Skip to content

Latest commit

 

History

History
1958 lines (1464 loc) · 48.9 KB

File metadata and controls

1958 lines (1464 loc) · 48.9 KB

ProRT-IP IPv6 Usage Guide

Version: 1.0 Last Updated: 2025-10-29 Sprint: 5.1 Phase 4.3 Status: Production-Ready - 100% IPv6 Scanner Coverage


Table of Contents

  1. Overview
  2. IPv6 Addressing Fundamentals
  3. CLI Flags Reference
  4. Scanner-Specific IPv6 Behavior
  5. Protocol Details
  6. Performance Characteristics
  7. Common Use Cases
  8. Troubleshooting
  9. Best Practices
  10. Advanced Topics

Overview

ProRT-IP WarScan provides comprehensive IPv6 support across all scanning modes, enabling network reconnaissance in dual-stack and IPv6-only environments. As of Sprint 5.1, all 6 scanner types support both IPv4 and IPv6 protocols.

Why IPv6 Matters

  • Adoption Growth: IPv6 deployment exceeded 40% globally as of 2024
  • Dual-Stack Networks: Most modern networks support both IPv4 and IPv6
  • IoT Explosion: Many IoT devices are IPv6-first or IPv6-only
  • Security: IPv6-only attack surfaces are often overlooked in security assessments
  • Future-Proofing: IPv4 address exhaustion makes IPv6 inevitable

ProRT-IP IPv6 Capabilities

  • 100% Scanner Coverage: All 6 scan types (TCP Connect, SYN, UDP, Stealth, Discovery, Decoy) support IPv6
  • Dual-Stack Resolution: Automatic hostname resolution to both IPv4 and IPv6
  • Protocol Preference: User-controlled preference for IPv4 vs IPv6 with fallback
  • CIDR Support: Full IPv6 CIDR notation (/64, /48, etc.) for subnet scanning
  • ICMPv6 & NDP: Native support for IPv6 discovery protocols
  • Performance Parity: IPv6 scans match or exceed IPv4 performance on modern hardware

Version History

Sprint Feature Status
4.21 TCP Connect IPv6, packet building ✅ Complete
5.1 Phase 1 TCP Connect + SYN IPv6 ✅ Complete
5.1 Phase 2 UDP + Stealth IPv6 ✅ Complete
5.1 Phase 3 Discovery + Decoy IPv6 ✅ Complete
5.1 Phase 4 CLI flags, cross-scanner tests, docs ✅ Complete

IPv6 Addressing Fundamentals

Address Types

1. Global Unicast Addresses (2000::/3)

Purpose: Internet-routable addresses (equivalent to public IPv4)

Format: 2001:db8:85a3::8a2e:370:7334

Examples:

# Scan a single global unicast address
prtip -sS -p 80,443 2001:4860:4860::8888

# Scan a global unicast /64 subnet
prtip -sS -p 80,443 2001:db8::/64

Characteristics:

  • Routable on the public internet
  • Typically assigned by ISPs or regional registries
  • First 48 bits: Global routing prefix
  • Next 16 bits: Subnet ID
  • Last 64 bits: Interface Identifier (IID)

2. Link-Local Addresses (fe80::/10)

Purpose: Communication within a single network segment (equivalent to APIPA in IPv4)

Format: fe80::1234:5678:90ab:cdef

Examples:

# Scan link-local address (requires interface specification on some platforms)
prtip -sS -p 80,443 fe80::1%eth0

# Scan link-local /64 subnet
prtip -sS -p 80,443 fe80::/64

Characteristics:

  • Not routable beyond local link
  • Auto-configured on all IPv6 interfaces
  • Always start with fe80::
  • Require zone ID (%eth0, %en0) on multi-homed systems
  • Common for device-to-device communication

3. Unique Local Addresses (ULA) (fc00::/7)

Purpose: Private IPv6 networks (equivalent to RFC 1918 in IPv4)

Format: fd00:1234:5678:90ab::1

Examples:

# Scan ULA address
prtip -sS -p 22,80,443 fd12:3456:789a:1::1

# Scan ULA /48 organization network
prtip -sS -p 22,80,443 fd00:1234:5678::/48

Characteristics:

  • Not routable on public internet
  • Unique within an organization
  • fc00::/7 range (fd00::/8 for locally assigned)
  • No central registry (like RFC 1918 addresses)

4. Multicast Addresses (ff00::/8)

Purpose: One-to-many communication

Format: ff02::1 (all nodes), ff02::2 (all routers)

Examples:

# Scan all nodes on local link (may not work due to firewall rules)
prtip -sS -p 80,443 ff02::1

# NDP solicited-node multicast (used by Discovery Engine)
# Format: ff02::1:ffXX:XXXX (last 24 bits of target address)

Characteristics:

  • ff01:: = Interface-local
  • ff02:: = Link-local
  • ff05:: = Site-local
  • ff0e:: = Global
  • Used for NDP, router discovery, mDNS, etc.

5. Loopback Address (::1/128)

Purpose: Local host testing (equivalent to 127.0.0.1 in IPv4)

Format: ::1

Examples:

# Scan IPv6 loopback (common for testing)
prtip -sS -p 80,443 ::1

# Test all scanners on loopback
prtip -sT -p 22,80,443,3306,5432 ::1
prtip -sS -p 22,80,443,3306,5432 ::1 --privileged
prtip -sU -p 53,161,123 ::1

Characteristics:

  • Single address (not a subnet like 127.0.0.0/8)
  • Always refers to local system
  • Cannot be assigned to physical interface
  • Ideal for scanner validation tests

6. Unspecified Address (::/128)

Purpose: Indicates absence of an address

Format: :: or 0:0:0:0:0:0:0:0

Characteristics:

  • Used before address assignment
  • Cannot be used as destination
  • Equivalent to 0.0.0.0 in IPv4

Address Notation

Full Format

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Compressed Format (Recommended)

2001:db8:85a3::8a2e:370:7334

Rules:

  • Leading zeros in each 16-bit block can be omitted: 0db8 → db8
  • Consecutive zero blocks can be replaced with :: (only once): 0000:0000 → ::
  • Use lowercase hexadecimal (convention, not requirement)

CIDR Notation

# /64 subnet (most common, 18.4 quintillion addresses)
2001:db8::/64

# /48 site (65,536 subnets)
2001:db8:1234::/48

# /32 ISP allocation
2001:db8::/32

# /128 single host
2001:db8::1/128

Common Prefix Lengths:

  • /128: Single host
  • /64: Single subnet (default for LANs)
  • /56: Small organization (256 subnets)
  • /48: Medium organization (65,536 subnets)
  • /32: Large organization or ISP

CLI Flags Reference

ProRT-IP provides Nmap-compatible CLI flags for IPv6 protocol control.

