From fff1ed26b453d95981fd21cbd0f35e8bfd93431a Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 12 Mar 2026 16:37:59 +0000 Subject: [PATCH] Add content from: Research Update Enhanced src/generic-methodologies-and-resou... --- .../pentesting-network/dhcpv6.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md index c5b4964eb07..c1b18c594d8 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md +++ b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md 
@@ -35,9 +35,32 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table 12. **Relay-Forw (12)**: Relay agents forward messages to servers. 13. **Relay-Repl (13)**: Servers reply to relay agents, who then deliver the message to the client. + +## Protocol Quick Facts (Attacker-Oriented) + +- DHCPv6 clients send messages to the link-scoped multicast `ff02::1:2` (All_DHCP_Relay_Agents_and_Servers). Relay agents can also use the site-scoped `ff05::1:3` (All_DHCP_Servers). +- UDP ports: clients listen on `546`; servers and relay agents listen on `547`. +- Identification uses **DUIDs** in the **Client Identifier** / **Server Identifier** options; stateful assignments use **IA_NA** (addresses) and **IA_PD** (prefix delegation). + +## Rogue DHCPv6 DNS Takeover (High-Level) + +If clients accept DNS configuration from DHCPv6, a rogue DHCPv6 server can answer Solicit/Request and supply attacker-controlled DNS settings, enabling traffic steering and relay opportunities. For practical workflows and poisoning examples, see [Pentesting IPv6](pentesting-ipv6.md). + +### Tooling: pretender + +`pretender` is a modern tool for DHCPv6 DNS takeover plus local name-resolution spoofing, often used together with relay tooling. Minimal usage: + +```bash +pretender -i eth0 --dry +pretender -i eth0 --no-ra +pretender -i eth0 +``` + ## References - [https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages](https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages) +- [https://www.rfc-editor.org/rfc/rfc8415.html](https://www.rfc-editor.org/rfc/rfc8415.html) +- [https://github.com/RedTeamPentesting/pretender](https://github.com/RedTeamPentesting/pretender) {{#include ../../banners/hacktricks-training.md}}
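Review bot: in the `### Tooling: pretender` block, the three invocations are listed with no indication of how they differ, so a reader cannot tell what `--dry` and `--no-ra` change relative to the bare `pretender -i eth0`. Please add a one-line comment above each command stating its effect, and say which one is safe to run first on a production segment. In the same hunk, "Rogue DHCPv6 DNS Takeover (High-Level)" names the precondition ("If clients accept DNS configuration from DHCPv6") but gives neither a way to confirm it nor any mitigation or detection pointer; a short sentence covering the defensive side, or a link to where the page set covers it, would balance the section. Finally, the "Protocol Quick Facts" bullets (multicast addresses, ports `546`/`547`, DUID/IA_NA/IA_PD) carry no inline citation even though the RFC 8415 link is added under References; linking the RFC from that list would make the values checkable.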