Commit 5b056f30 authored by Mati

Imported Upstream version 1.5.3

parent 1ac06c62
SI6 Networks IPv6 Toolkit v1.5.3
* All: Fix packet size issues
Many tools were using a (sometimes non-initialized) max_packet_size
variable, instead of the corresponding member of the idata structure.
* All: Add support for some Mac OS version
The toolkit would not compile on Lion (10.7.5) or Snow Leopard (10.6.8),
as a result of inconsistencies of how BYTE_ORDER-related constants were
(not) set in those versions of Mac OS.
SI6 Networks IPv6 Toolkit v1.5.2
* All: Add support for GNU Debian/kfreebsd
The toolkit would not build on GNU Debian/kfreebsd before this release.
* tcp6: Add support for TCP/IPv6 probes
tcp6 can now send TCP/IPv6 packets ("--probe-mode" option), and read the
TCP response packets, if any. This can be leveraged for port scans, and
miscellaneous measurements.
SI6 Networks IPv6 Toolkit v1.5.1
* Fix Mac OS breakage
libipv6.h had incorrect definitions for "struct tcp_hdr".
SI6 Networks IPv6 Toolkit v1.5
* All: Improved the next-hop determination
Since the toolkit employs libpcap (as there is no portable way to forge
IPv6 addresses and do other tricks), it was relying on the user specifying
a network interface ("-i" was mandatory for all tools) and that routers
would send Router Advertisements on the local links. This not only was
rather inconvenient for users (specifying a network interface was not
warranted), but also meant that in setups where RAs where not available
(e.g., manual configuration), the tools would fail. The toolkit now
employs routing sockets (in BSDs) or Netlink (in Linux), and only uses
"sending RAs" as a fall-back in case of failure (IPv6 not configured on
the local host).
* All: Improved source address selection
This is closely related to the previous bullet.
* All: More code moved to libipv6
More and more code was moved to libipv6 and removed to the individual tool
source files. As with some of the above, this was painful and
time-consuming, but was necessary -- and in the long run it will make
code maintenance easier.
* All: libipv6 used throughout all tools
This was rather painful and non-exciting, but necessary.
SI6 Networks' IPv6 Toolkit v1.4.1
* frag6: Fixed bug that prevented Ethernet header from being filled
A bug in the code caused Ethernet frames to go on te wire without any of
A bug in the code caused Ethernet frames to go on the wire without any of
their header fields completed.
* All: Use of library to avoid code replication
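Review bot: the new v1.5 and v1.5.3 changelog entries carry wording errors that will ship in the release notes: "in setups where RAs where not available" should read "were not available", "removed to the individual tool source files" should read "removed from", and "Add support for some Mac OS version" should be plural. The v1.5.3 "Fix packet size issues" entry also says max_packet_size was "sometimes non-initialized"; since that is a read of an uninitialized variable, it would help to name the affected tools so that users of earlier versions know whether they were exposed.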
......@@ -14,7 +66,7 @@ SI6 Networks' IPv6 Toolkit v1.4 release
* frag6: Fixed the flooding option
Fixed the fragment size used when employing the flooding option. It was
prevously sending fragment sizes that where not a multiple of eight, and
previously sending fragment sizes that where not a multiple of eight, and
hence these fragments were dropped.
* scan6: Added support for 64-bit encoding of IPv4 addresses
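Review bot: the corrected line in the frag6 flooding entry fixes "prevously" but still reads "fragment sizes that where not a multiple of eight"; change "where" to "were" in the same edit.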
......@@ -22,7 +74,7 @@ SI6 Networks' IPv6 Toolkit v1.4 release
and 64 bit) of embedded IPv4 addresses.
* tcp6: Fixed response to Neighbor Solicitations
tcp6 was not responding to incomming Neighbor Solicitations. Hence, when
tcp6 was not responding to incoming Neighbor Solicitations. Hence, when
packets were sent from spoofed addresses, tcp6 would never receive the
response packets, because the NSs sent by the local router or target node
would never be responded.
......
......@@ -7,7 +7,9 @@ The following people sent patches that were incorporated into this release
of the toolkit:
Octavio Alvarez <alvarezp@alvarezp.com>
Alexander Bluhm <bluhm@openbsd.org>
Alistair Crooks <agc@pkgsrc.org>
Declan A Rieb <darieb@sandia.gov>
** Package maintainers **
......@@ -31,6 +33,11 @@ These are the maintainers for each of the different packages:
Robin H. Johnson <robbat2@gentoo.org>
+ Mac OS
Declan A Rieb <darieb@sandia.gov> tests the toolkit on multiple Mac OS
versions, to ensure clean compiles on such platforms.
+ NetBSD (pkgsrc framework)
Alistair Crooks <agc@pkgsrc.org>
......@@ -39,3 +46,18 @@ These are the maintainers for each of the different packages:
Alexander Bluhm <bluhm@openbsd.org>
** Troubleshooting/Debugging **
Spotting bugs in networking tool can be tricky, since at times they only show
up in specific network scenarios.
The following indviduals provided great help in identifying bugs in the the
toolkit (thus leading to fixes and improvements):
Stephane Bortzmeyer <stephane@bortzmeyer.org>
Marc Heuse <mh@mh-sec.de>
Erik Muller <erikm@buh.org>
Declan A Rieb <darieb@sandia.gov>
Tim <tim-security@sentinelchicken.org>
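Review bot: the added Troubleshooting/Debugging paragraph has three typos: "networking tool" should be "networking tools", "indviduals" should be "individuals", and "in the the toolkit" repeats "the". Declan A Rieb is now listed in three places in this file (patches, Mac OS maintainer, debugging), which is fine, but the entries should be kept in step if the address changes.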
......@@ -51,20 +51,20 @@ all: $(TOOLS) $(LIBS) ipv6toolkit.conf
addr6: $(SRCPATH)/addr6.c $(SRCPATH)/addr6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o addr6 $(SRCPATH)/addr6.c $(LDFLAGS)
flow6: $(SRCPATH)/flow6.c $(SRCPATH)/flow6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o flow6 $(SRCPATH)/flow6.c $(LDFLAGS)
flow6: $(SRCPATH)/flow6.c $(SRCPATH)/flow6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o flow6 $(SRCPATH)/flow6.c $(LIBS) $(LDFLAGS)
frag6: $(SRCPATH)/frag6.c $(SRCPATH)/frag6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o frag6 $(SRCPATH)/frag6.c $(LDFLAGS)
frag6: $(SRCPATH)/frag6.c $(SRCPATH)/frag6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o frag6 $(SRCPATH)/frag6.c $(LIBS) $(LDFLAGS)
icmp6: $(SRCPATH)/icmp6.c $(SRCPATH)/icmp6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o icmp6 $(SRCPATH)/icmp6.c $(LDFLAGS)
icmp6: $(SRCPATH)/icmp6.c $(SRCPATH)/icmp6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o icmp6 $(SRCPATH)/icmp6.c $(LIBS) $(LDFLAGS)
jumbo6: $(SRCPATH)/jumbo6.c $(SRCPATH)/jumbo6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o jumbo6 $(SRCPATH)/jumbo6.c $(LDFLAGS)
jumbo6: $(SRCPATH)/jumbo6.c $(SRCPATH)/jumbo6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o jumbo6 $(SRCPATH)/jumbo6.c $(LIBS) $(LDFLAGS)
na6: $(SRCPATH)/na6.c $(SRCPATH)/na6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o na6 $(SRCPATH)/na6.c $(LDFLAGS)
na6: $(SRCPATH)/na6.c $(SRCPATH)/na6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o na6 $(SRCPATH)/na6.c $(LIBS) $(LDFLAGS)
ni6: $(SRCPATH)/ni6.c $(SRCPATH)/ni6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ni6 $(SRCPATH)/ni6.c $(LIBS) $(LDFLAGS)
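Review bot: addr6 is the only rule in this hunk that does not gain $(LIBS) and $(SRCPATH)/libipv6.h, while the changelog for this release line says libipv6 is "used throughout all tools". If addr6.c includes libipv6.h or calls into it, its rule needs the same prerequisites and link line as the others; if it is intentionally stand-alone, a one-line comment above the rule would prevent someone "fixing" it later. The eleven near-identical rules could also be collapsed into a single pattern rule so that the next dependency change is made once.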
......@@ -72,17 +72,17 @@ ni6: $(SRCPATH)/ni6.c $(SRCPATH)/ni6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPAT
ns6: $(SRCPATH)/ns6.c $(SRCPATH)/ns6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ns6 $(SRCPATH)/ns6.c $(LIBS) $(LDFLAGS)
ra6: $(SRCPATH)/ra6.c $(SRCPATH)/ra6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ra6 $(SRCPATH)/ra6.c $(LDFLAGS)
ra6: $(SRCPATH)/ra6.c $(SRCPATH)/ra6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ra6 $(SRCPATH)/ra6.c $(LIBS) $(LDFLAGS)
rd6: $(SRCPATH)/rd6.c $(SRCPATH)/rd6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o rd6 $(SRCPATH)/rd6.c $(LDFLAGS)
rd6: $(SRCPATH)/rd6.c $(SRCPATH)/rd6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o rd6 $(SRCPATH)/rd6.c $(LIBS) $(LDFLAGS)
rs6: $(SRCPATH)/rs6.c $(SRCPATH)/rs6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o rs6 $(SRCPATH)/rs6.c $(LIBS) $(LDFLAGS)
scan6: $(SRCPATH)/scan6.c $(SRCPATH)/scan6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o scan6 $(SRCPATH)/scan6.c $(LDFLAGS)
scan6: $(SRCPATH)/scan6.c $(SRCPATH)/scan6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o scan6 $(SRCPATH)/scan6.c $(LIBS) $(LDFLAGS)
tcp6: $(SRCPATH)/tcp6.c $(SRCPATH)/tcp6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o tcp6 $(SRCPATH)/tcp6.c $(LIBS) $(LDFLAGS)
......
......@@ -11,8 +11,8 @@
# variable accordingly. The path of the manual pages can be overriden by setting
# the MANPREFIX variable. Typically, packages will set these variables as follows:
#
# PREFIX=usr/
# MANPREFIX=usr/share
# PREFIX=/usr
# MANPREFIX=/usr/share
#
# Finally, please note that this makefile supports the DESTDIR variable, as
# typically employed by package developers.
......@@ -51,20 +51,20 @@ all: $(TOOLS) ipv6toolkit.conf
addr6: $(SRCPATH)/addr6.c $(SRCPATH)/addr6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o addr6 $(SRCPATH)/addr6.c $(LDFLAGS)
flow6: $(SRCPATH)/flow6.c $(SRCPATH)/flow6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o flow6 $(SRCPATH)/flow6.c $(LDFLAGS)
flow6: $(SRCPATH)/flow6.c $(SRCPATH)/flow6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o flow6 $(SRCPATH)/flow6.c $(LIBS) $(LDFLAGS)
frag6: $(SRCPATH)/frag6.c $(SRCPATH)/frag6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o frag6 $(SRCPATH)/frag6.c $(LDFLAGS)
frag6: $(SRCPATH)/frag6.c $(SRCPATH)/frag6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o frag6 $(SRCPATH)/frag6.c $(LIBS) $(LDFLAGS)
icmp6: $(SRCPATH)/icmp6.c $(SRCPATH)/icmp6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o icmp6 $(SRCPATH)/icmp6.c $(LDFLAGS)
icmp6: $(SRCPATH)/icmp6.c $(SRCPATH)/icmp6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o icmp6 $(SRCPATH)/icmp6.c $(LIBS) $(LDFLAGS)
jumbo6: $(SRCPATH)/jumbo6.c $(SRCPATH)/jumbo6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o jumbo6 $(SRCPATH)/jumbo6.c $(LDFLAGS)
jumbo6: $(SRCPATH)/jumbo6.c $(SRCPATH)/jumbo6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o jumbo6 $(SRCPATH)/jumbo6.c $(LIBS) $(LDFLAGS)
na6: $(SRCPATH)/na6.c $(SRCPATH)/na6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o na6 $(SRCPATH)/na6.c $(LDFLAGS)
na6: $(SRCPATH)/na6.c $(SRCPATH)/na6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o na6 $(SRCPATH)/na6.c $(LIBS) $(LDFLAGS)
ni6: $(SRCPATH)/ni6.c $(SRCPATH)/ni6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ni6 $(SRCPATH)/ni6.c $(LIBS) $(LDFLAGS)
......@@ -72,20 +72,20 @@ ni6: $(SRCPATH)/ni6.c $(SRCPATH)/ni6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPAT
ns6: $(SRCPATH)/ns6.c $(SRCPATH)/ns6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ns6 $(SRCPATH)/ns6.c $(LIBS) $(LDFLAGS)
ra6: $(SRCPATH)/ra6.c $(SRCPATH)/ra6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ra6 $(SRCPATH)/ra6.c $(LDFLAGS)
ra6: $(SRCPATH)/ra6.c $(SRCPATH)/ra6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o ra6 $(SRCPATH)/ra6.c $(LIBS) $(LDFLAGS)
rd6: $(SRCPATH)/rd6.c $(SRCPATH)/rd6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o rd6 $(SRCPATH)/rd6.c $(LDFLAGS)
rd6: $(SRCPATH)/rd6.c $(SRCPATH)/rd6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o rd6 $(SRCPATH)/rd6.c $(LIBS) $(LDFLAGS)
rs6: $(SRCPATH)/rs6.c $(SRCPATH)/rs6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o rs6 $(SRCPATH)/rs6.c $(LDFLAGS)
rs6: $(SRCPATH)/rs6.c $(SRCPATH)/rs6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o rs6 $(SRCPATH)/rs6.c $(LIBS) $(LDFLAGS)
scan6: $(SRCPATH)/scan6.c $(SRCPATH)/scan6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o scan6 $(SRCPATH)/scan6.c $(LDFLAGS)
scan6: $(SRCPATH)/scan6.c $(SRCPATH)/scan6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o scan6 $(SRCPATH)/scan6.c $(LIBS) $(LDFLAGS)
tcp6: $(SRCPATH)/tcp6.c $(SRCPATH)/tcp6.h $(SRCPATH)/ipv6toolkit.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o tcp6 $(SRCPATH)/tcp6.c $(LDFLAGS)
tcp6: $(SRCPATH)/tcp6.c $(SRCPATH)/tcp6.h $(SRCPATH)/ipv6toolkit.h $(LIBS) $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -o tcp6 $(SRCPATH)/tcp6.c $(LIBS) $(LDFLAGS)
libipv6.o: $(SRCPATH)/libipv6.c $(SRCPATH)/libipv6.h
$(CC) $(CPPFLAGS) $(CFLAGS) -c -o libipv6.o $(SRCPATH)/libipv6.c
......
*******************************************************************************
* SI6 Networks IPv6 Toolkit v1.4.1 *
* SI6 Networks IPv6 Toolkit v1.5.3 *
*******************************************************************************
Description of each of the files and directories:
......@@ -28,8 +28,9 @@ pages by running the following command:
Note: The libpcap library must be previously installed on the system.
All the tools have been tested to compile and run on Debian GNU/Linux 6.0,
FreeBSD 9.0, NetBSD 5.1, OpenBSD 5.0, Ubuntu 11.10, and Mac 0S 10.8.0.
All the tools have been tested to build (both with gcc and clang) and run on
Debian GNU/Linux 7.0, Debian GNU/kfreebsd 7.0, FreeBSD 9.0, NetBSD 6.1.1,
OpenBSD 5.3, Ubuntu 11.10, and Mac 0S 10.8.0.
Bug reports
......
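Review bot: the rewritten platform list still says "Mac 0S 10.8.0" with a digit zero instead of the letter O. The changelog in this same commit states that v1.5.3 fixes the build on Lion (10.7.5) and Snow Leopard (10.6.8), so if those versions were actually tested they should be listed here; otherwise the README and CHANGES disagree about which Mac OS versions are supported.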
......@@ -326,5 +326,5 @@ for SI6 Networks
.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just "AUTHOR" and "COPYRIGHT", with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
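Review bot: the change on the "Permission is granted" line is a licence-terms change, not a formatting fix: it drops the "AUTHOR" and "COPYRIGHT" Invariant Sections from the GFDL grant. The same edit is repeated in every manual page in this commit, yet none of the v1.5.x changelog entries visible here mention it. Add a changelog line so that packagers reviewing the upgrade can see the documentation licence changed.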
......@@ -3,7 +3,8 @@
flow6 \- A security assessment tool for the IPv6 Flow Label field
.SH SYNOPSIS
.B flow6
.BI \-i \|\ INTERFACE
.RB [\| \-i
.IR INTERFACE\| ]
.BI \-d \|\ DST_ADDR
.RB [\| \-S
.IR LINK_SRC_ADDR\| ]
......@@ -30,9 +31,9 @@ sends a number of probe packets to the target node, and samples the Flow Label v
.PP
The tool will first send a number of probe packets from single IPv6 address, such that the per-destination policy is determined. The tool will then send probe packets from random IPv6 addresses (from the same prefix as the first probes) such that the "global" Flow Label generation policy can be determined.
.PP
The tool computes the expected value and the standard deviation of the difference between consecutive-sampled Flow Label values (Labeln – Labeln-1) with the intent of inferring the Flow Label generation algorithm of the target node.
The tool computes the expected value and the standard deviation of the difference between consecutive-sampled Flow Label values (Labeln \- Labeln\-1) with the intent of inferring the Flow Label generation algorithm of the target node.
.PP
If the standard deviation of [Labeln – Labeln-1] is 0, the Flow Label is assumed to be set to a constant value, and the corresponding value is informed to the user. For small values of the standard deviation, the Flow Label is assumed to be a monotonically-increasing function with increments of the "expected value", and such "expected value" together with the standard deviation, are informed to the user. For large values of the standard deviation, the Flow Label is assumed to be randomized, and the expected value and standard deviation are informed to the user, as indicators of the "quality" of the Flow Label generation algorithm.
If the standard deviation of [Labeln \- Labeln\-1] is 0, the Flow Label is assumed to be set to a constant value, and the corresponding value is informed to the user. For small values of the standard deviation, the Flow Label is assumed to be a monotonically\-increasing function with increments of the "expected value", and such "expected value" together with the standard deviation, are informed to the user. For large values of the standard deviation, the Flow Label is assumed to be randomized, and the expected value and standard deviation are informed to the user, as indicators of the "quality" of the Flow Label generation algorithm.
.SH OPTIONS
.B flow6
......@@ -40,7 +41,7 @@ takes it parameters as command-line options. Each of the options can be specifie
.TP
.BI \-i\ INTERFACE ,\ \-\-interface\ INTERFACE
This option specifies the network interface that the tool will use. The network interface must be specified (i.e., the tool does not select any network interface "by default").
This option specifies the network interface that the tool will use. If the destination address ("\-d" option) is a link-local address, the interface must be explicitly specified. The interface may also be specified alon with a destination address, with the "\-d" option.
.TP
.BI \-s\ SRC_ADDR ,\ \-\-src\-address\ SRC_ADDR
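Review bot: the new "\-i" description contains the typo "alon with" (frag6.1 and rs6.1 in this commit have "along with"). The closing sentence, "The interface may also be specified along with a destination address, with the "\-d" option", is also ambiguous: it can be read as saying that "\-d" takes the interface. If the intent is that "\-i" is optional for non-link-local destinations and may still be given to force an interface, say that directly.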
......@@ -60,12 +61,12 @@ This option specifies the Hop Limit to be used for the IPv6 packets. By default,
.TP
.BI \-S\ SRC_LINK_ADDR ,\ \-\-src\-link\-address\ SRC_LINK_ADDR
This option specifies the link-layer Source Address of the probe packets (currently, only Ethernet is supported). If left unspecified, the link-layer Source Address of the packets is set to the real link-layer address of the network interface.
This option specifies the link\-layer Source Address of the probe packets (currently, only Ethernet is supported). If left unspecified, the link\-layer Source Address of the packets is set to the real link\-layer address of the network interface.
.TP
.BI \-D\ DST_LINK_ADDR ,\ \-\-dst\-link\-address\ DST_LINK_ADDR
This option specifies the link-layer Destination Address of the probe packets (currently, only Ethernet is supported). By default, the link-layer Destination Address is automatically set to the link-layer address of the destination host (for on-link destinations) or to the link-layer address of the first-hop router.
This option specifies the link\-layer Destination Address of the probe packets (currently, only Ethernet is supported). By default, the link\-layer Destination Address is automatically set to the link\-layer address of the destination host (for on-link destinations) or to the link\-layer address of the first\-hop router.
.TP
.BI \-P\ PROTOCOL ,\ \-\-protocol\ PROTOCOL
......@@ -104,13 +105,13 @@ tool.
# flow6 \-i eth0 \-\-flow-label-policy \-d fe80::1 \-v
Assess the Flow Label generation policy of the host "fe80::1", using the network interface "eth0". Probe packets are TCP segments directed to port 80 (default). Be verbose.
Assess the Flow Label generation policy of the host "fe80::1", using the network interface "eth0". Probe packets are TCP segments directed to port 80 (default). Be verbose. In this example, since the IPv6 destination address is a link-local address, the network interface ccard must be explicitly specified.
\fBExample #2\fR
# flow6 \-i eth0 \-d fe80::1 \-\-flow\-label\-policy \-P TCP \-p 22 \-vv
# flow6 \-d 2001:db8::1 \-\-flow\-label\-policy \-P TCP \-p 22 \-vv
Assess the Flow Label generation policy of the host "fe80::1", using the network interface "eth0". Probe packets are TCP segments directed to port 22. Be very verbose (i.e., list the sampled Flow Label values).
Assess the Flow Label generation policy of the host "2001:db8::1". Probe packets are TCP segments directed to port 22. Be very verbose (i.e., list the sampled Flow Label values).
.SH AUTHOR
The
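Review bot: the sentence added to Example #1 has the typo "network interface ccard"; it should be "card" or simply "network interface". Example #1 also keeps "\-\-flow-label-policy" with unescaped hyphens while Example #2 uses "\-\-flow\-label\-policy"; since this commit is escaping hyphens throughout the page, make the two command lines consistent.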
......@@ -120,5 +121,5 @@ tool and the corresponding manual pages were produced by Fernando Gont <fgont@si
.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just "AUTHOR" and "COPYRIGHT", with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
......@@ -3,7 +3,9 @@
frag6 \- A security assessment tool for IPv6 fragmentation
.SH SYNOPSIS
.B frag6
\-i INTERFACE \-d DST_ADDR [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-s SRC_ADDR[/LEN]] [\-A HOP_LIMIT] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-P FRAG_SIZE] [\-O FRAG_TYPE] [\-o FRAG_OFFSET] [\-I FRAG_ID] [\-T] [\-n] [\-p | \-W | \-X | \-F N_FRAGS] [\-l] [\-z SECONDS] [\-v] [\-h]
.RB [\| \-i
.IR INTERFACE\| ]
\-d DST_ADDR [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-s SRC_ADDR[/LEN]] [\-A HOP_LIMIT] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-P FRAG_SIZE] [\-O FRAG_TYPE] [\-o FRAG_OFFSET] [\-I FRAG_ID] [\-T] [\-n] [\-p | \-W | \-X | \-F N_FRAGS] [\-l] [\-z SECONDS] [\-v] [\-h]
.SH DESCRIPTION
.B frag6
......@@ -15,17 +17,17 @@ takes it parameters as command-line options. Each of the options can be specifie
.TP
.BI \-i\ INTERFACE ,\ \-\-interface\ INTERFACE
This option specifies the network interface that the tool will use. The network interface must be specified (i.e., the tool does not select any network interface "by default").
This option specifies the network interface that the tool will use. If the destination address ("\-d" option) is a link-local address, the interface must be explicitly specified. The interface may also be specified along with a destination address, with the "\-d" option.
.TP
.BI \-S\ SRC_LINK_ADDR ,\ \-\-src\-link\-address\ SRC_LINK_ADDR
This option specifies the link-layer Source Address of the probe packets (currently, only Ethernet is supported). If left unspecified, the link-layer Source Address of the packets is set to the real link-layer address of the network interface.
This option specifies the link\-layer Source Address of the probe packets. If left unspecified, the link\-layer Source Address of the packets is set to the real link\-layer address of the network interface.
.TP
.BI \-D\ DST_LINK_ADDR ,\ \-\-dst\-link\-address\ DST_LINK_ADDR
This option specifies the link-layer Destination Address of the probe packets (currently, only Ethernet is supported). By default, the link-layer Destination Address is automatically set to the link-layer address of the destination host (for on-link destinations) or to the link-layer address of the first-hop router.
This option specifies the link\-layer Destination Address of the probe packets. By default, the link\-layer Destination Address is automatically set to the link\-layer address of the destination host (for on-link destinations) or to the link\-layer address of the first-hop router.
.TP
.BI \-s\ SRC_ADDR ,\ \-\-src\-address\ SRC_ADDR
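Review bot: the rewritten "\-S" and "\-D" descriptions drop the caveat "(currently, only Ethernet is supported)", while the flow6.1 hunks in this same commit keep it for the same two options. If frag6 now handles other link types, the changelog should say so; if not, restore the caveat so the two pages do not contradict each other. The "\-D" line also escapes "link\-layer" but leaves "on-link" and "first-hop" unescaped.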
......@@ -201,25 +203,25 @@ tool.
\fBExample #1\fR
# frag6 \-i eth0 \-\-frag\-id\-policy \-d fc00:1::1 \-v
# frag6 \-\-frag\-id\-policy \-d fc00:1::1 \-v
Assess the fragment Identification generation policy of the host "fc00:1::1", using the network interface "eth0". Be verbose.
Assess the fragment Identification generation policy of the host "fc00:1::1". Be verbose.
\fBExample #2\fR
# frag6 \-i eth0 \-\-frag\-reass\-policy \-d fc00:1::1 \-v
# frag6 \-\-frag\-reass\-policy \-d fc00:1::1 \-v
Assess the fragment reassembly policy of the host "fc00:1::1", using the network interface "eth0". Be verbose.
Assess the fragment reassembly policy of the host "fc00:1::1". Be verbose.
\fBExample #3\fR
# frag6 \-i eth0 –frag-type atomic \-d fc00:1::1 \-v
# frag6 \-\-frag\-type atomic \-d fc00:1::1 \-v
Send an IPv6 atomic fragment to the host "fc00:1::1", using the network interface "eth0". Be verbose.
Send an IPv6 atomic fragment to the host "fc00:1::1". Be verbose.
\fBExample #4\fR
# frag6 \-i eth0 \-s ::/0 \-\-flood\-frags 100 \-l \-z 5 \-d fc00:1::1 \-v
# frag6 \-s ::/0 \-\-flood\-frags 100 \-l \-z 5 \-d fc00:1::1 \-v
Send 100 fragments (every 5 seconds) to the host fc00:1::1, using a forged IPv6 Source Address from the prefix ::/0. The aforementioned fragments should have an offset of 0, and the M bit set (i.e., be first-fragments). Be verbose.
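Review bot: after this hunk none of the four examples shows a case where "\-i" is still mandatory, although the new OPTIONS text says the interface must be given when the destination is link-local. All examples use "fc00:1::1"; keeping one example with a link-local destination and "\-i eth0", as flow6.1 does in its Example #1, would document the remaining requirement.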
......@@ -231,5 +233,5 @@ tool and the corresponding manual pages were produced by Fernando Gont <fgont@si
.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just "AUTHOR" and "COPYRIGHT", with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
.TH IPV6TOOLKIT 7
.SH NAME
ipv6toolkit \- An IPv6 security assessment and trouble-shooting toolkit
ipv6toolkit \- An IPv6 security assessment and trouble\-shooting toolkit
.SH DESCRIPTION
The SI6 Networks' IPv6 Toolkit is a security assessment and trouble-shooting toolkit for IPv6 networks and implementations. It provides a number of tools to send abitrary IPv6 packets, perform IPv6 address-scans, analyze IPv6 addresses, etc.
The SI6 Networks' IPv6 Toolkit is a security assessment and trouble\-shooting toolkit for IPv6 networks and implementations. It provides a number of tools to send abitrary IPv6 packets, perform IPv6 address\-scans, analyze IPv6 addresses, etc.
The current version of the toolkit includes the following tools:
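Review bot: the rewritten DESCRIPTION line still contains "abitrary IPv6 packets"; since the line is being touched anyway, correct it to "arbitrary" here rather than in a follow-up.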
......@@ -26,13 +26,13 @@ is an IPv6 address analysis and manipulation tool. Given a list of IPv6 addresse
.B addr6
can produce statistics on such addresses, including address scopes, types, and type of IPv6 interface identifier.
.B addr6
can also analyze a single address, producing script-friendly output, such that its analysis can be leveraged by other tools or scripts.
can also analyze a single address, producing script\-friendly output, such that its analysis can be leveraged by other tools or scripts.
.B flow6
allows the security assessment of the IPv6 Flow Label. Essentially, it can be leveraged to assess the Flow Label generation policy of a terget implementation.
.B frag6
is a security assessment tool for the IPv6 fragmentation mechanism. It allows the exploitation of fragmentation-based attacks, and can also be employed to assess the Fragment Identification generation policy, assess support for IPv6 atomic fragments, etc.
is a security assessment tool for the IPv6 fragmentation mechanism. It allows the exploitation of fragmentation\-based attacks, and can also be employed to assess the Fragment Identification generation policy, assess support for IPv6 atomic fragments, etc.
.B icmp6
is a security assessment tool for the ICMPv6 protocol. It can easily produce arbitrary ICMPv6 error messages, and includes the capability to generate such messages in response to received traffic.
......@@ -64,7 +64,7 @@ is a security assessment tool for attack vectors based on Router Solicitation me
is a full-fledged IPv6 address scanning tool, which can leverage specific IPv6 address patterns to greatly reduce the search space for "alive" nodes.
.B tcp6
is a security assessment tool for attack vectors based on TCP/IPv6 packets. It can be easily employed to launch classic TCP-based attacks such as SYN-floods, but can also be employed to launch other more complex attacks such as TCO connection floods, etc.
is a security assessment tool for attack vectors based on TCP/IPv6 packets. It can be easily employed to launch classic TCP\-based attacks such as SYN-floods, but can also be employed to launch other more complex attacks such as TCP connection floods, etc.
.SH SEE ALSO
......@@ -90,7 +90,7 @@ for SI6 Networks
.IR <http://www.si6networks.com> .
.SH COPYRIGHT
Copyright (c) 2011-2013 Fernando Gont.
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just "AUTHOR" and "COPYRIGHT", with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
......@@ -48,7 +48,7 @@ The
and the corresponding manual pages were produced by Fernando Gont <fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.
.SH COPYRIGHT
Copyright (c) 2011-2013 Fernando Gont.
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just "AUTHOR" and "COPYRIGHT", with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
......@@ -3,7 +3,9 @@
rs6 \- A security assessment tool for attack vectors based on ICMPv6 Router Solicitation messages
.SH SYNOPSIS
.B rs6
\-i INTERFACE [\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-E LINK_ADDR] [\-e] [\-F N_SOURCES] [\-z SECONDS] [\-l] [\-v] [\-h]
.RB [\| \-i
.IR INTERFACE\| ]
[\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-E LINK_ADDR] [\-e] [\-F N_SOURCES] [\-z SECONDS] [\-l] [\-v] [\-h]
.SH DESCRIPTION
.B rs6
......@@ -16,17 +18,16 @@ takes its parameters as command-line options. Each of the options can be specifi
Depending on the amount of information (i.e., options and option data) to be conveyed into the Router Solicitations, it may be necessary for rs6 to split that information into more than one Router Solicitation. Also, when the rs6 tool is instructed to flood the victim with Router Solicitations from different sources ("\-\-flood\-sources" option), multiple packets may need to be generated. rs6 supports IPv6 fragmentation, which may be of use if a large amount of information needs to be conveyed within a single Router Solicitation message. IPv6 fragmentation is not enabled by default, and must be explicitly enabled with the "\-y" option.
.TP
\-\-interface, \-i
This option specifies the network interface that the rs6 tool will use. The network interface must be specified (i.e., the tool does not select any network interface "by default").
.BI \-i\ INTERFACE ,\ \-\-interface\ INTERFACE
This option specifies the network interface that the tool will use. If the destination address ("\-d" option) is a link-local address, the interface must be explicitly specified. The interface may also be specified along with a destination address, with the "\-d" option.
.TP
\-\-src\-address, \-s
.BI \-s\ SRC_ADDR ,\ \-\-src\-address\ SRC_ADDR
This option is meant to specify the IPv6 Source Address (or IPv6 prefix) to be used for the Router Solicitation messages. If left unspecified, a randomized link-local unicast (fe80::/64) address is selected.
.TP
\-\-dst\-address, \-d
.BI \-d\ DST_ADDR ,\ \-\-dst\-address\ DST_ADDR
This option specifies the IPv6 Destination Address of the Router Solicitation messages. If left unspecified, but the Ethernet Destination Address is specified, the "all-routers link-local multicast" address (ff02::2) is selected as the IPv6 Destination Address.
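Review bot: The last sentence of the new "\-i" text ("The interface may also be specified along with a destination address, with the "\-d" option") does not say what happens when both are given or when neither is. Please state which one wins for a non-link-local destination and what the tool does when "\-i" is omitted. The new "\-s" header also drops the "[/LEN]" suffix that the SYNOPSIS shows, although the description still says a prefix is accepted.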
......@@ -36,32 +37,32 @@ This option specifies the IPv6 Destination Address of the Router Solicitation me
This option specifies the IPv6 Hop Limit to be used for the Router Solicitation messages. It defaults to 255. Note that IPv6 nodes are required to check that the Hop Limit of incoming Router Solicitation messages is 255. Therefore, this option is only useful to assess whether an IPv6 implementation fails to enforce the aforementioned check.
.TP
\-\-frag\-hdr, \-y
.BI \-y\ SIZE ,\ \-\-frag\-hdr\ SIZE
This option specifies that the resulting packet must be fragmented. The fragment size must be specified as an argument to this option.
.TP
\-\-dst\-opt\-hdr, \-u
.BI \-u\ HDR_SIZE ,\ \-\-dst\-opt\-hdr\ HDR_SIZE
This option specifies that a Destination Options header is to be included in the resulting packet. The extension header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-u" options.
.TP
\-\-dst\-opt\-u\-hdr, \-U
.BI \-U\ HDR_SIZE ,\ \-\-dst\-opt\-u\-hdr\ HDR_SIZE
This option specifies a Destination Options header to be included in the "unfragmentable part" of the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-U" options. This option is only valid if the "\-y" option is specified (as the concept of "unfragmentable part" only makes sense when fragmentation is employed).
.TP
\-\-hbh\-opt\-hdr, \-H
.BI \-H\ HDR_SIZE ,\ \-\-hbh\-opt\-hdr\ HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop-by-Hop Options headers may be specified by means of multiple "\-H" options.
This option specifies that a Hop-by-Hop Options header is to be included in the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop\-by\-Hop Options headers may be specified by means of multiple "\-H" options.
.TP
\-\-src\-link\-address, \-S
.BI \-S\ SRC_LINK_ADDR ,\ \-\-src\-link\-address\ SRC_LINK_ADDR
This option specifies the link-layer Source Address of the Router Solicitation messages (currently, only Ethernet is supported). If left unspecified, the link-layer Source Address is randomized.
.TP
\-\-link\-dst\-address, \-D
.BI \-D\ DST_LINK_ADDR ,\ \-\-dst\-link\-address\ DST_LINK_ADDR
This option specifies the link-layer Destination Address of the Router Solicitation messages (currently, only Ethernet is supported). If left unspecified, the link-layer Destination Address is set to "33:33:00:00:00:02" (the Ethernet address that corresponds to the "all-routers link-local multicast" address).
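Review bot: The "\-D" header changes the long option from "\-\-link\-dst\-address" to "\-\-dst\-link\-address"; please confirm this matches the long option the tool actually parses, since a man page that names an option the binary rejects is worse than the old formatting. The argument names in the new headers (SIZE, HDR_SIZE, SRC_LINK_ADDR, DST_LINK_ADDR) also differ from the SYNOPSIS (FRAG_SIZE, HBH_OPT_HDR_SIZE, LINK_SRC_ADDR, LINK-DST-ADDR), and the "\-H" paragraph escapes only the second "Hop\-by\-Hop" in the sentence.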
......@@ -78,7 +79,7 @@ This option instructs the rs6 tool to include a source link-layer address option
.TP
\-\-flood\-sources, \-F
This option instructs the rs6 tool to send Neighbor Solicitations from multiple (and random) IPv6 Source Addresses. The number of different sources is specified as "\-F number". The IPv6 Source Address of each Router Solicitation is a randomized from the IPv6 prefix specified with the "\-s" option, and defaults to a random link-local unicast address (fe80::/64).
This option instructs the rs6 tool to send Router Solicitations from multiple (and random) IPv6 Source Addresses. The number of different sources is specified as "\-F number". The IPv6 Source Address of each Router Solicitation is a randomized from the IPv6 prefix specified with the "\-s" option, and defaults to a random link-local unicast address (fe80::/64).
.TP
\-\-loop, \-l
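Review bot: The replacement "\-F" paragraph fixes "Neighbor Solicitations" but keeps "is a randomized from the IPv6 prefix", which should read "is randomized from the IPv6 prefix". The option header is also left in the old "\-\-flood\-sources, \-F" form while the entries above were moved to .BI with an argument name, so "\-F N_SOURCES" from the SYNOPSIS is not shown here.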
......@@ -88,7 +89,7 @@ This option instructs the rs6 tool to send periodic Router Solicitations to the
.TP
\-\-sleep, \-z
This option instructs the rs6 tool to the amount of time to pause between sending Neighbor Solicitations. If left unspecified, it defaults to 1 second.
This option instructs the rs6 tool to the amount of time to pause between sending Router Solicitation messages. If left unspecified, it defaults to 1 second.
.TP
\-\-verbose, \-v
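Review bot: The replacement "\-z" sentence still reads "instructs the rs6 tool to the amount of time to pause", which has no verb. Suggest "This option specifies the amount of time (in seconds) to pause between Router Solicitation messages", and give the header the SECONDS argument used in the SYNOPSIS.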
......@@ -125,7 +126,7 @@ Send 100 Router Solicitation messages using a random Ethernet Source Address and
Send one Router Solicitation message using a random Ethernet Source Address and a random link-local unicast (i.e., fe80::/64) IPv6 Source Address, to the Ethernet Destination Address "33:33:00:00:00:02" (default) and the IPv6 Destination Address "fe80::1". Each Router Solicitation includes a source link-layer address option that contains the Ethernet address "ff:ff:ff:ff:ff:ff". Be verbose.
.SH SEE ALSO
"Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations" (available at: <http://www.si6networks.com/tools/ipv6toolkit/si6networks-ipv6\-nd-assessment.pdf>) for a discussion of Neighbor Discovery vulnerabilities, and additional examples of how to use the na6 tool to exploit them.
"Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations" (available at: <http://www.si6networks.com/tools/ipv6toolkit/si6networks\-ipv6\-nd\-assessment.pdf>) for a discussion of Neighbor Discovery vulnerabilities, and additional examples of how to use the na6 tool to exploit them.
.SH AUTHOR
The
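Review bot: The SEE ALSO line is touched only to escape hyphens in the URL, but it still ends with "how to use the na6 tool to exploit them" in the rs6 manual page. That looks like a leftover from na6.1 and should name rs6, or drop the tool name.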
......@@ -138,6 +139,5 @@ for SI6 Networks
.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just "AUTHOR" and "COPYRIGHT", with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
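Review bot: The COPYRIGHT paragraph changes the licence terms (from Invariant Sections "AUTHOR" and "COPYRIGHT" to no Invariant Sections), which is a substantive change hidden inside a formatting pass and is not mentioned in the changelog text shown for this import. Please record it explicitly so downstream packagers can see when the terms changed.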
This diff is collapsed.
......@@ -3,7 +3,7 @@
tcp6 \- A security assessment tool for TCP/IPv6 implementations
.SH SYNOPSIS
.B tcp6
\-i INTERFACE [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-A HOP_LIMIT] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-c OPEN_TYPE] [\-C CLOSE_TYPE] [\-P PAYLOAD_SIZE] [\-o SRC_PORT] [\-a DST_PORT] [\-X TCP_FLAGS] [\-q TCP_SEQ] [\-Q TCP_ACK] [\-V TCP_URP] [\-w TCP_WIN] [\-W WINDOW_MODE] [\-M WIN_MOD_MODE] [\-Z DATA] [\-N] [\-n] [\-j PREFIX[/LEN]] [\-k PREFIX[/LEN]] [\-J LINK_ADDR] [\-K LINK_ADDR] [\-b PREFIX[/LEN]] [\-g PREFIX[/LEN]] [\-B LINK_ADDR] [\-G LINK_ADDR] [\-F N_SOURCES] [\-T N_PORTS] [\-f] [\-R] [\-L] [\-l] [\-z SECONDS] [\-r RATE] [\-v] [\-h]
\-i INTERFACE [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-A HOP_LIMIT] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-c OPEN_TYPE] [\-C CLOSE_TYPE] [\-P PAYLOAD_SIZE] [\-o SRC_PORT] [\-a DST_PORT] [\-X TCP_FLAGS] [\-q TCP_SEQ] [\-Q TCP_ACK] [\-V TCP_URP] [\-w TCP_WIN] [\-W WINDOW_MODE] [\-M WIN_MOD_MODE] [\-Z DATA] [\-N] [\-n] [\-j PREFIX[/LEN]] [\-k PREFIX[/LEN]] [\-J LINK_ADDR] [\-K LINK_ADDR] [\-b PREFIX[/LEN]] [\-g PREFIX[/LEN]] [\-B LINK_ADDR] [\-G LINK_ADDR] [\-F N_SOURCES] [\-T N_PORTS] [\-f] [\-R] [\-L] [\-l] [\-p PROBE_MODE] [\-z SECONDS] [\-r RATE] [\-v] [\-h]
.SH DESCRIPTION
.B tcp6
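Review bot: The updated SYNOPSIS adds "[\-p PROBE_MODE]" but still lists "\-i INTERFACE" as mandatory, while Example #5 added later in this same file runs tcp6 without "\-i". The rs6 page in this commit already marks "\-i" as optional, so the tcp6 synopsis should be brought in line.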
......@@ -286,6 +286,31 @@ This option specifies the rate limit to use when performing a remote address sca
This instructs the tcp6 tool to operate in listening mode (possibly after attacking a given node). Note that this option cannot be used in conjunction with the "\-l" ("\-\-loop") option.
.TP
.BI \-p\ PROBE_MODE ,\ \-\-probe\-mode\ PROBE_MODE
This option instructs tcp6 to operate in probe mode. The specific probe mode is specified as an argument to this option (currently, only "script" mode is supported). In probe mode,
.B tcp6
sends probe segments, and waits for response packets. The response packets are decoded based on the selected probe mode.
In the "script" probe mode, the tool decodes TCP segments as follows:
RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...
Where the string RESPONSE is fixed, and RESPONSE_TYPE indicates the response received. As of this version of the tool, the following RESPONSE_TYPE values are supported:
\+ TCP6: Indicates that the tool received a TCP/IPv6 packet
\+ TIMEOUT: Indicates that the tool received no response
If RESPONSE_TYPE is TCP6, RESPONSE code contains the TCP flags set in the receive TCP segment. The TCP flags are encoded as "F" (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK), and "U" (URG).
Possibe output lines of the tool are:
RESPONSE:TIMEOUT:
RESPONSE:TCP6:RA:
Note: Future versions of the tool will also decode ICMPv6 error messages, and will include additional data regarding the incoming TCP segments (e.g., ACK value, payload size, etc.).
.TP
.BR \-v\| ,\ \-\-verbose
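Review bot: The "\-p" text is a contract for scripts that parse tcp6 output, and it is ambiguous in three places: the format line names the third field RESPONSE_DECODE but the explanation calls it "RESPONSE code", the sample lines end in a trailing ":" that the format line does not describe, and nothing says in which order the flag letters appear. Please define the field separator, the trailing field and the flag order, and fix "Possibe" and "the receive TCP segment". As shown, the format and sample lines are not wrapped in .nf/.fi, so they would be filled into the surrounding paragraph when rendered.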
......@@ -337,6 +362,13 @@ will send an HTTP application request.
Flood the target node (fc00:1::1) with TCP connections (on port 80). On each connection that is established, an HTTP request is sent, and the TCP window is immediately closed. For each forged IPv6 source address ten different TCP source ports are randomized. The bandwidth of the attack is limited to 1000 pps.
\fBExample #5\fR
# tcp6 \-d fc00:1::1 \-a 80 \-\-tcp\-flags A \-\-dst-opt-hdr 8 \-\-payload\-size 50 \-\-probe\-mode script
Send a probe TCP segment to TCP port 80 at fc00:1::1. The probe packet consists of an IPv6 packet with a Destination Options header of 8 bytes, and an IPv6 payload consisting of a TCP segment with the ACK bit set, and 50 data bytes. The probe mode is "script".
.SH SEE ALSO
"Security Assessment of the Transmission Control Protocol (TCP)" (available at: <http://www.gont.com.ar/papers/tn\-03\-09\-security\-assessment\-TCP.pdf>) for a discussion of TCP vulnerabilities.
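Review bot: In the Example #5 command line, "\-\-dst-opt-hdr" leaves the inner hyphens unescaped while "\-\-tcp\-flags", "\-\-payload\-size" and "\-\-probe\-mode" on the same line are escaped, so a copy from the rendered page may not give ASCII hyphens for that one option. The description should also say what output to expect, for example one of the RESPONSE lines documented under "\-p".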
......@@ -351,6 +383,5 @@ for SI6 Networks
.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just "AUTHOR" and "COPYRIGHT", with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
This diff is collapsed.
......@@ -17,10 +17,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
* Build with: gcc addr6.c -Wall -o addr6
*
* This program has been tested to compile and run on: Debian GNU/Linux 6.0,
* FreeBSD 9.0, NetBSD 5.1, OpenBSD 5.0, and Ubuntu 11.10.
* Build with: make addr6
*
* It requires that the libpcap library be installed on your system.
*
......@@ -1426,7 +1423,7 @@ size_t Strnlen(const char *s, size_t maxlen){
int init_host_list(struct host_list *hlist){
unsigned int i;
bzero(hlist, sizeof(struct host_list));
memset(hlist, 0, sizeof(struct host_list));
if( (hlist->host = malloc(MAX_LIST_ENTRIES * sizeof(struct host_entry *))) == NULL){
return(0);
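Review bot: The memset() that replaces bzero() in init_host_list() clears only the struct host_list itself; the pointer array obtained from malloc() on the next line is left uninitialised. If any later code walks hlist->host expecting unused slots to be NULL, allocate it with calloc(MAX_LIST_ENTRIES, sizeof(struct host_entry *)) instead. Also confirm <string.h> is included in this file now that memset() is used.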
......@@ -1475,7 +1472,7 @@ struct host_entry *add_host_entry(struct host_list *hlist, struct in6_addr *ipv6
return(NULL);
}
bzero(hentry, sizeof(struct host_entry));
memset(hentry, 0, sizeof(struct host_entry));
hentry->ip6 = *ipv6;
hentry->next= NULL;
......
......@@ -162,7 +162,7 @@ struct stats6{
#ifndef s6_addr32
#define s6_addr32 __u6_addr.__u6_addr32
#endif
#elif defined __linux__
#elif defined __linux__ || ( !defined(__FreeBSD__) && defined(__FreeBSD_kernel__))
#ifndef s6_addr16
#define s6_addr16 __in6_u.__u6_addr16
#endif
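Review bot: The new "#elif" condition mixes "defined __linux__" with "defined(__FreeBSD_kernel__)" and carries no comment saying that "!defined(__FreeBSD__) && defined(__FreeBSD_kernel__)" is meant to select the kFreeBSD kernel with a non-FreeBSD userland. Please add a one-line comment and use one form of defined() throughout; if the same test is needed in other files, define a single macro for it so the platform checks cannot drift apart.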
......
This diff is collapsed.
......@@ -3,205 +3,7 @@
*
*/
#define LUI long unsigned int
#define ETH_ALEN 6 /* Octets in one ethernet addr */
#define ETH_HLEN 14 /* Total octets in header. */
#define ETH_DATA_LEN 1500 /* Max. octets in payload */
#define ETHERTYPE_IPV6 0x86dd /* IP protocol version 6 */
#define ETHER_ADDR_LEN ETH_ALEN /* size of ethernet addr */
#define ETHER_HDR_LEN ETH_HLEN /* total octets in header */
#define ETHER_ADDR_PLEN 18 /* Includes termination byte */
#define ETHER_ALLNODES_LINK_ADDR "33:33:00:00:00:01"
#define ETHER_ALLROUTERS_LINK_ADDR "33:33:00:00:00:02"
#define MIN_IPV6_HLEN 40
#define MIN_IPV6_MTU 1280
#define MIN_TCP_HLEN 20
#define MIN_UDP_HLEN 20
#define MIN_ICMP6_HLEN 8
#define SLLA_OPT_LEN 1
#define TLLA_OPT_LEN 1
#define MAX_TLLA_OPTION 256
#define IFACE_LENGTH 255
#define ALL_NODES_MULTICAST_ADDR "FF02::1"
#define ALL_ROUTERS_MULTICAST_ADDR "FF02::2"
#define SOLICITED_NODE_MULTICAST_PREFIX "FF02:0:0:0:0:1:FF00::"
/* Support for IPv6 extension headers */
#define FRAG_HDR_SIZE 8
#define MAX_IPV6_PAYLOAD 65535
#define MAX_DST_OPT_HDR 256
#define MAX_DST_OPT_U_HDR MAX_DST_OPT_HDR
#define MAX_HBH_OPT_HDR MAX_DST_OPT_HDR
/* Filter Constants */
#define MAX_BLOCK_SRC 50
#define MAX_BLOCK_DST 50
#define MAX_BLOCK_TARGET 50
#define MAX_BLOCK_LINK_SRC 50
#define MAX_BLOCK_LINK_DST 50
#define MAX_ACCEPT_SRC 50
#define MAX_ACCEPT_DST 50
#define MAX_ACCEPT_TARGET 50
#define MAX_ACCEPT_LINK_SRC 50
#define MAX_ACCEPT_LINK_DST 50
#define ACCEPTED 1
#define BLOCKED 0
#define QUERY_TIMEOUT 65
#define MIN_HBH_LEN 8
/* For discovering the fragment reassembly policy */
#define TIMED_OUT 1
#define FIRST_COPY 2
#define LAST_COPY 3
#define TIME_EXCEEDED 4
#define UNKNOWN_COPY 5
#define MIN_FRAG_SIZE 104