THC-IPv6(8)                 System Manager's Manual                THC-IPv6(8)

NAME

       The Hacker Choice's IPv6 Attack Toolkit (aka thc-ipv6)

SYNOPSIS

       tool [options] ...

DESCRIPTION

       This manual page briefly documents each of the attack-toolkit6 tools.
       Not all options are listed here; to see the full list of options of
       each tool, invoke it with -h.

       Note that on Debian (if you read this on Debian) command names are
       prefixed with atk6-, so for example the tool alive6 should be invoked
       as atk6-alive6. This is a Debian-only modification.

       address6 <mac-address/ipv4-address/ipv6-address> [ipv6-prefix]
              Converts a MAC or IPv4 address to an IPv6 address (link local
              if no prefix is given as 2nd option) or, when given an IPv6
              address, prints the MAC or IPv4 address. Prints all possible
              variations. Returns -1 on errors or the number of variations
              found.

       alive6 <interface> [unicast-or-multicast-address [remote-router]]
              Shows alive addresses in the segment. If you specify a remote
              router, the packets are sent with a routing header prefixed by
              fragmentation.

       covert_send6 <interface> <target> <file> [port]
              Sends the content of FILE covertly to the target.

       covert_send6d <interface> <file>
              Writes covertly received content to FILE.

       denial6 <interface> <destination> <test-case-number>
              Performs various denial of service attacks on a target.

       detect_sniffer6 <interface> [target-ip]
              Tests if systems on the local LAN are sniffing. Works against
              Windows, Linux, OS/X and *BSD systems.

       dnssecwalk [-e46] <dns-server> <domain>
              Performs DNSSEC NSEC walking.

       dos_mld <interface>
              This tool prevents new IPv6 interfaces from coming up by
              sending answers to duplicate IPv6 address checks (DAD). This
              results in a DoS for new IPv6 devices.

       dos-new-ip6 <interface>
              This tool prevents new IPv6 interfaces from coming up by
              sending answers to duplicate IPv6 address checks (DAD). This
              results in a DoS for new IPv6 devices.

       detect-new-ip6 <interface> [scriptname]
              This tool detects new IPv6 addresses joining the local network.
              If scriptname is supplied, it is executed with the detected
              IPv6 address as option.

       dnsdict6 [-t THREADS] <domain> [dictionary-file]
              Enumerates a domain for DNS entries; it uses a dictionary file
              if supplied or a built-in list otherwise.

       dnsrevenum6 <dns-server> <ipv6-address>
              Performs a fast reverse DNS enumeration.

       dump_router6 <interface>
              Dumps all local routers and their information.

       dump_dhcp6 <interface>
              Dumps all DHCPv6 servers and their information.

       exploit6 <interface> <destination> [test-case-number]
              Performs exploits of various known IPv6 vulnerabilities (CVEs)
              on the destination.

       extract_hosts6 <file>
              Prints the host parts of IPv6 addresses in file.

       extract_networks6 <interface>
              Prints the networks found in file.

       fake_advertise6 <interface> <ip-address> [target-address
       [own-mac-address]]
              Advertises an IPv6 address on the network (with own MAC if not
              defined), sending it to the all-nodes multicast address if no
              target is specified.

       fake_dhcps6 <interface> <network-address/prefix-length> <dns-server>
              Fake DHCPv6 server. Used to configure an address and set a DNS
              server.

       fake_dns6d <interface> <ipv6-address>
              Fake DNS server that serves the same IPv6 address to any lookup
              request.

       fake_dnsupdate6 <dns-server> <fqdn> <ipv6-address>
              Sends false DNS update requests.

       fake_mipv6 <interface> <home-address> <home-agent-address>
       <care-of-address>
              If the mobile IPv6 home-agent is misconfigured to accept MIPv6
              updates without IPsec, this will redirect all packets for
              home-address to care-of-address.

       fake_mld6 <interface> <multicast-address> [[target-address] [[ttl]
       [[own-ip] [own-mac-address]]]]
              Advertise yourself in a multicast group of your choice.

