search

Enumeration

Credit to Roxana Kovaci (https://twitter.com/RoxanaKovaci) and her SteelCon IPv6 workshop

hashtag
Ping a host

ping6 <IPv6>(ooptional:% <Interface to go out from>) 

root@kali:~/# ping6 dead:beef:0000:0000:0250:56ff:feb9:ec70 
PING dead:beef:0000:0000:0250:56ff:feb9:ec70(dead:beef::250:56ff:feb9:ec70) 56 data bytes 
64 bytes from dead:beef::250:56ff:feb9:ec70: icmp_seq=1 ttl=63 time=32.5 ms 
64 bytes from dead:beef::250:56ff:feb9:ec70: icmp_seq=2 ttl=63 time=40.5 ms 
^C 

--- dead:beef:0000:0000:0250:56ff:feb9:ec70 ping statistics --- 
2 packets transmitted, 2 received, 0% packet loss, time 3ms 
rtt min/avg/max/mdev = 32.458/36.465/40.473/4.012 ms

hashtag
Nmap

nmap -6 –e enp0s3 –vv -F -sV –iL ipv6_hosts.txt
nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v A -6 2607:f0d0:1002:51::4

hashtag
Router advertisement

hashtag
SSH

hashtag
Access web services

http://[fe80::20c:29ff:fe69:c4e5%eth0]:8888/index.html

hashtag
Curl

curl -g -6 ”http://[fe80::a00:27ff:fe33:498e%eth0]:8080/test.txt“ -o test.txt

hashtag
SNMP

Note: Consider using Enyx (https://github.com/trickster0/Enyxarrow-up-right)

hashtag
SSH over IPv6

ssh -6 user@fe80::30a8:9d3d:3842:8593%eth0

hashtag
FTP over IPv6

ftp -6 fe80::a00:27ff:fe33:498e%eth0

hashtag
Telnet over IPv6

telnet -6 fe80::30b8:9d3d:3842:8593%eth0

hashtag
MySQL over IPv6:

mysql -h fe80::30b8:9d3d:3842:8593%eth0 -u user -p pass

hashtag
RDP over IPv6 on a different port than the default one

rdesktop [fe80::a00:27ff:fe33:498e%eth0]:45001

hashtag
Password cracking over IPv6

hydra -v -f -6 fe80::20c:29ff:fe69:c4e5%eth0 -l root -P passwords.txt ssh

ncrack -f -6 -v --user admin -P passwords.txt rdp://ipv6-localhost

hashtag
Reverse connections for getting a foothold

Metasploit framework:

payload/windows/meterpreter/reverse_ipv6_tcp

or

payload/bsd/x86/shell_reverse_tcp_ipv6, etc

PreviousScanningNextTransfering files

Last updated