In 2011 it was an officially end of IPv4 and beginning of IPv6. Many organization specially ISP have moved their backbone to IPv6. Very slow but gaining control is IPV6 and for that matter security tools have also being developed rrhunter is one of them.
What makes IPv6 special is “Neighbor discovery” as described in RFC4861. When an IPv6-enabled host connects to a network, it waits for a router advertisement packet but it can also generate some solicitation packets to discover more quickly if IPv6 routers are connected on the same wire. Once received, the router will respond and send the required information to the host to configure its IPv6 stack. One of the information is the network prefix (usually a /64) which will be used to generate IPv6 addresses. Such advertisement or solicitation messages are sent to the special address “ff02::1” which represents all the hosts connected on the wire.
So This is where rrhunter helps As a proof of concept, this Perl script will broadcast RS packets and listen to potential router responses. If the router IP address changed or is not the expected one, if will report the problem.
Example of using rrhunter
# ./rrhunter.pl -n fe80::230:48ff:fe27:4e40 -d -i eth1
+++ Debug enabled.
+++ Using interface eth1.
+++ Running with PID 12252.
+++ Expected IPv6 neighbor: fe80::230:48ff:fe27:4e40
+++ Listening on eth1.
+++ Router Solicitation packet sent!
+++ Detected IPv6 neighbor: fe80::230:48ff:fe27:4e40.
As it is written in Perl script we can change it as per our required environment for testing.
Download rrhunter:
rrhunter – rrhunter.pl – https://github.com/xme/rrhunter#readme
{ 0 comments… add one now }