ns6.1 9.94 KB
Newer Older
1 2 3 4 5
.TH NS6 1
.SH NAME
ns6 \- A security assessment tool for attack vectors based on ICMPv6 Neighbor Solicitation messages
.SH SYNOPSIS
.B ns6
Mati's avatar
Mati committed
6 7 8
.RB [\| \-i
.IR INTERFACE\| ]
[\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-E LINK_ADDR] [\-e] [\-t TARGET_ADDR[/LEN]] [\-F N_SOURCES] [\-T N_TARGETS] [\-z SECONDS] [\-l] [\-v] [\-h]
9 10 11 12 13 14 15 16 17 18 19 20

.SH DESCRIPTION
.B ns6
allows the assessment of IPv6 implementations with respect to a variety of attacks based on ICMPv6 Neighbor Solicitation messages. This tool is part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for the IPv6 protocols.

.SH OPTIONS
.B ns6
The ns6 tool takes its parameters by means of command-line options. Each of the options can be specified with a short name (one character preceded with the hyphen character, as e.g. "\-i") or with a long name (a string preceded with two hyphen characters, as e.g. "\-\-interface").

Depending on the amount of information (i.e., options) to be conveyed into the Neighbor Solicitations, it may be necessary for the ns6 tool to split that information into more than one Neighbor Solicitation message. Also, when the ns6 tool is instructed to flood the victim with Neighbor Solicitations from different sources ("\-\-flood\-sources" option), multiple packets may need to be sent. ns6 supports IPv6 fragmentation, which may be of use if a large amount of information needs to be conveyed within a single Neighbor Solicitation message. IPv6 fragmentation is not enabled by default, and must be explicitly enabled with the "\-y" option.

.TP
Mati's avatar
Mati committed
21 22
.BI \-i\  INTERFACE ,\ \-\-interface\  INTERFACE
This option specifies the network interface that the tool will use. If the destination address ("\-d" option) is a link-local address, the interface must be explicitly specified. The interface may also be specified along with a destination address, with the "\-d" option.
23 24

.TP
Mati's avatar
Mati committed
25
.BI \-s\  SRC_ADDR ,\ \-\-src\-address\  SRC_ADDR
26 27 28 29

This option is meant to specify the IPv6 Source Address to be used for the Neighbor Solicitation messages. If left unspecified, a randomized link-local (fe80::/64) address is selected.

.TP
Mati's avatar
Mati committed
30
.BI \-d\  DST_ADDR ,\ \-\-dst\-address\  DST_ADDR
31 32 33 34 35 36 37 38 39

This option specifies the IPv6 Destination Address of the Neighbor Solicitation messages. If this option is left unspecified, but the Ethernet Destination Address is specified, the "all-nodes link-local multicast" address (ff02::1) is selected as the IPv6 Destination Address. 

.TP
\-\-hop\-limit, \-A

This option specifies the IPv6 Hop Limit to be used for the Neighbor Solicitation messages. It defaults to 255. Note that IPv6 nodes are required to check that the Hop Limit of incoming Neighbor Solicitation messages is 255. Therefore, this option is only useful to assess whether an IPv6 implementation fails to enforce the aforementioned check.

.TP
Mati's avatar
Mati committed
40
.BI \-y\  SIZE ,\ \-\-frag\-hdr\  SIZE
41 42 43 44

This option specifies that the resulting packet must be fragmented. The fragment size must be specified as an argument to this option.

.TP
Mati's avatar
Mati committed
45
.BI \-u\  HDR_SIZE ,\ \-\-dst\-opt\-hdr\  HDR_SIZE
46 47 48 49

This option specifies that a Destination Options header is to be included in the resulting packet. The extension header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-u" options.

.TP
Mati's avatar
Mati committed
50
.BI \-U\  HDR_SIZE ,\ \-\-dst\-opt\-u\-hdr\  HDR_SIZE
51 52 53 54

This option specifies a Destination Options header to be included in the "unfragmentable part" of the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-U" options. This option is only valid if the "\-y" option is specified (as the concept of "unfragmentable part" only makes sense when fragmentation is employed).

.TP
Mati's avatar
Mati committed
55
.BI \-H\  HDR_SIZE ,\ \-\-hbh\-opt\-hdr\  HDR_SIZE
56

Mati's avatar
Mati committed
57
This option specifies that a Hop-by-Hop Options header is to be included in the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop\-by\-Hop Options headers may be specified by means of multiple "\-H" options.
58 59

.TP
Mati's avatar
Mati committed
60
.BI \-S\  SRC_LINK_ADDR ,\ \-\-src\-link\-address\  SRC_LINK_ADDR
61

Mati's avatar
Mati committed
62
This option specifies the link\-layer Source Address of the Neighbor Solicitation messages (currently, only Ethernet is supported). If left unspecified, the link\-layer Source Address is randomized.
63 64

.TP
Mati's avatar
Mati committed
65
.BI \-D\  DST_LINK_ADDR ,\ \-\-dst\-link\-address\  DST_LINK_ADDR
66

Mati's avatar
Mati committed
67
This option specifies the link\-layer Destination Address of the Neighbor Solicitation messages (currently, only Ethernet is supported). If left unspecified, it is set to the address "33:33:00:00:00:01" (the Ethernet address corresponding to the "all-nodes link-local multicast" IPv6 address (ff02::1).
68 69 70 71 72 73 74 75 76 77 78

.TP
\-\-target, \-t

This option specifies the IPv6 Target Address of the Neighbor Solicitation messages. 

