.TH JUMBO6 1
.SH NAME
jumbo6 \- A security assessment tool for attack vectors based on IPv6 jumbograms
.SH SYNOPSIS
.B jumbo6
.RB [\| \-i
.IR INTERFACE\| ]
[\-S LINK_SRC_ADDR] [\-D LINK_DST_ADDR] [\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-A HOP_LIMIT] [\-H HBH_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-q IPV6_LENGTH] [\-Q JUMBO_LENGTH] [\-P PAYLOAD_SIZE] [\-l] [\-z SECONDS] [\-v] [\-h]

.SH DESCRIPTION
.B jumbo6
allows the assessment of IPv6 implementations with respect to attack vectors based on IPv6 jumbograms. It is part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for the IPv6 protocols.

This tool has only one mode of operation: active mode. In active mode, the tool sends IPv6 jumbograms to the specified target, and informs the user of any received ICMPv6 error messages (typically "ICMPv6 Parameter Problem" error messages).

.SH OPTIONS
.B jumbo6
takes its parameters as command-line options. Each of the options can be specified with a short name (one character preceded by a hyphen character, e.g. "\-i") or with a long name (a string preceded by two hyphen characters, e.g. "\-\-interface").

jumbo6 supports IPv6 Extension Headers, including the IPv6 Fragmentation Header, which might be of use to circumvent layer\-2 filtering and/or Network Intrusion Detection Systems (NIDS). However, IPv6 extension headers are not employed by default, and must be explicitly enabled with the corresponding options.

.TP
.BI \-i\  INTERFACE ,\ \-\-interface\  INTERFACE
This option specifies the network interface that the tool will use. If the destination address ("\-d" option) is a link\-local address, the interface must be explicitly specified. The interface may also be specified along with a destination address, with the "\-d" option.

.TP
.BI \-S\  SRC_LINK_ADDR ,\ \-\-src\-link\-address\  SRC_LINK_ADDR

This option specifies the link\-layer Source Address of the probe packets. If left unspecified, the link\-layer Source Address of the packets is set to the real link\-layer address of the network interface.

.TP
.BI \-D\  DST_LINK_ADDR ,\ \-\-dst\-link\-address\  DST_LINK_ADDR

This option specifies the link\-layer Destination Address of the probe packets (currently, only Ethernet is supported). By default, the link\-layer Destination Address is automatically set to the link\-layer address of the destination host (for on-link destinations) or to the link\-layer address of the first-hop router.

.TP
.BI \-s\  SRC_ADDR ,\ \-\-src\-address\  SRC_ADDR

This option specifies the IPv6 source address (or IPv6 prefix) to be used for the Source Address of the outgoing packets. If an IPv6 prefix is specified, the IPv6 Source Address of the outgoing packets will be randomized from that prefix.

.TP
.BI \-d\  DST_ADDR ,\ \-\-dst\-address\  DST_ADDR

This option specifies the IPv6 Destination Address of the target node. This option cannot be left unspecified.

.TP
\-\-hop\-limit, \-A

This option specifies the Hop Limit to be used for the IPv6 packets. By default, the Hop Limit is randomized.

.TP
.BI \-y\  SIZE ,\ \-\-frag\-hdr\  SIZE

This option specifies that the resulting packet must be fragmented. The fragment size must be specified as an argument to this option.

.TP
.BI \-u\  HDR_SIZE ,\ \-\-dst\-opt\-hdr\  HDR_SIZE

This option specifies that a Destination Options header is to be included in the resulting packet. The extension header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-u" options.

.TP
.BI \-U\  HDR_SIZE ,\ \-\-dst\-opt\-u\-hdr\  HDR_SIZE

This option specifies a Destination Options header to be included in the "unfragmentable part" of the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-U" options. This option is only valid if the "\-y" option is specified (as the concept of "unfragmentable part" only makes sense when fragmentation is employed).

.TP
.BI \-H\  HDR_SIZE ,\ \-\-hbh\-opt\-hdr\  HDR_SIZE

This option specifies that a Hop-by-Hop Options header is to be included in the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop\-by\-Hop Options headers may be specified by means of multiple "\-H" options.

.TP
\-\-ipv6\-length, \-q

This option specifies the value that the "Total Length" field of the IPv6 header should be set to. If this option is left unspecified, the "Total Length" field is set to 0, as required by the IPv6 jumbograms specification.

.TP
\-\-jumbo\-length, \-Q

This option specifies the value to which the "Jumbo Payload Length" field of the Jumbo Payload option should be set. If this option is left unspecified, the "Jumbo Payload Length" field is set according to the real size of the jumbo payload (see the "\-P" option).

.TP
\-\-payload\-size, \-P

This option specifies the size of the jumbo payload. If left unspecified, the payload size is set to 0.

.TP
\-\-loop, \-l

This option instructs the jumbo6 tool to send periodic IPv6 jumbograms to the victim node. The amount of time to pause between sending IPv6 jumbograms can be specified by means of the "\-z" option, and defaults to 1 second.

.TP
\-\-sleep, \-z

This option specifies the amount of time to pause between sending IPv6 jumbograms (when the "\-\-loop" option is set). If left unspecified, it defaults to 1 second.

.TP
\-\-verbose, \-v

This option instructs the jumbo6 tool to be verbose. When the option is set twice, the tool is "very verbose", and also reports which packets have been accepted or discarded as a result of applying the specified filters.

.TP
\-\-help, \-h

Print help information for the jumbo6 tool. 

.SH EXAMPLES

The following sections illustrate typical use cases of the
.B jumbo6
tool.

\fBExample #1\fR

# jumbo6 \-s fc00:1::/64 \-d fc00:1::1 \-P 100

Send an IPv6 jumbogram to the host fc00:1::1. The IPv6 Source Address will be randomly selected from the prefix fc00:1::/64, and a payload of 100 bytes is included in the packet.
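
The "\-q" and "\-Q" options allow the two length fields of a jumbogram to disagree, and the ICMPv6 Parameter Problem messages the tool reports are how a conforming receiver answers such packets. The following Python code is an added example, not part of the SI6 Networks toolkit: it applies the receiver-side checks of RFC 2675 to constructed sample packets, and the names check_jumbogram, find_jumbo_option and build are introduced here for illustration.

```python
import struct

HBH, ROUTING, FRAGMENT, DSTOPTS, NONE = 0, 43, 44, 60, 59
JUMBO_OPT = 0xC2  # Jumbo Payload option type (RFC 2675)

def find_jumbo_option(pkt, hdr_off):
    """Offset of the Jumbo Payload option inside the Hop-by-Hop header, or None."""
    end = min(hdr_off + (pkt[hdr_off + 1] + 1) * 8, len(pkt))
    off = hdr_off + 2
    while off < end:
        if pkt[off] == 0:                  # Pad1 is a single octet
            off += 1
        elif off + 1 >= end:
            break
        elif pkt[off] == JUMBO_OPT and off + 6 <= end:
            return off
        else:
            off += 2 + pkt[off + 1]        # skip any other TLV option
    return None

def check_jumbogram(pkt):
    """(reason, pointer) of the RFC 2675 Parameter Problem, or None if consistent."""
    payload_len = struct.unpack_from("!H", pkt, 4)[0]
    next_hdr, off, jumbo_off, frag_off = pkt[6], 40, None, None
    while next_hdr in (HBH, ROUTING, FRAGMENT, DSTOPTS) and off + 8 <= len(pkt):
        if next_hdr == HBH and off == 40:
            jumbo_off = find_jumbo_option(pkt, off)
        if next_hdr == FRAGMENT:
            frag_off = off
        hdr_len = 8 if next_hdr == FRAGMENT else (pkt[off + 1] + 1) * 8
        next_hdr, off = pkt[off], off + hdr_len
    if jumbo_off is None:
        if payload_len == 0 and pkt[6] == HBH:
            return ("Payload Length is 0 but no Jumbo Payload option", 4)
        return None
    if payload_len != 0:
        return ("Jumbo Payload option with non-zero Payload Length", jumbo_off)
    if struct.unpack_from("!I", pkt, jumbo_off + 2)[0] < 65536:
        return ("Jumbo Payload Length below 65,536", jumbo_off + 2)
    if frag_off is not None:
        return ("Jumbo Payload option together with a Fragment header", frag_off)
    return None

def build(payload_len, jumbo_len, data_len, frag=False):
    """Constructed sample packet: IPv6 header, Hop-by-Hop header, optional Fragment header."""
    ip6 = struct.pack("!IHBB", 0x60000000, payload_len, HBH, 64) + bytes(32)
    hbh = struct.pack("!BBBBI", FRAGMENT if frag else NONE, 0, JUMBO_OPT, 4, jumbo_len)
    fh = struct.pack("!BBHI", NONE, 0, 0, 1) if frag else b""
    return ip6 + hbh + fh + bytes(data_len)
```

The pointer in each result is the octet offset that RFC 2675 specifies for the Pointer field of the ICMPv6 Parameter Problem message, which lets a captured error be matched back to the check that triggered it.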

.SH AUTHOR
The
.B jumbo6
tool and the corresponding manual pages were produced by Fernando Gont 
.I <fgont@si6networks.com>
for SI6 Networks 
.IR <http://www.si6networks.com> .

.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts.  A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .