1. 7
  1.  

  2. 3

    This is really cool, I had to run brew install netcat6 and then use nc6 on a mac to get it working. Normal nc doesn’t support a -6 flag it seems.

    I might have also broken it sorry. Typed support then ^D, then hit enter a couple of times, then ^C to break out of it. I can ping your host now, but not reconnect with nc. 😰😬

    1. 2

      You did, thanks! That’s exactly what I was hoping for as I was building it. I’m using the same tech stack to build another service and wondered if I really understand how it works and turned out I didn’t! I tried to build some mitigations for misbehaving or even malicious clients and still ended up vulnerable to DoS by accident 😎.

      The problem was with reading from a socket where the incoming stream is closed. I expected the read to return an error when trying to read from a closed stream, but that wasn’t obviously the case.

      Fixed it in this commit https://github.com/vvilhonen/ipv6shell/commit/417517e54d211fcf320966d3ccfbc163ffddae64

      Thanks again!

    2. 1

      Is this actually an issue people come across? All the home routers I’ve come across so far had firewalls blocking incoming connections (for both IPv4 and v6). Most of them (especially the ISP-issued ones) don’t even allow configuring that firewall. Company and University networks will always have a firewall as well. On University networks, there’s a high chance of getting a public IPv4 address anyways.

      And a comment regarding the (pretty neat) tool itself: with IPv6, you’ll probably use different addresses for incoming and outgoing connections. For firewall configuration, you usually need a static address (e.g., EUI-64) , but for privacy reasons, the preferred address for outgoing connections should be randomly generated. As your tool (as far as I can see) only can check the address the user connects from, it would miss the address services would usually listen on.