Hacking IPv6 from Windows

The last article drew some constructive criticism that some penetration testers prefer (or are stuck with) using Windows, and that we had intentionally left the Windows Operating System out. Hopefully, this post will alleviate those concerns…

So here we go, IPv6 in Windows 10 should be supported straight out of the box. But if you want to double check, go to:

• Control Panel
• Network Connections
• Change adapter options
• Locate your interface, right-click and properties
• Look for the IPv6 module, ensure there is a tick in the box

IPv6 Addressing

More on IPv6 addressing, and various formats can be found here: https://en.wikipedia.org/wiki/IPv6_address

Get your IPv6 address

ipconfig

Below is the basic usage of the ipconfig command to determine your IPv6 address:

$ ipconfig

Example:

$ ipconfig
Ethernet adapter vEthernet (External):
Connection-specific DNS Suffix  . : test.local
   Link-local IPv6 Address . . . . . : fe80::75f8:76d4:930e:19d5%26
   IPv4 Address. . . . . . . . . . . : 10.2.66.190
   Subnet Mask . . . . . . . . . . . : 255.255.224.0
   Default Gateway . . . . . . . . . : 10.2.95.254

netsh

To get the most out of Windows and IPV6, you are going to have to learn how to use the netshell command or netsh.

Show your interfaces:

$ netsh int ipv6 show int
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
 10           5        1500  disconnected  Ethernet
  1          75  4294967295  connected     Loopback Pseudo-Interface 
 26          25        1500  connected     vEthernet (External)

Warning: You may have many interfaces if you have Hypervisors and Docker installed. The list above has been trimmed to make it easier to read. But the task ahead of you to identify the correct interface and IP address may be harder?

Show your IPv6 addresses:

netsh int ipv6 show address

Example of a static configured host:

netsh int ipv6 show address
Interface 26: vEthernet (External)
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Preferred     infinite   infinite fe80::75f8:76d4:930e:19d5%26

Using route

Display IPv6 route

Display your Windows IPv6 routing table:

$ route print -6

Example. Here you see different IPv6 routes for different interfaces on Windows.

$ route print -6
====================================================================
Interface List
 10...f0 de f1 1a 14 f9 ......Intel(R) 82577LM Gigabit Network    
 26...00 23 14 da 5e 90 ......Hyper-V Virtual Ethernet Adapter
  1...........................Software Loopback Interface 1
====================================================================
IPv6 Route Table
====================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 26    281 fe80::/64                On-link
 26    281 fe80::75f8:76d4:930e:19d5/128
                                    On-link
 26    281 ff00::/8                 On-link
====================================================================
Persistent Routes:
  None

Alternatively the same command with netsh

$ netsh interface ipv6 show route
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       System    256  fe80::/64                  10  Ethernet
No       System    256  fe80::/64                  26  vEthernet (External)

IPv6 Tools

IPv6 Ping

ping -6 [ipv6address]
ping -6 [link-local-ipv6address]

Example:

$ ping -6 ::1 
Pinging ::1 with 32 bytes of data:
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Ping statistics for ::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

IPv6 Traceroute

tracert -6 [ipv6address]
tracert -6 [link-local-ipv6address]

Example:

tracert -6 ::1
Tracing route to Andys-Laptop [::1]
over a maximum of 30 hops:
1    <1 ms    <1 ms    <1 ms  test-laptop [::1]
Trace complete.

Neighbour Discovery

With the following command you can display the learnt or configured IPv6 neighbours:

$ netsh int ipv6 show neigh

The following example shows neighbors on interface 26, which is a reachable router

$ netsh int ipv6 show neigh 26
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::f841:cd78:7c8a:e20d                     00-00-00-00-00-00  Unreachable
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::fb                                      33-33-00-00-00-fb  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff01:228                              33-33-ff-01-02-28  Permanent
ff02::1:ff0e:19d5                             33-33-ff-0e-19-d5  Permanent
ff02::1:ff14:322c                             33-33-ff-14-32-2c  Permanent
ff02::1:ff7e:ff50                             33-33-ff-7e-ff-50  Permanent
ff02::1:ff8a:e20d                             33-33-ff-8a-e2-0d  Permanent
ff02::1:ffb1:992d                             33-33-ff-b1-99-2d  Permanent
ff05::c                                       33-33-00-00-00-0c  Permanent

Adding Manual Routes/Neighbors

Windows Auto-Magic

Windows is an odd beast? when it comes to routing as this appears to be handled automatically. As soon as you discover a link-local host, simply try to ping it, it takes a few packets but windows should automatically add the IPv6 address to the list of known neighbours

>ping -6  fe80::20c:29ff:fee2:fdb1
Pinging fe80::20c:29ff:fee2:fdb1 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Ping statistics for fe80::20c:29ff:fee2:fdb1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>ping -6  fe80::20c:29ff:fee2:fdb1
Pinging fe80::20c:29ff:fee2:fdb1 with 32 bytes of data:
Destination host unreachable.
Reply from fe80::20c:29ff:fee2:fdb1: time=37ms
Reply from fe80::20c:29ff:fee2:fdb1: time=3ms
Reply from fe80::20c:29ff:fee2:fdb1: time=4ms
Ping statistics for fe80::20c:29ff:fee2:fdb1:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 37ms, Average = 14ms

Windows Manually Adding Routes

>netsh int ipv6 del route [prefix] [interface_string] [next_hop]

Example

>netsh int ipv6 add route fe80::/16 “vEthernet (External)” fe80::20c:29ff:fe25:2403
Ok.

Windows Manually Deleting Routes

>netsh int ipv6 del route [prefix] [interface_string] [next_hop] 

Example:

>netsh int ipv6 del route fe80::/16 “vEthernet (External)” fe80::20c:29ff:fe25:2403
Ok.

Other IPv6 Tools

Since Windows is more GUI driven on the User experience level, we do not have the luxury of many and different default command line tools . For viewing web-pages we prefer to use either Chrome/Firefox/Edge.

Just remember to encapsulate the address in square brackets ‘[ ]’

For example Google: https://[2a00:1450:4009:808::200e]/

Other tools

Using 3rd party tools (or Chocolately package manager) you can install familiar tools for accessing the usual services over IPv6.

Nmap and putty

Nmap:

Putty:

Conclusion

Hopefully, this was enough of an introduction for the more Windows orientated penetration testers to progress with and have a play? Not only to prepare for the future, but also for self development.

---

Share on: