
- ./stagers/php/bind_tcp_ipv6_uuid.rb

Source: https://hosakacorp.net/t/ipv6.html
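The Testing section above says a /64 cannot be scanned and that targets have to come from elsewhere. The Python below is an added example (not code from the deck or from any of the tools it lists) of how a tester turns that into a target list: it puts a number on the brute-force claim, then generates candidate hosts from the address patterns operators actually use, the "low-byte", IPv4-based and "service port" patterns catalogued in RFC 7707 section 4.1, and finally builds URLs with the bracket syntax an IPv6 literal needs, including the %25 escaping of a link-local zone ID (RFC 6874). The prefix 2001:db8:1::/64 and the IPv4 host 10.13.37.8 are constructed sample inputs standing in for what a AAAA lookup and the client's inventory would supply; the function names are this example's own.

```python
"""Candidate target generation for an IPv6 /64 (RFC 7707 address patterns)
and correct URL formatting of IPv6 literals. Stand-alone example code;
prefixes and hosts below are constructed samples."""
import ipaddress


def hosts_in(prefixlen: int) -> int:
    """Number of addresses in a prefix of the given length."""
    return 2 ** (128 - prefixlen)


def years_to_scan(prefixlen: int, probes_per_second: float) -> float:
    """Wall-clock years to probe every address in the prefix once."""
    return hosts_in(prefixlen) / probes_per_second / 31_557_600


def _base(prefix: str) -> int:
    return int(ipaddress.IPv6Network(prefix, strict=False).network_address)


def low_byte_candidates(prefix: str, count: int = 256):
    """'Low-byte' pattern: manually numbered hosts prefix::0 .. prefix::count-1."""
    base = _base(prefix)
    return [ipaddress.IPv6Address(base + i) for i in range(count)]


def ipv4_based_candidates(prefix: str, v4_addrs):
    """IIDs that embed a known IPv4 address, in both spellings seen in the wild:
    prefix::a.b.c.d (the 32 bits verbatim) and prefix::a:b:c:d (each decimal
    octet written as its own hex group, so 10.13.37.8 -> :10:13:37:8)."""
    base = _base(prefix)
    out = []
    for v4 in v4_addrs:
        packed = ipaddress.IPv4Address(v4).packed
        out.append(ipaddress.IPv6Address(base + int.from_bytes(packed, "big")))
        octets_as_hex = sum(int(str(o), 16) << (16 * (3 - i)) for i, o in enumerate(packed))
        out.append(ipaddress.IPv6Address(base + octets_as_hex))
    return out


def service_port_candidates(prefix: str, ports=(22, 25, 53, 80, 443, 8080)):
    """'Service port' pattern: the port used as the IID, spelled either as hex
    digits that read like the decimal port (::80, ::443) or as the numeric
    value itself (::50, ::1bb). Duplicates (e.g. port 8) are removed."""
    base = _base(prefix)
    out = []
    for p in ports:
        out.append(ipaddress.IPv6Address(base + int(str(p), 16)))
        out.append(ipaddress.IPv6Address(base + p))
    return list(dict.fromkeys(out))


def url_for(host: str, port=None, path: str = "/") -> str:
    """http:// URL for a host. An IPv6 literal is bracketed so its colons are
    not taken for the port separator; a link-local zone ID ('%eth0') is written
    %25eth0 inside the brackets (RFC 6874). IPv4 and hostnames pass through."""
    addr, _, zone = host.partition("%")
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        literal = host
    else:
        literal = "[" + addr + ("%25" + zone if zone else "") + "]"
    return f"http://{literal}{f':{port}' if port else ''}{path}"


if __name__ == "__main__":
    print(f"/64 = {hosts_in(64):,} hosts; {years_to_scan(64, 1e6):,.0f} years at 1M probes/s")
    # constructed sample: a /64 learned from a AAAA record, IPv4 hosts from the client
    prefix, known_v4 = "2001:db8:1::/64", ["10.13.37.8"]
    candidates = (low_byte_candidates(prefix, 4)
                  + ipv4_based_candidates(prefix, known_v4)
                  + service_port_candidates(prefix, (80, 443)))
    for c in candidates:
        print(url_for(str(c), 8080, "/test.html"))
    print(url_for("fe80::1%eth0", 80))
```

Feed the generated list to nmap with -6 -iL rather than a CIDR range; the candidate set is a few hundred addresses per /64 instead of 2^64, which is the whole point. Link-local hosts found with ping6 ff02::1 need the zone ID in both the ping and the URL, which is what the %25 handling is for.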