THC-IPv6(8)                 System Manager's Manual                THC-IPv6(8)

NAME

       The Hacker's Choice IPv6 Attack Toolkit (aka thc-ipv6)

SYNOPSIS

       tool [options] ...

DESCRIPTION

       This manual page briefly documents each of the attack-toolkit6
       tools. Not all options are listed here; to see the full list of
       options for a tool, invoke it with -h.

       Note that on Debian (if you read this on Debian) command names
       are prefixed with atk6- , so for example the tool alive6 should
       be invoked as atk6-alive6. This is a Debian-only modification.

       address6 <mac-address/ipv4-address/ipv6-address> [ipv6-prefix]
              Converts a mac or ipv4 address to an ipv6 address (link local if
              no prefix is given as 2nd option) or, when given an ipv6
              address, prints the mac or ipv4 address. Prints all possible
              variations. Returns -1 on errors or the number of variations
              found.

       alive6 <interface> [unicast-or-multicast-address [remote-router]]
              Shows alive addresses in the segment. If you specify a remote
              router, the packets are sent with a routing header prefixed by
              fragmentation.

       covert_send6 <interface> <target> <file> [port]
              Sends the content of FILE covertly to the target.

       covert_send6d <interface> <file>
              Writes covertly received content to FILE.

       denial6 <interface> <destination> <test-case-number>
              Performs various denial of service attacks on a target.

       detect_sniffer6 <interface> [target-ip]
              Tests if systems on the local LAN are sniffing. Works against
              Windows, Linux, OS/X and *BSD systems.

       dnssecwalk [-e46] <dns-server> <domain>
              Performs DNSSEC NSEC walking.

       dos_mld <interface>
              This tool prevents new ipv6 interfaces from coming up by sending
              answers to duplicate ip6 checks (DAD). This results in a DOS for
              new ipv6 devices.

       dos-new-ip6 <interface>
              This tool prevents new ipv6 interfaces from coming up by sending
              answers to duplicate ip6 checks (DAD). This results in a DOS for
              new ipv6 devices.

       detect-new-ip6 <interface> [scriptname]
              This tool detects new ipv6 addresses joining the local network.
              If scriptname is supplied, it is executed with the detected IPv6
              address as option.

       dnsdict6 [-t THREADS] <domain> [dictionary-file]
              Enumerates a domain for DNS entries; it uses a dictionary file
              if supplied or a built-in list otherwise.

       dnsrevenum6 <dns-server> <ipv6-address>
              Performs a fast reverse DNS enumeration.

       dump_router6 <interface>
              Dumps all local routers and their information.

       dump_dhcp6 <interface>
              Dumps all DHCPv6 servers and their information.

       exploit6 <interface> <destination> [test-case-number]
              Runs exploits for various known (CVE-listed) IPv6
              vulnerabilities against the destination.

       extract_hosts6 <file>
              Prints the host parts of ipv6 addresses in file.

       extract_networks6 <file>
              Prints the networks found in file.

       fake_advertise6 <interface> <ip-address> [target-address
       [own-mac-address]]
              Advertises an ipv6 address on the network (with own mac if not
              defined), sending it to the all-nodes multicast address if no
              target is specified.

       fake_dhcps6 <interface> <network-address/prefix-length> <dns-server>
              Fake DHCPv6 server. Used to configure an address and set a DNS
              server.

       fake_dns6d <interface> <ipv6-address>
              Fake DNS server that serves the same IPv6 address to any lookup
              request.

       fake_dnsupdate6 <dns-server> <fqdn> <ipv6-address>
              Sends false DNS update requests.

       fake_mipv6 <interface> <home-address> <home-agent-address>
       <care-of-address>
              If the mobile IPv6 home-agent is mis-configured to accept MIPV6
              updates without IPSEC, this will redirect all packets for
              home-address to care-of-address.

       fake_mld6 <interface> <multicast-address> [[target-address] [[ttl]
       [[own-ip] [own-mac-address]]]]
              Advertise yourself in a multicast group of your choice.

       fake_mld26 [-l] <interface> <add|delete|query> [multicast-address
       [target-address [ttl [own-ip [own-mac-address
       [destination-mac-address]]]]]]
              This uses the MLDv2 protocol. Only a subset of what the protocol
              is able to do is possible to implement via a command line.

       fake_mldrouter6 [-l] <interface> <advertise|solicitate|terminate>
       [own-ip [own-mac-address]]
              Announce, delete or solicit an MLD router, either yourself or
              others.

       fake_pim6 [-t ttl] [-s src6] [-d dst6] <interface> {<hello>
       [dr_priority]|{join|prune} <neighbor6> <multicast6> <target6>}
              The hello command takes optionally the DR priority (default: 0).

       fake_router6 <interface> <router-ip-link-local
       network-address/prefix-length> <mtu> [mac-address]
              Announce yourself as a router and try to become the default
              router. If a non-existing mac-address is supplied, this results
              in a DOS.

       fake_router26 <interface>
              Like fake_router6 with more options available.

       fake_solicitate6 <interface> <solicited-ip>
              Solicits IPv6 address on the network, sending it to the
              all-nodes multicast address.

       firewall6 [-u] <interface> <destination> <port> [test-case-no]
              Performs various ACL bypass attempts to check implementations.
              Defaults to TCP ports, option -u switches to UDP. For all test
              cases to work, ICMPv6 ping to the destination must be allowed.

       flood_advertise6 <interface>
              Flood the local network with neighbor advertisements.

       flood_dhcpc6 <interface> [domain-name]
              DHCP client flooder. Use to deplete the IP address pool a DHCP6
              server is offering. Note: if the pool is very large, this is
              rather senseless.

       flood_mld6 <interface>
              Flood the local network with MLD reports.

       flood_mld26 <interface>
              Flood the local network with MLDv2 reports.

       flood_mldrouter6 <interface>
              Flood the local network with MLD router advertisements.

       flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]]
              Flood a target with ICMPv6 redirects.

       flood_router6 <interface>
              Flood the local network with router advertisements.

       flood_router26 <interface>
              Similar to flood_router6 but with more options available.

       flood_rs6 [-sS] interface [target]
              Flood a network with ICMPv6 router solicitation messages.

       flood_solicitate6 <interface> [target-ip]
              Flood the network with neighbor solicitations.

       four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src
       ipv4-dst [port]
              Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over
              IPv6 networks).

       fragmentation6 <interface> <target-ip>
              Performs fragment firewall and implementation checks, including
              denial-of-service.

       fuzz_ip6 [-x] [-t number | -T number] [-p number] [-IFSDHRJ]
       [-1|-2|-3|-4|-5|-6|-7] <interface> <unicast-or-multicast-address>
       [address-in-data-pkt]
              Fuzzes an icmp6 packet.

       fuzz_dhcps6 [-t number | -T number] [-e number | -T number] [-p number]
       [-md] [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]
              Fuzzes a DHCPv6 server on specified packet types.

       implementation6 <interface> <destination> [test-case-number]
              Performs some ipv6 implementation checks, can be used to test
              firewalls too.

       implementation6d <interface>
              Identifies test packets sent by the implementation6 tool, useful
              to check what packets passed a firewall.

       inject_alive6 [-ap] <interface>
              This tool answers to keep-alive requests on PPPoE and 6in4
              tunnels; for PPPoE it also sends keep-alive requests. Note that
              the appropriate environment variable THC_IPV6_{PPPOE|6IN4} must
              be set. Option -a will actively send alive requests every 15
              seconds. Option -p will not send replies to alive requests.

       inverse_lookup6 <interface> <mac-address>
              Performs an inverse address query, to get the IPv6 addresses
              that are assigned to a MAC address. Note that only a few systems
              support this yet.

       kill_router6 <interface> <target-ip>
              Announce that target router is going down to delete it from the
              routing tables. If you supply a '*' as target-ip, this tool will
              sniff the network for RAs and immediately send the kill packet.

       ndpexhaust26 <interface> [-acpPTUrR] [-s sourceip6] <target-network>
              Flood the target /64 network with ICMPv6 TooBig error messages.
              This tool version is manyfold more effective than ndpexhaust6.