Primary Flags

-6 / --ipv6 - Force IPv6

Purpose: Prefer IPv6 addresses when resolving hostnames

Usage:

# Force IPv6 resolution for hostname
prtip -sS -6 -p 80,443 example.com

# Still accepts IPv6 literals
prtip -sS -6 -p 80,443 2001:db8::1

# Mixed targets (hostname resolved to IPv6, literal used as-is)
prtip -sS -6 -p 80,443 example.com 192.168.1.1 2001:db8::1

Behavior:

  • Hostnames resolve to AAAA records (IPv6)
  • IPv4 literals remain IPv4
  • IPv6 literals remain IPv6
  • Falls back to IPv4 if no AAAA record exists

Nmap Compatibility: ✅ Equivalent to nmap -6


-4 / --ipv4 - Force IPv4

Purpose: Prefer IPv4 addresses when resolving hostnames

Usage:

# Force IPv4 resolution for hostname
prtip -sS -4 -p 80,443 example.com

# Still accepts IPv4 literals
prtip -sS -4 -p 80,443 192.168.1.1

# Mixed targets (hostname resolved to IPv4, literal used as-is)
prtip -sS -4 -p 80,443 example.com 192.168.1.1 2001:db8::1

Behavior:

  • Hostnames resolve to A records (IPv4)
  • IPv4 literals remain IPv4
  • IPv6 literals remain IPv6
  • Falls back to IPv6 if no A record exists

Nmap Compatibility: ✅ Equivalent to nmap -4


Advanced Flags

--prefer-ipv6 - Prefer IPv6 with Fallback

Purpose: Use IPv6 when available, fall back to IPv4

Usage:

# Prefer IPv6, accept IPv4 fallback
prtip -sS --prefer-ipv6 -p 80,443 dual-stack.example.com

# Useful for dual-stack networks
prtip -sS --prefer-ipv6 -p 80,443 192.168.1.0/24 2001:db8::/64

Behavior:

  • Try AAAA record first
  • Fall back to A record if AAAA not found
  • IPv4/IPv6 literals always work
  • Graceful degradation for mixed environments

Use Case: Testing IPv6 connectivity before committing to IPv6-only


--prefer-ipv4 - Prefer IPv4 with Fallback

Purpose: Use IPv4 when available, fall back to IPv6

Usage:

# Prefer IPv4, accept IPv6 fallback
prtip -sS --prefer-ipv4 -p 80,443 dual-stack.example.com

# Default behavior for legacy networks
prtip -sS --prefer-ipv4 -p 80,443 10.0.0.0/8 fd00::/48

Behavior:

  • Try A record first
  • Fall back to AAAA record if A not found
  • IPv4/IPv6 literals always work
  • Legacy-friendly default

Use Case: Gradual IPv6 migration, prefer tested IPv4 infrastructure


--ipv6-only - Strict IPv6 Mode

Purpose: Reject all IPv4 addresses, IPv6 only

Usage:

# IPv6-only scan (error on IPv4 targets)
prtip -sS --ipv6-only -p 80,443 2001:db8::/64

# Error: IPv4 address provided in IPv6-only mode
prtip -sS --ipv6-only -p 80,443 192.168.1.1
# Error: Target 192.168.1.1 is IPv4, but --ipv6-only specified

Behavior:

  • IPv4 literals cause immediate error
  • Hostnames must resolve to AAAA records
  • A-only hostnames cause error
  • Enforces pure IPv6 scanning

Use Case: IPv6-only networks, security assessments requiring IPv6 purity


--ipv4-only - Strict IPv4 Mode

Purpose: Reject all IPv6 addresses, IPv4 only

Usage:

# IPv4-only scan (error on IPv6 targets)
prtip -sS --ipv4-only -p 80,443 192.168.1.0/24

# Error: IPv6 address provided in IPv4-only mode
prtip -sS --ipv4-only -p 80,443 2001:db8::1
# Error: Target 2001:db8::1 is IPv6, but --ipv4-only specified

Behavior:

  • IPv6 literals cause immediate error
  • Hostnames must resolve to A records
  • AAAA-only hostnames cause error
  • Enforces pure IPv4 scanning

Use Case: Legacy networks, IPv4-only security assessments


Flag Conflicts

Conflicting Flags (Error):

# Error: Cannot specify both -6 and -4
prtip -sS -6 -4 -p 80,443 example.com

# Error: Cannot specify both --ipv6-only and --prefer-ipv4
prtip -sS --ipv6-only --prefer-ipv4 -p 80,443 example.com

Valid Combinations:

# OK: -6 is just a preference, compatible with preference flags
prtip -sS -6 --prefer-ipv6 -p 80,443 example.com

# OK: Multiple targets, single protocol preference
prtip -sS -6 -p 80,443 host1.example.com host2.example.com

Scanner-Specific IPv6 Behavior

1. TCP Connect Scanner (-sT)

IPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 1.1-1.5)

Description: Completes full TCP three-way handshake using standard OS TCP stack.

Usage:

# IPv6 single host
prtip -sT -p 80,443 2001:db8::1

# IPv6 CIDR
prtip -sT -p 22,80,443 2001:db8::/64

# Dual-stack target list
prtip -sT -p 80,443 192.168.1.1 2001:db8::1 example.com

Behavior:

  • Uses kernel TCP stack (no raw sockets required)
  • No privilege escalation needed
  • Automatic IPv4/IPv6 socket creation
  • RST sent on port closure (logged by target)
  • Full connection establishment

Performance:

  • IPv6 overhead: <5% vs IPv4 on modern hardware
  • Loopback: ~5ms for 6 ports
  • LAN: ~20-50ms depending on RTT
  • WAN: Comparable to IPv4 (dominated by RTT)

Port States:

  • Open: SYN → SYN+ACK → ACK completed
  • Closed: SYN → RST received
  • Filtered: SYN timed out (no response)

Example Output:

Scanning 2001:db8::1...
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp closed   mysql
8080/tcp filtered http-alt

2. SYN Scanner (-sS)

IPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 1.6)

Description: Sends TCP SYN packets without completing handshake (half-open scanning).

