Description
Describe the bug
There is no IPv6 support in multiple areas:
- the server only listens on legacy sockets by default and cannot be reached via IPv6
- the agents will not connect via IPv6
- IPv6 addresses of agents are not shown in the web ui and seem to be completely ignored
To Reproduce
Steps to reproduce the behavior:
- Run Caldera on an IPv6 capable host
- Try to access the web interface via the IPv6 address
- Try to deploy an agent connecting back via IPv6
- On an existing agent, IPv6 addresses of the agent are not shown
Expected behavior
The server should listen to the IPv6 any address (::) by default, or allow specifying IPv6 addresses to bind to.
The agent should be able to connect to the server using IPv6, either by specifying an IP or by specifying a DNS name which resolves to an IPv6 address.
Both GUA and link-local addresses should work.
Once an agent it connected its IPv6 addresses should be shown in the web ui alongside any legacy addresses
Screenshots
Desktop (please complete the following information):
- OS: macOS 15.3.2
- Browser: Safari
- Version [e.g. 2.8.0]
Additional context
Even on legacy networks the link-local addresses are reachable by default in the same VLAN, this is a valid and highly useful covert channel between hosts in the same VLAN that is often not monitored.
When users work from home they are likely to have fully working IPv6 connectivity, which again can provide a covert channel if the blue team focuses only on legacy ip and ignores v6.
On a dual stack network the vast majority of legitimate traffic will occur over v6, any legacy traffic sticks out immediately as an anomaly.
On an IPv6-only network, caldera simply does not work at all.