Merge pull request #1237 from HackTricks-wiki/update_Practical_Guide_to_IPv6_Attacks_in_a_Local_Network_20250804_124606

carlospolop · web-flow · commit 1610ada7a583 · 2025-08-20T12:02:07.000+02:00
Practical Guide to IPv6 Attacks in a Local Network
diff --git a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md
@@ -241,6 +241,35 @@ sudo ip6tables -A FORWARD -i eth0 -j ACCEPT
 sudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 ```
 
+#### Router Advertisement Flags (M/O) & Default Router Preference (Prf)
+
+| Flag | Meaning | Effect on Client Behaviour |
+|------|---------|----------------------------|
+| **M (Managed Address Configuration)** | When set to `1` the host MUST use **DHCPv6** to obtain its IPv6 address. | Whole addressing comes from DHCPv6 – perfect for *mitm6* style poisoning. |
+| **O (Other Configuration)** | When set to `1` the host should use **DHCPv6** only to obtain *other* information (DNS, NTP, …). | Address still via SLAAC, but DNS can be hijacked with DHCPv6. |
+| **M=0 / O=0** | Pure SLAAC network. | Only RA / RDNSS tricks are possible – DHCPv6 won’t be sent by clients. |
+| **M=1 / O=1** | Mixed environment. | Both DHCPv6 and SLAAC are used; the surface for spoofing is the largest. |
+
+During a pentest you can simply inspect the legitimate RA once and decide which vector is feasible:
+
+```bash
+sudo tcpdump -vvv -i eth0 'icmp6 && ip6[40] == 134'   # capture Router Advertisements
+```
+
+Look for the `flags [M,O]` field in the dump – no guessing required.
+
+The **Prf** (Router Preference) field inside the RA header controls how attractive your rogue router looks when *multiple* gateways are present:
+
+| Prf value | Binary | Meaning |
+|-----------|--------|---------|
+| **High**  | `10`   | Clients prefer this router over any *Medium*/*Low* one |
+| Medium (default) | `01` | Used by almost every legitimate device |
+| Low     | `00` | Chosen only when no better router exists |
+
+When generating the packet with Scapy you can set it through the `prf` parameter as shown above (`prf=0x1` → High).  Combining **High Prf**, a **short interval**, and a **non-zero lifetime** makes your rogue gateway remarkably stable.
+
+---
+
 ### RDNSS (DNS) Spoofing via RA
 
 [RFC 8106](https://datatracker.ietf.org/doc/html/rfc8106) allows adding a **Recursive DNS Server (RDNSS)** option inside a RA.  Modern OSes (Win 10 ≥1709, Win 11, macOS Big Sur, Linux systemd-resolved, …) automatically trust it:
@@ -296,6 +325,7 @@ sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning
 - [RFC 8106 – IPv6 ND DNS Configuration](https://datatracker.ietf.org/doc/html/rfc8106)
 - [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
 - [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
+- [Practical Guide to IPv6 Attacks in a Local Network](https://habr.com/ru/articles/930526/)
 
 {{#include ../../banners/hacktricks-training.md}}
 