              -a     add a hop-by-hop header with router alert.
              -c     do not calculate the checksum to save time.
              -p     send ICMPv6 Echo Requests.
              -P     send ICMPv6 Echo Reply.
              -T     send ICMPv6 Time-to-live-exceeded.
              -U     send ICMPv6 Unreachable (no route).
              -r     randomize the source from your /64 prefix.
              -R     randomize the source fully.
              -s sourceip6
                     use this as source ipv6 address.

       ndpexhaust6 <interface> <target-network>
              Randomly pings IPs in target network.

       node_query6 <interface> <target-ip>
              Sends an ICMPv6 node query request to the target and dumps the
              replies.

       parasite6 <interface> [fake-mac]
              This is an "ARP spoofer" for IPv6, redirecting all local traffic
              to your own system (or nirvana if fake-mac does not exist) by
              answering falsely to Neighbor Solicitation requests. Specifying
              FAKE-MAC results in a local DOS.

       passive_discovery6 <interface> [scriptname]
              Passively sniffs the network and dumps all client IPv6
              addresses detected. If scriptname is supplied, it is called with
              the detected IPv6 address as first and the interface as second
              parameters.

       randicmp6 <interface> <target-ip>
              Sends all ICMPv6 type and code combinations to target.

       redir6 <interface> <src-ip> <target-ip> <original-router> <new-router>
       [new-router-mac]
              Implant a route into src-ip, which redirects all traffic for
              target-ip to new-router. You must know the router which would
              handle the route. If the new-router-mac does not exist, this
              results in a DOS.

       redirsniff6 <interface> <victim-ip> <destination-ip> <original-router>
       [<new-router> [new-router-mac]]
              Implant a route into victim-ip, which redirects all traffic for
              destination-ip to new-router. You must know the router which
              would handle the route. If the new-router and new-router-mac
              do not exist, this results in a DoS.

       rsmurf6 <interface> <victim-ip>
              Smurfs the local network of the victim. Note: this depends on an
              implementation error, currently only verified on Linux (fixed in
              current versions). Evil: "ff02::1" as victim will DOS your
              local LAN completely.

       smurf6 <interface> <victim-ip> [multicast-network-address]
              Smurf the target with ICMPv6 echo replies. Target of echo
              request is the local all-nodes multicast address if not
              specified.

       sendpees6 <interface> <key_length> <prefix> <victim-ip>
              Send SEND neighbor solicitation messages and make the target
              verify a lot of CGA and RSA signatures.

       sendpeesmp6 <interface> <key_length> <prefix> <victim-ip>
              Multithreaded version of sendpees6.

       trace6 [-d] <interface> targetaddress [port]
              A basic but very fast traceroute6 program.

       thcping6 <interface> <src6> <dst6> <srcmac> <dstmac> <data>
              Craft your special ICMPv6 echo request packet.

       thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] <interface> <target> <port>
              Flood the target port with TCP-SYN packets. If you supply "x" as
              port, it is randomized.

       toobig6 <interface> <target-ip> <existing-ip> <mtu>
              Implants the specified mtu on the target.

SEE ALSO

       nmap(1), amap(1), dsniff(8).

AUTHOR

       thc-ipv6 was written by van Hauser <vh@thc.org> / THC

       The homepage for this toolkit is: http://www.thc.org/thc-ipv6

       This manual page was written by Maykel Moya <mmoya@mmoya.org> and
       Arturo Borrero Gonzalez <arturo@debian.org>, for the Debian project
       (but may be used by others). It's based on previous work by Michael
       Gebetsroither <gebi@grml.org>.

Summer 2015                     ATTACK-TOOLKIT6                    THC-IPv6(8)