HackTricks-wiki · carlospolop · Mar 12, 2026
diff --git a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md
@@ -35,9 +35,33 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table
 12. **Relay-Forw (12)**: Relay agents forward messages to servers.
 13. **Relay-Repl (13)**: Servers reply to relay agents, who then deliver the message to the client.
 
+
+## DHCPv6 Attack Surface (Pentest Notes)
+
+- DHCPv6 clients listen on UDP 546 and servers/relays on UDP 547, so these ports are high-signal for discovery and sniffing.
+- DHCPv6 can deliver DNS configuration via options **23** (DNS Recursive Name Server) and **24** (Domain Search List). RFC 3646 explicitly warns that a rogue DHCPv6 server can abuse these options to redirect DNS queries or manipulate search behavior.
+
+### Rogue DHCPv6 DNS Takeover
+
+A common L2 attack is to race the legitimate server and reply to Solicit/Information-Request messages with attacker-controlled DNS settings. This allows name-resolution hijacking and can be chained with relay tooling.
+
+```bash
+# Observe DHCPv6 traffic
+sudo tcpdump -n -i eth0 'udp port 546 or udp port 547'
+```
+
+```bash
+# Rogue DHCPv6 DNS takeover (mitm6)
+sudo mitm6 -i eth0 -d corp.local
+```
+
+`mitm6` responds to DHCPv6 requests and advertises the attacker as DNS, enabling controlled DNS responses and common relay chains (e.g., WPAD/HTTP/SMB when paired with relaying tools).
+
 ## References
 
 - [https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages](https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages)
+- [https://www.rfc-editor.org/rfc/rfc3646.html](https://www.rfc-editor.org/rfc/rfc3646.html)
+- [https://github.com/dirkjanm/mitm6](https://github.com/dirkjanm/mitm6)
 
 {{#include ../../banners/hacktricks-training.md}}