Research Update Enhanced src/generic-methodologies-and-resou...

src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md

@@ -35,9 +35,32 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table
 12. **Relay-Forw (12)**: Relay agents forward messages to servers.
 13. **Relay-Repl (13)**: Servers reply to relay agents, who then deliver the message to the client.
 
+
+## Protocol Quick Facts (Attacker-Oriented)
+
+- DHCPv6 clients send messages to the link-scoped multicast `ff02::1:2` (All_DHCP_Relay_Agents_and_Servers). Relay agents can also use the site-scoped `ff05::1:3` (All_DHCP_Servers).
+- UDP ports: clients listen on `546`; servers and relay agents listen on `547`.
+- Identification uses **DUIDs** in the **Client Identifier** / **Server Identifier** options; stateful assignments use **IA_NA** (addresses) and **IA_PD** (prefix delegation).
+
+## Rogue DHCPv6 DNS Takeover (High-Level)
+
+If clients accept DNS configuration from DHCPv6, a rogue DHCPv6 server can answer Solicit/Request and supply attacker-controlled DNS settings, enabling traffic steering and relay opportunities. For practical workflows and poisoning examples, see [Pentesting IPv6](pentesting-ipv6.md).
+
+### Tooling: pretender
+
+`pretender` is a modern tool for DHCPv6 DNS takeover plus local name-resolution spoofing, often used together with relay tooling. Minimal usage:
+
+```bash
+pretender -i eth0 --dry
+pretender -i eth0 --no-ra
+pretender -i eth0
+```
+
 ## References
 
 - [https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages](https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages)
+- [https://www.rfc-editor.org/rfc/rfc8415.html](https://www.rfc-editor.org/rfc/rfc8415.html)
+- [https://github.com/RedTeamPentesting/pretender](https://github.com/RedTeamPentesting/pretender)
 
 {{#include ../../banners/hacktricks-training.md}}