THC-IPv6(8) System Manager's Manual THC-IPv6(8)

The Hacker Choice's IPv6 Attack Toolkit (aka thc-ipv6)

tool [options] ...

DESCRIPTION
This manual page briefly documents each of the attack-toolkit6
tools. Not all options are listed here; to see the full list of
options for a tool, invoke it with -h.

Note that on Debian (if you read this on Debian) command names
are prefixed with atk6-, so for example the tool alive6 should
be invoked as atk6-alive6. This is a Debian-only modification.

address6 <mac-address/ipv4-address/ipv6-address> [ipv6-prefix]
Converts a mac or ipv4 address to an ipv6 address (link local if
no prefix is given as 2nd option) or, when given an ipv6
address, prints the mac or ipv4 address. Prints all possible
variations. Returns -1 on errors or the number of variations
found.

alive6 <interface> [unicast-or-multicast-address [remote-router]]
Shows alive addresses in the segment. If you specify a remote
router, the packets are sent with a routing header prefixed by
fragmentation.

covert_send6 <interface> <target> <file> [port]
Sends the content of FILE covertly to the target.

covert_send6d <interface> <file>
Writes covertly received content to FILE.

denial6 <interface> <destination> <test-case-number>
Performs various denial of service attacks on a target.

detect_sniffer6 <interface> [target-ip]
Tests if systems on the local LAN are sniffing. Works against
Windows, Linux, OS/X and *BSD systems.

dnssecwalk [-e46] <dns-server> <domain>
Performs DNSSEC NSEC walking.

dos_mld <interface>
This tool prevents new ipv6 interfaces from coming up by sending
answers to duplicate ip6 checks (DAD). This results in a DOS for
new ipv6 devices.

dos-new-ip6 <interface>
This tool prevents new ipv6 interfaces from coming up by sending
answers to duplicate ip6 checks (DAD). This results in a DOS for
new ipv6 devices.

detect-new-ip6 <interface> [scriptname]
This tool detects new ipv6 addresses joining the local network.
If scriptname is supplied, it is executed with the detected IPv6
address as option.

dnsdict6 [-t THREADS] <domain> [dictionary-file]
Enumerates a domain for DNS entries; it uses a dictionary file
if supplied or a built-in list otherwise.

dnsrevenum6 <dns-server> <ipv6-address>
Performs a fast reverse DNS enumeration.

dump_router6 <interface>
Dumps all local routers and their information.

dump_dhcp6 <interface>
Dumps all DHCPv6 servers and their information.

exploit6 <interface> <destination> [test-case-number]
Performs exploits of various known (CVE) IPv6 vulnerabilities on
the destination.

extract_hosts6 <file>
Prints the host parts of ipv6 addresses in file.

extract_networks6 <interface>
Prints the networks found in file.

fake_advertise6 <interface> <ip-address> [target-address [own-mac-address]]
Advertises an ipv6 address on the network (with own mac if not
defined), sending it to the all-nodes multicast address if no
target is specified.

fake_dhcps6 <interface> <network-address/prefix-length> <dns-server>
Fake DHCPv6 server. Used to configure an address and set a DNS
server.

fake_dns6d <interface> <ipv6-address>
Fake DNS server that serves the same IPv6 address to any lookup
request.

fake_dnsupdate6 <dns-server> <fqdn> <ipv6-address>
Sends false DNS update requests.

fake_mipv6 <interface> <home-address> <home-agent-address> <care-of-address>
If the mobile IPv6 home-agent is misconfigured to accept MIPV6
updates without IPSEC, this will redirect all packets for
home-address to care-of-address.

fake_mld6 <interface> <multicast-address> [[target-address] [[ttl] [[own-ip] [own-mac-address]]]]
Advertise yourself in a multicast group of your choice.

fake_mld26 [-l] <interface> <add|delete|query> [multicast-address [target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]]
This uses the MLDv2 protocol. Only a subset of what the protocol
is able to do is possible to implement via a command line.

fake_mldrouter6 [-l] <interface> <advertise|solicitate|terminate> [own-ip [own-mac-address]]
Announce, delete or solicitate an MLD router - yourself or others.

fake_pim6 [-t ttl] [-s src6] [-d dst6] <interface> {<hello> [dr_priority]|{join|prune} <neighbor6> <multicast6> <target6>}
The hello command optionally takes the DR priority (default: 0).

fake_router6 <interface> <router-ip-link-local network-address/prefix-length> <mtu> [mac-address]
Announce yourself as a router and try to become the default
router. If a non-existing mac-address is supplied, this results
in a DOS.

fake_router26 <interface>
Like fake_router6 with more options available.

fake_solicitate6 <interface> <solicited-ip>
Solicits IPv6 address on the network, sending it to the
all-nodes multicast address.

firewall6 [-u] <interface> <destination> <port> [test-case-no]
Performs various ACL bypass attempts to check implementations.
Defaults to TCP ports, option -u switches to UDP. For all test
cases to work, ICMPv6 ping to the destination must be allowed.

flood_advertise6 <interface>
Flood the local network with neighbor advertisements.

flood_dhcpc6 <interface> [domain-name]
DHCP client flooder. Use to deplete the IP address pool a DHCP6
server is offering. Note: if the pool is very large, this is
rather senseless.

flood_mld6 <interface>
Flood the local network with MLD reports.

flood_mld26 <interface>
Flood the local network with MLDv2 reports.

flood_mldrouter6 <interface>
Flood the local network with MLD router advertisements.

flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]]
Flood a target with ICMPv6 redirects.

