By default, modern operating systems usually enable IPv6 with automatically configured addresses. In contrast to IPv4, IPv6 actually operates IP at layer 2 in the OSI model instead of using a separate protocol like ARP in the case of IPv4. Therefore when an IPv6-enabled system is connected to a network, it will configure itself with a layer 2 address in the fe80::10 address range based on its MAC address and will listen to the default IPv6 multicast addresses (ff02::/10) for routers that advertise their presence.
When either IPv6 or IPv4 are set up for auto configuration, but no configuration servers are present on the network, other attacks are possible by introducing rogue servers to answer these configuration requests. Modern operating systems prefer IPv6 over legacy IPv4 and will use a rogue IPv6 connection by default if one is available. This allows an attacker to hijack traffic such as DNS lookups. Tools and write ups to exploit this configuration attack are already available, for instance https://github.com/fox-it/mitm6 and thus aren’t covered in greater detail in this post.
Click here for the source and the full article.