Privileges: Requires root/administrator (raw socket access)

Usage:

# IPv6 SYN scan (requires sudo)
sudo prtip -sS -p 80,443 2001:db8::1

# IPv6 subnet scan
sudo prtip -sS -p 1-1000 2001:db8::/64

# Dual-stack with IPv6 preference
sudo prtip -sS -6 -p 80,443 example.com

Behavior:

  • Sends SYN, waits for SYN+ACK or RST
  • Sends RST to abort connection (no full handshake)
  • Stealthier than Connect scan (less logging)
  • Raw socket packet crafting required
  • Automatic checksum calculation for IPv6 pseudo-header

Performance:

  • IPv6 overhead: <10% vs IPv4 (raw socket overhead)
  • Loopback: ~10ms for 6 ports
  • LAN: ~15-40ms
  • WAN: Comparable to TCP Connect

Port States:

  • Open: SYN → SYN+ACK received
  • Closed: SYN → RST received
  • Filtered: SYN timed out (no response, or ICMP unreachable)

IPv6 Considerations:

  • IPv6 header: 40 bytes (vs 20 bytes IPv4)
  • TCP pseudo-header checksum includes IPv6 addresses
  • Extension headers supported but rare in practice
  • No fragmentation by default (Path MTU Discovery required)

Example Output:

Scanning 2001:db8::1 (SYN scan)...
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3000/tcp filtered node
8080/tcp closed   http-proxy

3. UDP Scanner (-sU)

IPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 2.1-2.3)

Description: Sends UDP datagrams with protocol-specific payloads, interprets responses.

Privileges: Requires root/administrator (raw socket for ICMP reception)

Usage:

# IPv6 UDP scan (common services)
sudo prtip -sU -p 53,123,161 2001:db8::1

# IPv6 subnet UDP scan (DNS servers)
sudo prtip -sU -p 53 2001:db8::/64

# Dual-stack DNS scan
sudo prtip -sU -p 53 192.168.1.0/24 2001:db8::/64

Behavior:

  • Sends UDP datagrams to target ports
  • Waits for UDP response or ICMPv6 Port Unreachable
  • Protocol-specific payloads for common services (DNS, SNMP, NTP, etc.)
  • Interprets ICMPv6 Type 1 Code 4 (Port Unreachable) as "closed"
  • Timeout indicates "open|filtered" (ambiguous state)

Performance:

  • Slower than TCP: 10-100x due to stateless nature
  • IPv6 overhead: <5% vs IPv4 (same protocol logic)
  • Timeout-dependent: Recommended T4 or T5 timing
  • Parallelism helps: Use high --max-concurrent values

Protocol Payloads (IPv6-compatible):

  • DNS (53): Query for version.bind TXT record
  • SNMP (161): GetRequest for sysDescr.0
  • NTP (123): Mode 3 client request
  • mDNS (5353): PTR query for _services._dns-sd._udp.local
  • DHCPv6 (547): SOLICIT message
  • NetBIOS (137): Name query (IPv4 only, legacy)

Port States:

  • Open: UDP response received
  • Closed: ICMPv6 Port Unreachable received
  • Open|Filtered: No response (timeout)
  • Filtered: ICMPv6 Administratively Prohibited

ICMPv6 Response Handling:

  • Type 1, Code 4: Port Unreachable (closed)
  • Type 1, Code 1: Communication Administratively Prohibited (filtered)
  • Type 1, Code 3: Address Unreachable (host down)
  • Type 3: Time Exceeded (filtered, deep firewall)

Example Output:

Scanning 2001:db8::1 (UDP scan)...
PORT     STATE          SERVICE
53/udp   open           dns
123/udp  open|filtered  ntp
161/udp  open           snmp
162/udp  open|filtered  snmptrap
514/udp  closed         syslog

4. Stealth Scanners (-sF, -sN, -sX, -sA)

IPv6 Support: ✅ Full dual-stack (Sprint 5.1 Phase 2.4-2.7)

Description: Send TCP packets with unusual flag combinations to evade firewalls.

Privileges: Requires root/administrator (raw socket access)

FIN Scan (-sF)

Usage:

# IPv6 FIN scan
sudo prtip -sF -p 80,443 2001:db8::1

# IPv6 subnet FIN scan
sudo prtip -sF -p 1-1000 2001:db8::/64

Behavior:

  • Sends TCP packet with FIN flag only
  • Open ports: No response (FIN ignored)
  • Closed ports: RST response
  • Evades simple stateful firewalls

NULL Scan (-sN)

Usage:

# IPv6 NULL scan
sudo prtip -sN -p 80,443 2001:db8::1

Behavior:

  • Sends TCP packet with no flags set
  • Open ports: No response (NULL packet ignored)
  • Closed ports: RST response
  • More stealthy than FIN scan

Xmas Scan (-sX)

Usage:

# IPv6 Xmas scan
sudo prtip -sX -p 80,443 2001:db8::1

Behavior:

  • Sends TCP packet with FIN+PSH+URG flags ("lit up like a Christmas tree")
  • Open ports: No response
  • Closed ports: RST response
  • Signature is easily detectable by modern IDS

ACK Scan (-sA)

Usage:

# IPv6 ACK scan (firewall detection)
sudo prtip -sA -p 80,443 2001:db8::1

Behavior:

  • Sends TCP packet with ACK flag only
  • Purpose: Firewall detection, not port state
  • Unfiltered: RST response (regardless of port state)
  • Filtered: No response or ICMP unreachable

Port States (Stealth Scans):

  • Open|Filtered: No response (timeout)
  • Closed: RST received
  • Filtered: ICMP unreachable or persistent timeout

IPv6 Considerations:

  • IPv6 firewalls may behave differently than IPv4
  • Stateful firewalls often block these scans
  • Windows systems don't follow RFC 793 for closed ports (send RST for NULL/FIN/Xmas)
  • Many modern firewalls detect and block stealth scans

Example Output:

Scanning 2001:db8::1 (FIN scan)...
PORT     STATE          SERVICE
22/tcp   open|filtered  ssh
80/tcp   open|filtered  http
443/tcp  closed         https
3306/tcp open|filtered  mysql

5. Discovery Engine (--discovery)

IPv6 Support: ✅ Full ICMPv6 & NDP (Sprint 5.1 Phase 3.1-3.2)

Description: Host discovery using ICMP Echo and NDP Neighbor Discovery.