       fake_mld26 [-l] <interface> <add|delete|query> [multicast-address
       [target-address [ttl [own-ip [own-mac-address
       [destination-mac-address]]]]]]
              This uses the MLDv2 protocol. Only a subset of what the
              protocol is able to do can be implemented via a command line.

       fake_mldrouter6 [-l] <interface> <advertise|solicitate|terminate>
       [own-ip [own-mac-address]]
              Announce, delete or solicit an MLD router - yourself or others.

       fake_pim6 [-t ttl] [-s src6] [-d dst6] <interface> {<hello>
       [dr_priority]|{join|prune} <neighbor6> <multicast6> <target6>}
              The hello command optionally takes the DR priority (default:
              0).

       fake_router6 <interface> <router-ip-link-local
       network-address/prefix-length> <mtu> [mac-address]
              Announce yourself as a router and try to become the default
              router. If a non-existing mac-address is supplied, this results
              in a DoS.

       fake_router26 <interface>
              Like fake_router6 with more options available.

       fake_solicitate6 <interface> <solicited-ip>
              Solicits an IPv6 address on the network, sending it to the
              all-nodes multicast address.

       firewall6 [-u] <interface> <destination> <port> [test-case-no]
              Performs various ACL bypass attempts to check implementations.
              Defaults to TCP ports, option -u switches to UDP. For all test
              cases to work, ICMPv6 ping to the destination must be allowed.

       flood_advertise6 <interface>
              Flood the local network with neighbor advertisements.

       flood_dhcpc6 <interface> [domain-name]
              DHCP client flooder. Use to deplete the IP address pool a DHCP6
              server is offering. Note: if the pool is very large, this is
              rather senseless.

       flood_mld6 <interface>
              Flood the local network with MLD reports.

       flood_mld26 <interface>
              Flood the local network with MLDv2 reports.

       flood_mldrouter6 <interface>
              Flood the local network with MLD router advertisements.

       flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]]
              Flood a target with ICMPv6 redirects.

       flood_router6 <interface>
              Flood the local network with router advertisements.

       flood_router26 <interface>
              Similar to flood_router6 but with more options available.

       flood_rs6 [-sS] interface [target]
              Flood a network with ICMPv6 router solicitation messages.

       flood_solicitate6 <interface> [target-ip]
              Flood the network with neighbor solicitations.

       four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src
       ipv4-dst [port]
              Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over
              IPv6 networks).

       fragmentation6 <interface> <target-ip>
              Performs fragment firewall and implementation checks, including
              denial-of-service.

       fuzz_ip6 [-x] [-t number | -T number] [-p number] [-IFSDHRJ]
       [-1|-2|-3|-4|-5|-6|-7] <interface> <unicast-or-multicast-address>
       [address-in-data-pkt]
              Fuzzes an ICMPv6 packet.

       fuzz_dhcps6 [-t number | -T number] [-e number | -T number] [-p number]
       [-md] [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]
              Fuzzes a DHCPv6 server on specified packet types.

       implementation6 <interface> <destination> [test-case-number]
              Performs some IPv6 implementation checks; can be used to test
              firewalls too.

       implementation6d <interface>
              Identifies test packets sent by the implementation6 tool;
              useful to check which packets passed a firewall.

       inject_alive6 [-ap] <interface>
              This tool answers keep-alive requests on PPPoE and 6in4
              tunnels; for PPPoE it also sends keep-alive requests. Note that
              the appropriate environment variable THC_IPV6_{PPPOE|6IN4} must
              be set. Option -a will actively send alive requests every 15
              seconds. Option -p will not send replies to alive requests.

       inverse_lookup6 <interface> <mac-address>
              Performs an inverse address query to get the IPv6 addresses
              that are assigned to a MAC address. Note that only a few
              systems support this yet.

       kill_router6 <interface> <target-ip>
              Announce that the target router is going down to delete it from
              the routing tables. If you supply a '*' as target-ip, this tool
              will sniff the network for RAs and immediately send the kill
              packet.

       ndpexhaust26 <interface> [-acpPTUrR] [-s sourceip6] <target-network>
              Flood the target /64 network with ICMPv6 TooBig error messages.
              This version of the tool is many times more effective than
              ndpexhaust6.

