Add content from: Research Update Enhanced src/generic-methodologies-and-resou...

HackTricks News Bot · HackTricks News Bot · commit 7e07da021cf1 · 2026-03-12T17:01:33.000Z
diff --git a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md
@@ -35,11 +35,54 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table
 12. **Relay-Forw (12)**: Relay agents forward messages to servers.
 13. **Relay-Repl (13)**: Servers reply to relay agents, who then deliver the message to the client.
 
+
+## Quick Protocol Notes (Offensive)
+
+- DHCPv6 clients use UDP port `546` and servers/relays use UDP port `547`.
+- Clients send Solicit to **All_DHCP_Relay_Agents_and_Servers** (`ff02::1:2`); servers/relays listen there. **All_DHCP_Servers** is `ff05::1:3`.
+- Client and server identities are carried in `OPTION_CLIENTID` and `OPTION_SERVERID` using **DUIDs**. This is handy for fingerprinting the same host across address changes.
+- Address assignment is requested with `IA_NA` (non-temporary address) and prefix delegation with `IA_PD` (downstream router prefix).
+
+### Quick Recon
+
+```bash
+# Basic DHCPv6 traffic capture
+sudo tcpdump -vvv -i <IFACE> 'udp port 546 or udp port 547'
+
+# THC-IPv6: discover DHCPv6 servers and their options
+sudo atk6-dump_dhcp6 <IFACE>
+```
+
+### Rogue DHCPv6 Server (Address/DNS Hijack)
+
+```bash
+# THC-IPv6: rogue DHCPv6 server advertising address + DNS
+sudo atk6-fake_dhcps6 <IFACE> <PREFIX>/<LEN> <DNSv6>
+```
+
+This is a generic on-link rogue DHCPv6 server. On Windows/AD networks, pair this with higher-level relays (see the IPv6 page) if you want NTLM relay primitives.
+
+### Pool Exhaustion / DHCPv6 Starvation
+
+```bash
+# THC-IPv6: exhaust the server's address pool
+sudo atk6-flood_dhcpc6 <IFACE>
+```
+
+### Reconfigure Message Caveat
+
+DHCPv6 **Reconfigure** is not blindly accepted: clients only accept it if they explicitly sent `OPTION_RECONF_ACCEPT`. By default, a client is **unwilling** to accept Reconfigure messages, so unsolid Reconfigure attacks often fail unless you observe/induce that option.
+
+{{#ref}}
+pentesting-ipv6.md
+{{#endref}}
+
 ## References
 
 - [https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages](https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages)
 
+- [https://www.rfc-editor.org/rfc/rfc8415](https://www.rfc-editor.org/rfc/rfc8415)
+- [https://www.kali.org/tools/thc-ipv6/](https://www.kali.org/tools/thc-ipv6/)
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