If the "\-T" ("\-\-flood\-targets") option is specified, this option specifies an IPv6 prefix in the form "\-t prefix/prefixlen". See the description of the "\-T" option for further information on how the "\-t" option is processed in that specific case.

.TP
\-\-source\-lla\-opt, \-E

Mati's avatar
Mati committed
79
This option specifies the contents of a source link\-layer address option to be included in the Neighbor Solicitation messages. If more than one source link\-layer address is specified (by means of multiple "\-E" options), and all the resulting options cannot be conveyed into a single Neighbor Solicitation, multiple Neighbor Solicitations will be sent as needed.
80 81 82 83

.TP
\-\-add\-slla\-opt, \-e

Mati's avatar
Mati committed
84
This option instructs the ns6 tool to include a source link\-layer address option in the Neighbor Solicitation messages that it sends. The link\-layer address included in the option is the same as the Ethernet Source Address used for the outgoing Neighbor Solicitation messages.
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125

.TP
\-\-flood\-sources, \-F

This option instructs the ns6 tool to send Neighbor Solicitations from multiple (and random) IPv6 Source Addresses. The number of different sources is specified as "\-F number". The IPv6 Source Address of the packets are randomly selected from the prefix specified by the "\-s" option (which defaults to fe80::/64).

.TP
\-\-flood\-targets, \-T

This option instructs the ns6 tool to send Neighbor Solicitation messages for multiple Target Addresses. The number of different Target Addresses is specified as "\-T number". The Target Address of each packet is randomly selected from the prefix ::/64, unless a different prefix has been specified by means of the "\-t" option. 

.TP
\-\-loop, \-l

This option instructs the ns6 tool to send periodic Neighbor Solicitations to the victim. The amount of time to pause between sending Neighbor Solicitations can be specified by means of the "\-z" option, and defaults to 1 second.

.TP
\-\-sleep, \-z

This option instructs the ns6 tool to the amount of time to pause between sending Neighbor Solicitations. If left unspecified, it defaults to 1 second.

.TP
\-\-verbose, \-v

This option instructs the ns6 tool to be verbose. 

.TP
\-\-help, \-h

Print help information for the ns6 tool. 

.SH EXAMPLES

The following sections illustrate typical use cases of the
.B ns6
tool.

\fBExample #1\fR

# ns6 \-i eth0 \-d fe80::01 \-t 2001:db8::1 \-e

Mati's avatar
Mati committed
126
Use the network interface "eth0" to send a Neighbor Solicitation message using a random link-local unicast IPv6 Source Address and a random Ethernet Source Address, to the IPv6 Destination address fe80::1 and the Ethernet Destination Address 33:33:00:00:00:01 (selected by default). The target of the Neighbor Advertisement is 2001:db8::1. The Neighbor Solicitation also includes a source link\-layer address option, that contains the same Ethernet address as that used for the Ethernet Source Address of the packet. 
127 128 129 130 131

\fBExample #2\fR

# ns6 \-i eth0 \-s 2001:db8::/32 \-t 2001:db8::1 \-F 10 \-l \-z 10 \-e \-v

Mati's avatar
Mati committed
132
Send 10 Neighbor Solicitation messages using random Ethernet Source Addresses and random IPv6 Source Addresses from the prefix 2001:db8::/32, to the Ethernet Destination Address 33:33:00:00:00:01 (default) and the IPv6 Destination Address ff02::1 (default). The IPv6 Target Address of the Neighbor Solicitation is 2001:db8::1, and each message includes a source link\-layer address option that contains the same address as that used for the Ethernet Source Address of the packet. Repeat this operation every ten seconds. Be verbose.
133 134 135 136 137

\fBExample #3\fR

# ns6 \-i eth0 \-s 2001:db8::/32 \-t 2001:db8::1 \-F 10 \-l \-z 10 \-E ff:ff:ff:ff:ff:ff \-v

Mati's avatar
Mati committed
138
Send 10 Neighbor Solicitation messages using random Ethernet Source Addresses and random IPv6 Source Addresses from the prefix fe80::/64 (default, link-local unicast), to the Ethernet Destination Address 33:33:00:00:00:01 (default) and the IPv6 Destination Address ff02:1 (default). The IPv6 Target Address of the Neighbor Solicitation is 2001:db8::1, and each message includes a source link\-layer address option that contains the Ethernet address ff:ff:ff:ff:ff:ff. Repeat this operation every ten seconds. Be verbose.
139 140

.SH SEE ALSO
Mati's avatar
Mati committed
141
"Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations" (available at: <http://www.si6networks.com/tools/ipv6toolkit/si6networks\-ipv6\-nd\-assessment.pdf>) for a discussion of Neighbor Discovery vulnerabilities, and additional examples of how to use the na6 tool to exploit them.
142 143 144 145 146 147 148 149 150 151 152 153

.SH AUTHOR
The
.B ns6
tool and the corresponding manual pages were produced by Fernando Gont 
.I <fgont@si6networks.com>
for SI6 Networks 
.IR <http://www.si6networks.com> .

.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.

Mati's avatar
Mati committed
154
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts.  A copy of the license is available at
155
.IR <http://www.gnu.org/licenses/fdl.html> .