This post details some of the tools used in my recent IPv6 security testing webcast If you have any specific questions, please open a Discussion thread.

A minimal IPv6 toolbox:

The BackTrack Linux distribution includes these tools by default and is a great choice.

On your local Linux distribution, the following tools are useful:

  • ping6
  • tracepath6
  • socat
  • ip6tables
  • tcpdump
  • wireshark

Scanning your local subnet for all IPv6-enabled systems in one shot:

# nmap -6 --script=targets-ipv6-multicast-*

Port scanning the top 10000 ports on these assets:

# nmap -6 --script=targets-ipv6-multicast-* --script-args=newtargets -PS --top-ports=10000

Targeting a link-local address from within Metasploit (assuming the NIC is eth0):

msf exploit > set RHOST fe80::7aac:c2ff:fe3d:e003%eth0

Targeting all IP addresses (IPv4 and IPv6) tied to a hostname via DNS with a Scanner module:

msf scanner> set RHOSTS

If you would like a global IPv6 address, these free services can tunnel over IPv4:

Bringing up a tunnel via Hurricane Electric's TunnelBroker service is simple:


ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::<TunnelBrokerGateway>
ifconfig sit1 up
ifconfig sit1 inet6 add <TunnelBrokerPrefix>::2/64
route -A inet6 add ::/0 dev sit1

Bringing up a tunnel via TunnelBroker on a compromised Windows target:

Windows 2000/XP

ipv6 install
ipv6 rtu ::/0 2/::<TunnelBrokerGateway> pub
ipv6 adu 2/<TunnelBrokerPrefix>::2

Windows Vista/2008/7

netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel <TargetExternalIP> <TunnelBrokerGateway>
netsh interface ipv6 add address IP6Tunnel <TunnelBrokerPrefix>::2
netsh interface ipv6 add route ::/0 IP6Tunnel <TunnelBrokerPrefix>::1

For information on malicious Teredo configuration on Windows, please see this fine article.

Remember to configure a firewall (ip6tables or Windows FW) in either case