Privileges: Requires root/administrator (raw ICMP socket)

Usage:

# IPv6 host discovery (ICMP Echo + NDP)
sudo prtip --discovery 2001:db8::/64

# IPv4 + IPv6 dual-stack discovery
sudo prtip --discovery 192.168.1.0/24 2001:db8::/64

# Discovery with port scan on live hosts
sudo prtip --discovery --discovery-then-scan -p 80,443 2001:db8::/64

Protocols:

ICMPv6 Echo Request/Reply

  • Type 128: Echo Request (IPv6 equivalent of ICMP Type 8)
  • Type 129: Echo Reply (IPv6 equivalent of ICMP Type 0)
  • Purpose: Basic host liveness check
  • Behavior: Target responds with Echo Reply if reachable

NDP Neighbor Discovery (RFC 4861)

  • Type 135: Neighbor Solicitation (NS)
  • Type 136: Neighbor Advertisement (NA)
  • Purpose: Link-layer address resolution + host discovery
  • Target: Solicited-node multicast address (ff02::1:ffXX:XXXX)
  • Efficiency: More reliable than Echo on local links

Solicited-Node Multicast Addressing:

Target Address: 2001:db8::1234:5678
Solicited-Node: ff02::1:ff34:5678
                          ^^^^^^^^
                          Last 24 bits of target address

Performance:

  • ICMPv6 Echo: ~20-50ms per host
  • NDP: ~10-30ms on local link (faster than Echo)
  • Combined: ~50-100ms per host (both protocols)
  • Parallelism: Scales linearly with CPU cores

Discovery Strategies:

  • ICMPv6 Echo: Works across routers, blocked by some firewalls
  • NDP: Local link only, rarely blocked (required for IPv6)
  • Combined: Use both for maximum coverage

Example Output:

Running IPv6 discovery on 2001:db8::/64...
Host: 2001:db8::1 (ICMP Echo Reply)
Host: 2001:db8::2 (NDP Neighbor Advertisement)
Host: 2001:db8::10 (ICMP Echo Reply)
Host: 2001:db8::20 (NDP Neighbor Advertisement)

Discovery complete: 4 hosts alive

6. Decoy Scanner (-D, --decoys)

IPv6 Support: ✅ Full dual-stack with /64-aware generation (Sprint 5.1 Phase 3.3-3.4)

Description: Obscure scan source by generating traffic from multiple decoy IPs.

Privileges: Requires root/administrator (source address spoofing)

Usage:

# IPv6 decoy scan with 5 random decoys
sudo prtip -sS -D RND:5 -p 80,443 2001:db8::1

# IPv6 decoy scan with manual decoy list
sudo prtip -sS -D 2001:db8::10,2001:db8::20,ME,2001:db8::30 -p 80,443 2001:db8::1

# IPv6 subnet scan with decoys
sudo prtip -sS -D RND:10 -p 80,443 2001:db8::/64

Behavior:

  • Sends scan packets from real IP + multiple decoy IPs
  • Decoy IPs are spoofed (source address manipulation)
  • Target sees traffic from N+1 sources
  • Obscures true source in logs
  • ME keyword specifies position of real IP in decoy list

IPv6 Decoy Generation:

  • Random /64 IIDs: Generates random Interface Identifiers within target's /64 subnet
  • Subnet-Aware: Uses target's network prefix + random 64-bit IID
  • Reserved Address Filtering: Avoids 7 reserved IPv6 ranges:
    1. Loopback (::1/128)
    2. Multicast (ff00::/8)
    3. Link-local (fe80::/10)
    4. ULA (fc00::/7)
    5. Documentation (2001:db8::/32)
    6. IPv4-mapped (::ffff:0:0/96)
    7. Unspecified (::/128)

IPv6 /64 Rationale:

  • Most IPv6 subnets are /64 (65,536 networks, 18.4 quintillion hosts)
  • Decoys within same /64 are more believable (same network segment)
  • SLAAC (Stateless Address Autoconfiguration) uses /64 boundaries
  • NDP operates within /64 link-local scope

Decoy Strategies:

  • RND:N: N random decoys (recommended: 5-10)
  • Manual List: Specify exact decoy IPs
  • ME Position: Beginning (detectable), Middle (recommended), End (detectable)

Performance:

  • Overhead: 2-5% per decoy (packet crafting + transmission)
  • 5 decoys: ~10-25% total overhead
  • 10 decoys: ~20-50% total overhead
  • Parallelism recommended for large decoy counts

Example Output:

Scanning 2001:db8::1 with 5 decoys...
Decoys: 2001:db8::a3f1:2b4c:9d8e:7f61
        2001:db8::5e92:8c3a:4b7d:1f05
        2001:db8::c7b4:6e1f:8a92:3d54  (REAL)
        2001:db8::2d8f:9b6c:7e4a:5c91
        2001:db8::8a1e:3c5b:6d7f:9e20

PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https

Limitations:

  • Egress filtering may block spoofed packets
  • Some networks drop packets with invalid source IPs
  • Return packets only reach real IP (decoys don't receive responses)
  • Modern IDS can correlate timing patterns

Protocol Details

ICMPv6 Message Types

ProRT-IP implements 5 core ICMPv6 message types for scanning:

Type Name Purpose Scanner
1 Destination Unreachable Port closed indication UDP, Stealth
3 Time Exceeded Firewall/router drop All
128 Echo Request Host discovery Discovery
129 Echo Reply Host alive Discovery
135 Neighbor Solicitation NDP resolution Discovery
136 Neighbor Advertisement NDP response Discovery

Type 1: Destination Unreachable

Codes:

  • 0: No route to destination
  • 1: Communication administratively prohibited (filtered)
  • 3: Address unreachable (host down)
  • 4: Port unreachable (closed port)

Usage in ProRT-IP:

// UDP scanner interprets Code 4 as "closed"
if icmpv6_type == 1 && icmpv6_code == 4 {
    port_state = PortState::Closed;
}

// Code 1 indicates firewall filtering
if icmpv6_type == 1 && icmpv6_code == 1 {
    port_state = PortState::Filtered;
}

Type 128/129: Echo Request/Reply

Format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Data ...
+-+-+-+-+-+-

ProRT-IP Implementation:

  • Identifier: Random 16-bit value (scan correlation)
  • Sequence Number: Incremented per request
  • Data: Timestamp for RTT measurement
  • Checksum: ICMPv6 pseudo-header (includes IPv6 src/dst)

Type 135/136: Neighbor Solicitation/Advertisement

Solicited-Node Multicast:

Target: 2001:db8::1234:5678:9abc:def0
Multicast: ff02::1:ff9a:bcde:f0

ProRT-IP NDP Flow:

  1. Build NS packet with target IPv6 address
  2. Calculate solicited-node multicast address (ff02::1:ffXX:XXXX)
  3. Send to multicast address (all nodes on link process)
  4. Wait for NA response with target's link-layer address
  5. Mark host as alive if NA received

Performance:

  • NDP is faster than Echo on local links (~10-30ms vs 20-50ms)
  • Bypasses ICMP filtering (NDP required for IPv6 operation)
  • Only works within L2 segment (not routable)

TCP Over IPv6

IPv6 Pseudo-Header for TCP Checksum

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                         Source Address                        +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                      Destination Address                      +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   TCP Length                  |     Zeros     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Key Differences from IPv4:

  • IPv6 addresses: 128 bits (16 bytes) each
  • No IP header checksum (delegated to link layer)
  • TCP checksum includes full IPv6 addresses
  • Pseudo-header is 40 bytes (vs 12 bytes IPv4)

ProRT-IP Implementation:

fn calculate_tcp_checksum_ipv6(
    src: Ipv6Addr,
    dst: Ipv6Addr,
    tcp_segment: &[u8],
) -> u16 {
    let mut sum: u32 = 0;

    // Add source address (16 bytes)
    for chunk in src.octets().chunks(2) {
        sum += u16::from_be_bytes([chunk[0], chunk[1]]) as u32;
    }

    // Add destination address (16 bytes)
    for chunk in dst.octets().chunks(2) {
        sum += u16::from_be_bytes([chunk[0], chunk[1]]) as u32;
    }

    // Add TCP length (32-bit)
    sum += (tcp_segment.len() as u32) >> 16;
    sum += (tcp_segment.len() as u32) & 0xFFFF;

    // Add protocol (TCP = 6)
    sum += 6;

    // Add TCP segment
    for chunk in tcp_segment.chunks(2) {
        let word = if chunk.len() == 2 {
            u16::from_be_bytes([chunk[0], chunk[1]])
        } else {
            u16::from_be_bytes([chunk[0], 0])
        };
        sum += word as u32;
    }

    // Fold 32-bit sum to 16 bits
    while (sum >> 16) > 0 {
        sum = (sum & 0xFFFF) + (sum >> 16);
    }

    !sum as u16
}

UDP Over IPv6

Checksum Calculation:

  • Same pseudo-header format as TCP
  • UDP checksum is mandatory in IPv6 (optional in IPv4)
  • Zero checksum is invalid in IPv6 UDP

ProRT-IP UDP Implementation:

  • Builds IPv6 UDP packets with correct checksums
  • Protocol-specific payloads for common services
  • Interprets ICMPv6 Port Unreachable as "closed"

Dual-Stack Packet Building

ProRT-IP uses runtime dispatch for IPv4/IPv6:

pub async fn send_tcp_syn(
    socket: &RawSocket,
    target: SocketAddr,
    port: u16,
) -> Result<()> {
    match target.ip() {
        IpAddr::V4(ipv4) => {
            let packet = build_tcp_syn_ipv4(ipv4, port)?;
            socket.send(&packet).await?;
        }
        IpAddr::V6(ipv6) => {
            let packet = build_tcp_syn_ipv6(ipv6, port)?;
            socket.send(&packet).await?;
        }
    }
    Ok(())
}

Benefits:

  • Zero code duplication
  • Type safety (IpAddr enum)
  • Automatic protocol selection
  • Consistent API across IPv4/IPv6

Performance Characteristics

IPv4 vs IPv6 Comparison

Metric IPv4 IPv6 Overhead
Header Size 20 bytes 40 bytes +100%
Checksum Calculation IP + TCP/UDP TCP/UDP only -50% CPU
Address Resolution ARP (broadcast) NDP (multicast) -90% traffic
Loopback Latency ~5ms ~5-7ms +0-40%
LAN Latency ~20ms ~20-25ms +0-25%
WAN Latency ~50ms ~50-60ms +0-20%
Throughput (1Gbps) 95 Mbps 92 Mbps -3%

Conclusion: IPv6 overhead is negligible on modern hardware (<5-10% in most scenarios).


NDP Efficiency on /64 Subnets

Problem: Traditional host discovery scales poorly on /64 (18.4 quintillion addresses)

ProRT-IP Solution:

  1. Targeted Scanning: Only scan known hosts or ranges
  2. NDP Multicast: Solicited-node multicast is O(1) per host
  3. Parallel Discovery: Multi-threaded NDP for 100+ hosts/second

Comparison:

# IPv4 /24 subnet scan (256 hosts, 2 seconds)
prtip --discovery 192.168.1.0/24

# IPv6 /64 targeted scan (10 known hosts, 1 second)
prtip --discovery 2001:db8::1,2001:db8::2,...,2001:db8::10

# IPv6 /64 full scan (18.4 quintillion hosts, NEVER completes)
# DO NOT RUN: prtip --discovery 2001:db8::/64

Best Practices:

  • Use host lists for /64 scans
  • Rely on NDP for local discovery
  • Combine with DHCPv6 logs or router NDP cache

Timeout Recommendations

Scan Type IPv4 Default IPv6 Recommended Reason
TCP Connect 2000ms 2500ms Slightly higher RTT
SYN Scan 1000ms 1500ms ICMPv6 processing delay
UDP Scan 3000ms 3500ms ICMPv6 unreachable path
Discovery 500ms 750ms NDP multicast delay
Stealth 2000ms 2500ms Firewall processing

Timing Template Adjustments:

# T3 (Normal) - Increased timeouts for IPv6
prtip -sS -T3 -p 80,443 2001:db8::1  # 2.5s timeout

# T4 (Aggressive) - Default IPv4 timeouts OK
prtip -sS -T4 -p 80,443 2001:db8::1  # 1.5s timeout

# T5 (Insane) - Minimal timeout, IPv6 may miss responses
prtip -sS -T5 -p 80,443 2001:db8::1  # 500ms timeout (risky)

Common Use Cases

1. Scanning IPv6 Loopback (::1)

Purpose: Local service enumeration, scanner testing

Usage:

# TCP Connect scan (no privileges)
prtip -sT -p 22,80,443,3306,5432 ::1

# SYN scan (requires root)
sudo prtip -sS -p 1-1000 ::1

# Service detection
prtip -sT -sV -p 80,443 ::1

Expected Output:

Scanning ::1 (IPv6 loopback)...
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 8.9p1
80/tcp   open   http     nginx 1.18.0
443/tcp  open   https    nginx 1.18.0 (TLS 1.3)
3306/tcp open   mysql    MySQL 8.0.30
5432/tcp open   postgres PostgreSQL 14.5

2. Scanning Link-Local Addresses (fe80::/10)

Purpose: Local network device discovery

Usage:

# Link-local with interface specification (macOS/Linux)
prtip -sS -p 80,443 fe80::1%eth0

# Link-local subnet scan (requires zone ID)
prtip -sS -p 80,443 fe80::/64%eth0

# Discovery on link-local (NDP preferred)
sudo prtip --discovery fe80::/64%eth0

Platform-Specific:

  • Linux: %eth0, %ens33, %wlan0
  • macOS: %en0, %en1, %bridge0
  • Windows: %12, %3 (interface index)
  • FreeBSD: %em0, %re0

Example Output:

Scanning fe80::/64%eth0 (link-local discovery)...
Host: fe80::1%eth0 (Router)
Host: fe80::a23f:8e1c:7d4b:92e0%eth0 (NDP Advertisement)
Host: fe80::5e8a:3c9f:1b7d:4e60%eth0 (NDP Advertisement)

3 hosts alive on link-local segment

3. Scanning Global Unicast Addresses (2000::/3)

Purpose: Internet-facing service enumeration

Usage:

# Single global unicast host
prtip -sS -p 80,443 2001:4860:4860::8888

# Multiple hosts
prtip -sS -p 80,443 2001:db8::1 2606:2800:220:1:248:1893:25c8:1946

# With service detection
prtip -sS -sV -p 80,443 2001:4860:4860::8888

Example Output:

Scanning 2001:4860:4860::8888 (Google Public DNS)...
PORT     STATE  SERVICE  VERSION
53/tcp   open   dns      Google DNS
443/tcp  open   https    Google DNS over HTTPS (DoH)

4. Scanning IPv6 CIDR Notation (2001:db8::/64)

Purpose: Subnet enumeration (targeted, not full /64 sweep)

Usage:

# Scan first 256 addresses in /64 subnet
prtip -sS -p 80,443 2001:db8::0/120  # /120 = 256 addresses

# Scan specific host range
prtip -sS -p 80,443 2001:db8::1-2001:db8::ff

# Discovery then port scan (efficient)
sudo prtip --discovery --discovery-then-scan -p 80,443 2001:db8::0/120

CIDR Guidelines:

  • /120: 256 hosts (manageable)
  • /112: 65,536 hosts (slow but feasible)
  • /64: 18.4 quintillion hosts (NEVER full scan)

Example Output:

Scanning 2001:db8::0/120 (256 hosts)...
PORT     STATE  SERVICE
80/tcp   open   http     (10 hosts)
443/tcp  open   https    (8 hosts)
22/tcp   open   ssh      (15 hosts)

25 hosts responsive, 40 open ports found

5. Dual-Stack Hosts with Protocol Preference

Purpose: Test both IPv4 and IPv6 connectivity

Usage:

# Prefer IPv6, fallback to IPv4
prtip -sS --prefer-ipv6 -p 80,443 example.com

# Prefer IPv4, fallback to IPv6
prtip -sS --prefer-ipv4 -p 80,443 example.com

# Scan both protocols explicitly
prtip -sS -p 80,443 example.com 2606:2800:220:1:248:1893:25c8:1946

Example Output:

Resolving example.com (prefer IPv6)...
IPv6: 2606:2800:220:1:248:1893:25c8:1946
IPv4: 93.184.216.34
Using: 2606:2800:220:1:248:1893:25c8:1946 (IPv6)

Scanning 2606:2800:220:1:248:1893:25c8:1946...
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https

6. Mixed IPv4/IPv6 Target Lists

Purpose: Heterogeneous network scanning

Usage:

# Mixed targets (auto-detect protocol)
prtip -sS -p 80,443 \
    192.168.1.1 \
    2001:db8::1 \
    example.com \
    10.0.0.0/24 \
    2001:db8::/120

# With protocol preference for hostnames
prtip -sS -6 -p 80,443 \
    192.168.1.1 \      # IPv4 literal (unchanged)
    example.com \       # Resolves to IPv6
    2001:db8::1         # IPv6 literal (unchanged)

Example Output:

Scanning 3 targets (mixed IPv4/IPv6)...

192.168.1.1 (IPv4):
  80/tcp   open   http
  443/tcp  open   https

2001:db8::1 (IPv6):
  22/tcp   open   ssh
  80/tcp   open   http

example.com → 2606:2800:220:1:248:1893:25c8:1946 (IPv6):
  80/tcp   open   http
  443/tcp  open   https

Summary: 3 hosts, 7 open ports

7. IPv6 Service Detection

Purpose: Identify services and versions on IPv6 hosts

Usage:

# Service detection on IPv6
prtip -sT -sV -p 22,80,443 2001:db8::1

# Aggressive scan (OS + Service + Scripts)
prtip -sS -A -p- 2001:db8::1

# High intensity service detection
prtip -sT -sV --version-intensity 9 -p 80,443 2001:db8::1

Example Output:

Scanning 2001:db8::1 with service detection...
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 9.0p1 Ubuntu 1ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http     Apache httpd 2.4.54 ((Ubuntu))
443/tcp  open   https    Apache httpd 2.4.54 ((Ubuntu)) TLS 1.3
3000/tcp open   node     Node.js Express 4.18.2
5432/tcp open   postgres PostgreSQL 15.1

OS Detection: Linux 5.15-6.0

8. IPv6 Stealth Scanning

Purpose: Evade firewalls and IDS

Usage:

# FIN scan with timing control
sudo prtip -sF -T2 -p 80,443 2001:db8::1

# NULL scan with decoys
sudo prtip -sN -D RND:5 -p 80,443 2001:db8::1

# Xmas scan with fragmentation (Phase 5 planned)
# sudo prtip -sX -f --mtu 1280 -p 80,443 2001:db8::1

Example Output:

Scanning 2001:db8::1 (FIN scan, stealth mode)...
PORT     STATE          SERVICE
22/tcp   open|filtered  ssh
80/tcp   open|filtered  http
443/tcp  closed         https
3000/tcp open|filtered  node
8080/tcp closed         http-proxy

9. IPv6 Decoy Scanning

Purpose: Obscure scan origin

Usage:

# Random decoys in target's /64 subnet
sudo prtip -sS -D RND:10 -p 80,443 2001:db8::1

# Manual decoy list with ME positioning
sudo prtip -sS -D 2001:db8::10,2001:db8::20,ME,2001:db8::30 \
    -p 80,443 2001:db8::1

Example Output:

Scanning 2001:db8::1 with 10 decoys...
Decoys (in /64 subnet):
  2001:db8::a3f1:2b4c:9d8e:7f61
  2001:db8::5e92:8c3a:4b7d:1f05
  2001:db8::c7b4:6e1f:8a92:3d54
  2001:db8::9f2e:7a5c:4b8d:1e03
  2001:db8::4d7f:8e1a:6c9b:2f50  (ME - REAL IP)
  2001:db8::2d8f:9b6c:7e4a:5c91
  2001:db8::8a1e:3c5b:6d7f:9e20
  2001:db8::6b9f:2e7d:5a8c:1f04
  2001:db8::1c5e:9a3f:8d7b:4e60
  2001:db8::7e4a:3b9c:6d8f:2e10

PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https

10. IPv6 Hostname Resolution

Purpose: Resolve dual-stack hostnames to IPv4/IPv6

Usage:

# Default: Prefer IPv4
prtip -sS -p 80,443 example.com

# Force IPv6 (prefer AAAA records)
prtip -sS -6 -p 80,443 example.com

# Force IPv4 (prefer A records)
prtip -sS -4 -p 80,443 example.com

# Show DNS resolution details
prtip -sS -6 -vvv -p 80,443 example.com

Example Output (with -vvv):