              -a            add a hop-by-hop header with router alert.
              -c            do not calculate the checksum to save time.
              -p            send ICMPv6 Echo Requests.
              -P            send ICMPv6 Echo Reply.
              -T            send ICMPv6 Time-to-live-exceeded.
              -U            send ICMPv6 Unreachable (no route).
              -r            randomize the source from your /64 prefix.
              -R            randomize the source fully.
              -s sourceip6  use this as source IPv6 address.

       ndpexhaust6 <interface> <target-network>
              Randomly pings IPs in target network.

       node_query6 <interface> <target-ip>
              Sends an ICMPv6 node query request to the target and dumps the
              replies.

       parasite6 <interface> [fake-mac]
              This is an "ARP spoofer" for IPv6, redirecting all local
              traffic to your own system (or nirvana if fake-mac does not
              exist) by answering falsely to Neighbor Solicitation requests.
              Specifying FAKE-MAC results in a local DoS.

       passive_discovery6 <interface> [scriptname]
              Passively sniffs the network and dumps all client IPv6
              addresses detected. If scriptname is supplied, it is called
              with the detected IPv6 address as first and the interface as
              second parameters.

       randicmp6 <interface> <target-ip>
              Sends all ICMPv6 type and code combinations to target.

       redir6 <interface> <src-ip> <target-ip> <original-router> <new-router>
       [new-router-mac]
              Implant a route into src-ip, which redirects all traffic to
              target-ip to new-ip. You must know the router which would
              handle the route. If the new-router-mac does not exist, this
              results in a DoS.

       redirsniff6 <interface> <victim-ip> <destination-ip> <original-router>
       [<new-router> [new-router-mac]]
              Implant a route into victim-ip, which redirects all traffic to
              destination-ip to new-router. You must know the router which
              would handle the route. If the new-router and new-router-mac do
              not exist, this results in a DoS.

       rsmurf6 <interface> <victim-ip>
              Smurfs the local network of the victim. Note: this depends on
              an implementation error, currently only verified on Linux
              (fixed in current versions). Evil: "ff02::1" as victim will DoS
              your local LAN completely.

       smurf6 <interface> <victim-ip> [multicast-network-address]
              Smurf the target with ICMPv6 echo replies. Target of echo
              request is the local all-nodes multicast address if not
              specified.

       sendpees6 <interface> <key_length> <prefix> <victim-ip>
              Send SEND neighbor solicitation messages and make the target
              verify a lot of CGA and RSA signatures.

       sendpeesmp6 <interface> <key_length> <prefix> <victim-ip>
              Multithreaded version of sendpees6.

       trace6 [-d] <interface> targetaddress [port]
              A basic but very fast traceroute6 program.

       thcping6 <interface> <src6> <dst6> <srcmac> <dstmac> <data>
              Craft your special ICMPv6 echo request packet.

       thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] <interface> <target> <port>
              Flood the target port with TCP-SYN packets. If you supply "x"
              as port, it is randomized.

       toobig6 <interface> <target-ip> <existing-ip> <mtu>
              Implants the specified MTU on the target.

SEE ALSO

       nmap(1), amap(1), dsniff(8).

AUTHOR

       thc-ipv6 was written by van Hauser <vh@thc.org> / THC

       The homepage for this toolkit is:
       https://github.com/vanhauser-thc/thc-ipv6

       This manual page was written by Maykel Moya <mmoya@mmoya.org> and
       Arturo Borrero Gonzalez <arturo@debian.org>, for the Debian project
       (but may be used by others). It's based on previous work by Michael
       Gebetsroither <gebi@grml.org>.

Summer 2015                     ATTACK-TOOLKIT6                    THC-IPv6(8)