flood_router6 <interface>
Flood the local network with router advertisements.

flood_router26 <interface>
Similar to flood_router6 but with more options available.

flood_rs6 [-sS] interface [target]
Flood a network with ICMPv6 router solicitation messages.

flood_solicitate6 <interface> [target-ip]
Flood the network with neighbor solicitations.

four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src ipv4-dst [port]
Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over
IPv6 networks).

fragmentation6 <interface> <target-ip>
Performs fragment firewall and implementation checks, including
denial-of-service.

fuzz_ip6 [-x] [-t number | -T number] [-p number] [-IFSDHRJ] [-1|-2|-3|-4|-5|-6|-7] <interface> <unicast-or-multicast-address> [address-in-data-pkt]
Fuzzes an icmp6 packet.

fuzz_dhcps6 [-t number | -T number] [-e number | -T number] [-p number] [-md] [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]
Fuzzes a DHCPv6 server on specified packet types.

implementation6 <interface> <destination> [test-case-number]
Performs some ipv6 implementation checks, can be used to test
firewalls too.

implementation6d <interface>
Identifies test packets by the implementation6 tool, useful to
check what packets passed a firewall.

inject_alive6 [-ap] <interface>
This tool answers to keep-alive requests on PPPoE and 6in4
tunnels; for PPPoE it also sends keep-alive requests. Note that
the appropriate environment variable THC_IPV6_{PPPOE|6IN4} must
be set. Option -a will actively send alive requests every 15
seconds. Option -p will not send replies to alive requests.

inverse_lookup6 <interface> <mac-address>
Performs an inverse address query, to get the IPv6 addresses
that are assigned to a MAC address. Note that only a few systems
support this yet.

kill_router6 <interface> <target-ip>
Announce that target router is going down to delete it from the
routing tables. If you supply a '*' as target-ip, this tool will
sniff the network for RAs and immediately send the kill packet.

ndpexhaust26 <interface> [-acpPTUrR] [-s sourceip6] <target-network>
Flood the target /64 network with ICMPv6 TooBig error messages.
This tool version is manyfold more effective than ndpexhaust6.
-a  add a hop-by-hop header with router alert.
-c  do not calculate the checksum to save time.
-p  send ICMPv6 Echo Requests.
-P  send ICMPv6 Echo Reply.
-T  send ICMPv6 Time-to-live-exceeded.
-U  send ICMPv6 Unreachable (no route).
-r  randomize the source from your /64 prefix.
-R  randomize the source fully.
-s sourceip6  use this as source ipv6 address.

ndpexhaust6 <interface> <target-network>
Randomly pings IPs in target network.

node_query6 <interface> <target-ip>
Sends an ICMPv6 node query request to the target and dumps the
replies.

parasite6 <interface> [fake-mac]
This is an "ARP spoofer" for IPv6, redirecting all local traffic
to your own system (or nirvana if fake-mac does not exist) by
answering falsely to Neighbor Solicitation requests. Specifying
FAKE-MAC results in a local DOS.

passive_discovery6 <interface> [scriptname]
Passively sniffs the network and dumps all clients' IPv6
addresses detected. If scriptname is supplied, it is called with
the detected IPv6 address as first and the interface as second
parameters.

randicmp6 <interface> <target-ip>
Sends all ICMPv6 type and code combinations to target.

redir6 <interface> <src-ip> <target-ip> <original-router> <new-router> [new-router-mac]
Implant a route into src-ip, which redirects all traffic to
target-ip to new-ip. You must know the router which would handle
the route. If the new-router-mac does not exist, this results
in a DOS.

redirsniff6 <interface> <victim-ip> <destination-ip> <original-router> [<new-router> [new-router-mac]]
Implant a route into victim-ip, which redirects all traffic to
destination-ip to new-router. You must know the router which
would handle the route. If the new-router and new-router-mac
do not exist, this results in a DoS.

rsmurf6 <interface> <victim-ip>
Smurfs the local network of the victim. Note: this depends on an
implementation error, currently only verified on Linux (fixed in
current versions). Evil: "ff02::1" as victim will DOS your
local LAN completely.

smurf6 <interface> <victim-ip> [multicast-network-address]
Smurf the target with ICMPv6 echo replies. Target of echo
request is the local all-nodes multicast address if not
specified.

sendpees6 <interface> <key_length> <prefix> <victim-ip>
Send SEND neighbor solicitation messages and make the target
verify a lot of CGA and RSA signatures.

sendpeesmp6 <interface> <key_length> <prefix> <victim-ip>
Multithreaded version of sendpees6.

trace6 [-d] <interface> targetaddress [port]
A basic but very fast traceroute6 program.

thcping6 <interface> <src6> <dst6> <srcmac> <dstmac> <data>
Craft your special ICMPv6 echo request packet.

thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] <interface> <target> <port>
Flood the target port with TCP-SYN packets. If you supply "x" as
port, it is randomized.

toobig6 <interface> <target-ip> <existing-ip> <mtu>
Implants the specified mtu on the target.

nmap(1), amap(1), dsniff(8).

thc-ipv6 was written by van Hauser <vh@thc.org> / THC

The homepage for this toolkit is: http://www.thc.org/thc-ipv6

This manual page was written by Maykel Moya <mmoya@mmoya.org> and
Arturo Borrero Gonzalez <arturo@debian.org>, for the Debian project
(but may be used by others). It's based on previous work by Michael
Gebetsroither <gebi@grml.org>.

Summer 2015 ATTACK-TOOLKIT6 THC-IPv6(8)