[DEBUG] Resolving example.com (prefer IPv6)...
[DEBUG] DNS query: example.com AAAA
[DEBUG] DNS response: 2606:2800:220:1:248:1893:25c8:1946
[DEBUG] DNS query: example.com A
[DEBUG] DNS response: 93.184.216.34
[INFO] Selected: 2606:2800:220:1:248:1893:25c8:1946 (IPv6)

Scanning 2606:2800:220:1:248:1893:25c8:1946...
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https

Troubleshooting

Common Issues

1. "IPv6 not supported" Error

Error Message:

Error: IPv6 not supported on this interface

Causes:

  • IPv6 disabled in OS
  • Network interface has no IPv6 address
  • IPv6 kernel module not loaded

Solutions:

# Check IPv6 status (Linux)
ip -6 addr show
sysctl net.ipv6.conf.all.disable_ipv6

# Enable IPv6 (Linux)
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=0

# Check IPv6 status (macOS)
ifconfig | grep inet6

# Enable IPv6 (macOS)
sudo networksetup -setv6automatic Wi-Fi

# Check IPv6 status (Windows)
netsh interface ipv6 show config

# Enable IPv6 (Windows)
netsh interface ipv6 install

2. NDP Timeouts on Local Link

Error Message:

Warning: NDP timeout for fe80::1%eth0

Causes:

  • Wrong interface specified
  • Firewall blocking ICMPv6 Type 135/136
  • Host not on local link

Solutions:

# List all interfaces
ip link show  # Linux
ifconfig -a   # macOS/BSD
ipconfig /all # Windows

# Verify link-local addresses on interface
ip -6 addr show eth0  # Linux
ifconfig en0         # macOS

# Test NDP manually (Linux)
ping6 -c 1 -I eth0 ff02::1  # All nodes multicast

# Disable IPv6 firewall temporarily (TESTING ONLY)
sudo ip6tables -F  # Linux
sudo pfctl -d     # macOS

3. ICMPv6 Port Unreachable Not Received (UDP Scan)

Symptom: All UDP ports show as "open|filtered"

Causes:

  • Firewall dropping ICMPv6 unreachable messages
  • Rate limiting on ICMPv6 responses
  • Long network path with packet loss

Solutions:

# Increase timeout (allow more time for ICMPv6)
prtip -sU --timeout 5000 -p 53,123,161 2001:db8::1

# Use aggressive timing (faster retries)
prtip -sU -T5 -p 53,123,161 2001:db8::1

# Target known-closed ports to verify ICMPv6 unreachable
prtip -sU -p 9999 2001:db8::1  # Should be "closed" if ICMPv6 works

4. Link-Local Scope Issues

Error Message:

Error: Cannot connect to fe80::1: Invalid argument

Cause: Missing zone ID (interface specification)

Solution:

# WRONG: No zone ID
prtip -sS -p 80,443 fe80::1

# CORRECT: With zone ID
prtip -sS -p 80,443 fe80::1%eth0  # Linux
prtip -sS -p 80,443 fe80::1%en0   # macOS
prtip -sS -p 80,443 fe80::1%12    # Windows (interface index)

5. Firewall Blocking ICMPv6 Echo

Symptom: No response to ICMPv6 Echo (Type 128), but NDP works

Cause: Firewall allows NDP (required for IPv6) but blocks ICMP Echo

Solutions:

# Use NDP-only discovery (more reliable on local links)
sudo prtip --discovery --ndp-only 2001:db8::/120

# Check firewall rules (Linux)
sudo ip6tables -L -n | grep icmpv6

# Temporarily allow ICMPv6 Echo (TESTING ONLY)
sudo ip6tables -I INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
sudo ip6tables -I OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

Platform-Specific Issues

Linux

Issue: Permission denied for raw sockets

Solution:

# Use sudo for SYN/UDP/Stealth/Discovery scans
sudo prtip -sS -p 80,443 2001:db8::1

# OR: Grant CAP_NET_RAW capability (persistent)
sudo setcap cap_net_raw=eip /path/to/prtip

macOS

Issue: "Operation not permitted" when sending raw packets

Solution:

# Use sudo (required on macOS)
sudo prtip -sS -p 80,443 2001:db8::1

# Verify BPF device permissions
ls -l /dev/bpf*
# Should show: crw------- root wheel

# Grant temporary BPF access (ChmodBPF)
# https://github.com/wireshark/wireshark/blob/master/ChmodBPF/

Windows

Issue: "Npcap not installed" error

Solution:

# Install Npcap from https://npcap.com/
# Download and run installer with "WinPcap API-compatible" option

# Verify Npcap installation
sc query npcap
# Should show: STATE: RUNNING

# Run as Administrator (required for raw sockets)
# Right-click ProRT-IP → Run as Administrator

FreeBSD

Issue: IPv6 raw socket permission denied

Solution:

# Use sudo or doas
sudo prtip -sS -p 80,443 2001:db8::1

# OR: Add user to wheel group
sudo pw groupmod wheel -m username

# Verify IPv6 enabled
sysctl net.inet6.ip6.forwarding

Best Practices

1. When to Use IPv6 vs IPv4

Use IPv6 When:

  • Target network is dual-stack or IPv6-only
  • Testing IPv6-specific vulnerabilities
  • Assessing IPv6 security posture (often overlooked)
  • Future-proofing network assessments
  • ISP or cloud provider is IPv6-native

Use IPv4 When:

  • Target network is IPv4-only (legacy)
  • IPv6 firewall rules are too restrictive
  • Faster scan required (slight performance advantage on some networks)

Use Both When:

  • Comprehensive security assessment
  • Dual-stack network with different firewall rules per protocol
  • Comparing IPv4 vs IPv6 service availability

2. Protocol Preference Strategies

Strategy 1: Default (Prefer IPv4)

# No flags = prefer IPv4, fallback to IPv6
prtip -sS -p 80,443 example.com

Use Case: General scanning, legacy networks


Strategy 2: Prefer IPv6

# Prefer IPv6, fallback to IPv4
prtip -sS --prefer-ipv6 -p 80,443 example.com

Use Case: Modern networks, cloud environments, ISP testing


Strategy 3: Force IPv6 Only

# Strict IPv6 mode (error on IPv4)
prtip -sS --ipv6-only -p 80,443 2001:db8::/120

Use Case: IPv6-only networks, IPv6 security audits


Strategy 4: Scan Both Protocols

# Explicit IPv4 + IPv6 (no fallback, both required)
prtip -sS -p 80,443 example.com \
    $(dig +short example.com A) \
    $(dig +short example.com AAAA)

Use Case: Compare IPv4 vs IPv6 service parity


3. Performance Optimization

Use Aggressive Timing for IPv6

# T4 or T5 for IPv6 (higher parallelism)
prtip -sS -T4 -p 80,443 2001:db8::/120  # Aggressive
prtip -sS -T5 -p 80,443 2001:db8::/120  # Insane (risky)

