DHCPv6

Tip

Apprenez et pratiquez le hacking AWS :HackTricks Training AWS Red Team Expert (ARTE)
Apprenez et pratiquez le hacking GCP : HackTricks Training GCP Red Team Expert (GRTE) Apprenez et pratiquez le hacking Azure : HackTricks Training Azure Red Team Expert (AzRTE)

Soutenir HackTricks

DHCPv6 vs. DHCPv4 Message Types Comparison

Une vue comparative des types de messages DHCPv6 et DHCPv4 est présentée dans le tableau ci-dessous :

DHCPv6 Message TypeDHCPv4 Message Type
Solicit (1)DHCPDISCOVER
Advertise (2)DHCPOFFER
Request (3), Renew (5), Rebind (6)DHCPREQUEST
Reply (7)DHCPACK / DHCPNAK
Release (8)DHCPRELEASE
Information-Request (11)DHCPINFORM
Decline (9)DHCPDECLINE
Confirm (4)none
Reconfigure (10)DHCPFORCERENEW
Relay-Forw (12), Relay-Reply (13)none

Detailed Explanation of DHCPv6 Message Types:

  1. Solicit (1): Initiated by a DHCPv6 client to find available servers.
  2. Advertise (2): Sent by servers in response to a Solicit, indicating availability for DHCP service.
  3. Request (3): Clients use this to request IP addresses or prefixes from a specific server.
  4. Confirm (4): Used by a client to verify if the assigned addresses are still valid on the network, typically after a network change.
  5. Renew (5): Clients send this to the original server to extend address lifetimes or update configurations.
  6. Rebind (6): Sent to any server to extend address lifetimes or update configurations, especially when no response is received to a Renew.
  7. Reply (7): Servers use this to provide addresses, configuration parameters, or to acknowledge messages like Release or Decline.
  8. Release (8): Clients inform the server to stop using one or more assigned addresses.
  9. Decline (9): Sent by clients to report that assigned addresses are in conflict on the network.
  10. Reconfigure (10): Servers prompt clients to initiate transactions for new or updated configurations.
  11. Information-Request (11): Clients request configuration parameters without IP address assignment.
  12. Relay-Forw (12): Relay agents forward messages to servers.
  13. Relay-Repl (13): Servers reply to relay agents, who then deliver the message to the client.

Quick Protocol Notes (Offensive)

  • DHCPv6 clients use UDP port 546 and servers/relays use UDP port 547.
  • Clients send Solicit to All_DHCP_Relay_Agents_and_Servers (ff02::1:2); servers/relays listen there. All_DHCP_Servers is ff05::1:3.
  • Client and server identities are carried in OPTION_CLIENTID and OPTION_SERVERID using DUIDs. This is handy for fingerprinting the same host across address changes.
  • Address assignment is requested with IA_NA (non-temporary address) and prefix delegation with IA_PD (downstream router prefix).

Recon rapide

# Basic DHCPv6 traffic capture
sudo tcpdump -vvv -i <IFACE> 'udp port 546 or udp port 547'

# THC-IPv6: discover DHCPv6 servers and their options
sudo atk6-dump_dhcp6 <IFACE>

Serveur DHCPv6 malveillant (détournement d’adresse/DNS)

# THC-IPv6: rogue DHCPv6 server advertising address + DNS
sudo atk6-fake_dhcps6 <IFACE> <PREFIX>/<LEN> <DNSv6>

Ceci est un serveur DHCPv6 rogue on-link générique. Sur les réseaux Windows/AD, associez-le à des relays de niveau supérieur (voir la page IPv6) si vous souhaitez des primitives NTLM relay.

Épuisement du pool / DHCPv6 Starvation

# THC-IPv6: exhaust the server's address pool
sudo atk6-flood_dhcpc6 <IFACE>

Mise en garde sur le message Reconfigure

DHCPv6 Reconfigure n’est pas accepté aveuglément : les clients ne l’acceptent que s’ils ont explicitement envoyé OPTION_RECONF_ACCEPT. Par défaut, un client est réticent à accepter les messages Reconfigure, donc les attaques Reconfigure peu fiables échouent souvent à moins d’observer/induire cette option.

Pentesting IPv6

Références

Tip

Apprenez et pratiquez le hacking AWS :HackTricks Training AWS Red Team Expert (ARTE)
Apprenez et pratiquez le hacking GCP : HackTricks Training GCP Red Team Expert (GRTE) Apprenez et pratiquez le hacking Azure : HackTricks Training Azure Red Team Expert (AzRTE)

Soutenir HackTricks