Rationale: IPv6 has slightly higher latency, aggressive timing compensates


Increase Parallelism for Large Scans

# High concurrency for /120 subnet (256 hosts)
prtip -sS --max-concurrent 500 -p 80,443 2001:db8::/120

# Very high for /112 subnet (65K hosts, if feasible)
prtip -sS --max-concurrent 1000 -p 80,443 2001:db8::/112

Rationale: IPv6 benefits from higher parallelism due to larger address space


Use NDP for Local Discovery

# NDP is 2-3x faster than ICMP Echo on local links
sudo prtip --discovery --ndp-only fe80::/64%eth0

Rationale: NDP multicast is more efficient than ICMP unicast on L2 segments


4. Security Considerations

IPv6-Specific Attack Surfaces

Router Advertisements (RA) Spoofing:

  • Attackers can advertise rogue routers
  • Use RA Guard on switches
  • Monitor for unexpected RAs

NDP Exhaustion:

  • Attackers can flood NDP cache
  • Implement NDP rate limiting
  • Use ND Inspection (IPv6 equivalent of ARP Inspection)

Extension Header Abuse:

  • Fragmentation attacks (IPv6 fragmentation is end-to-end)
  • Use firewalls to drop packets with excessive extension headers

Tunneling (6to4, Teredo):

  • IPv6-in-IPv4 tunnels can bypass firewalls
  • Scan for tunnel endpoints (UDP port 3544 for Teredo)

Scanning Etiquette

Rate Limiting:

# Polite scan (T2, low rate)
prtip -sS -T2 --max-rate 100 -p 80,443 2001:db8::/120

Avoid Full /64 Scans:

# NEVER: Full /64 scan (18.4 quintillion addresses)
# prtip -sS -p 80,443 2001:db8::/64

# GOOD: Targeted /120 (256 addresses)
prtip -sS -p 80,443 2001:db8::/120

Respect Firewall Responses:

  • ICMPv6 Administratively Prohibited = "filtered" (stop scanning)
  • No response = "open|filtered" (timeout indicates firewall)

Advanced Topics

1. IPv6 Fragmentation

Difference from IPv4:

  • IPv6 routers do NOT fragment packets (only sender can fragment)
  • Path MTU Discovery (PMTUD) is mandatory
  • Minimum MTU: 1280 bytes (vs 68 bytes IPv4)

ProRT-IP Implementation (Phase 5 Planned):

# Fragment packets to evade firewalls (NOT YET IMPLEMENTED)
# sudo prtip -sS -f --mtu 1280 -p 80,443 2001:db8::1

Fragmentation Header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |   Reserved    |      Fragment Offset    |Res|M|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Identification                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

  • Next Header: Protocol after reassembly (TCP = 6, UDP = 17)
  • Fragment Offset: 13 bits (offset in 8-byte units)
  • M flag: More fragments (1 = more, 0 = last)
  • Identification: 32 bits (unique per source/destination/packet)

2. Extension Headers

Common Extension Headers:

  1. Hop-by-Hop Options (0)
  2. Routing (43)
  3. Fragment (44)
  4. Destination Options (60)
  5. Authentication Header (AH) (51)
  6. Encapsulating Security Payload (ESP) (50)

Processing Order:

IPv6 Header
  → Hop-by-Hop Options
    → Routing
      → Fragment
        → Destination Options
          → TCP/UDP/ICMP

ProRT-IP Support:

  • Current: Hop-by-Hop, Routing, Fragment, Destination Options (parsing only)
  • Phase 5: Custom extension header insertion for evasion

3. Privacy Addresses (RFC 4941)

Purpose: Prevent address-based tracking

Mechanism:

  • Temporary addresses generated from random Interface IDs
  • Change every 1-7 days (configurable)
  • Original address (derived from MAC) still used for servers

ProRT-IP Considerations:

# Privacy address may change during scan
# Use stable address for consistency
prtip -sS -p 80,443 2001:db8::1234:5678:90ab:cdef  # Stable

# Privacy address (may change)
prtip -sS -p 80,443 2001:db8::a3f1:2b4c:9d8e:7f61  # Temporary

Detecting Privacy Addresses:

  • Random IID (last 64 bits)
  • No MAC-based pattern (EUI-64)
  • Short-lived in DNS cache

4. Solicited-Node Multicast Addressing

Purpose: Efficient neighbor resolution (NDP)

Format:

Target Address:  2001:0db8:0000:0000:1234:5678:9abc:def0
Solicited-Node:  ff02:0000:0000:0000:0000:0001:ff9a:bcdef0
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                 ff02::1:ff + last 24 bits of target

Algorithm:

fn solicited_node_multicast(target: Ipv6Addr) -> Ipv6Addr {
    let octets = target.octets();
    let last_24_bits = [octets[13], octets[14], octets[15]];

    Ipv6Addr::new(
        0xff02, 0, 0, 0,
        0, 1,
        0xff00 | (last_24_bits[0] as u16),
        ((last_24_bits[1] as u16) << 8) | (last_24_bits[2] as u16),
    )
}

ProRT-IP Usage:

  • Discovery Engine automatically calculates solicited-node multicast
  • Sends NS to multicast address
  • All nodes on link process NS, target responds with NA

5. DHCPv6 vs SLAAC

SLAAC (Stateless Address Autoconfiguration):

  • No DHCP server required
  • Address = Prefix (from RA) + EUI-64 or random IID
  • Fast, automatic, no state

DHCPv6:

  • Centralized address management
  • Stateful (server tracks leases)
  • Can provide DNS, NTP, other options

ProRT-IP Scanning:

# SLAAC network: Predictable addressing (EUI-64)
# MAC: 00:11:22:33:44:55
# IPv6: 2001:db8::211:22ff:fe33:4455
prtip -sS -p 80,443 2001:db8::211:22ff:fe33:4455

# DHCPv6 network: Query DHCP server for address list
# Use DHCPv6 logs or router NDP cache for targets
prtip -sS -p 80,443 $(cat dhcpv6-leases.txt)

References

RFCs (Relevant to ProRT-IP)

  • RFC 8200: IPv6 Specification
  • RFC 4443: ICMPv6 for IPv6
  • RFC 4861: Neighbor Discovery Protocol
  • RFC 4291: IPv6 Addressing Architecture
  • RFC 5095: Deprecation of Type 0 Routing Headers
  • RFC 6724: Default Address Selection
  • RFC 4941: Privacy Extensions
  • RFC 7217: Stable Privacy Addresses

Related ProRT-IP Documentation

External Resources


Document Version: 1.0 Last Updated: 2025-10-29 Sprint: 5.1 Phase 4.3 Maintainer: ProRT-IP Contributors Status: Production-Ready (100% IPv6 Scanner Coverage)