THC-IPv6(8) System Manager's Manual THC-IPv6(8)

NAME
The Hacker Choice's IPv6 Attack Toolkit (aka thc-ipv6)

SYNOPSIS
tool [options] ...

DESCRIPTION
This manual page briefly documents each of the attack-toolkit6
tools. Not all options are listed here; to see the full list of
options of each tool, invoke it with -h.

Note that on Debian (if you read this on Debian) command names
are prefixed with atk6-, so for example the tool alive6 should
be invoked as atk6-alive6. This is a Debian-only modification.

address6 <mac-address/ipv4-address/ipv6-address> [ipv6-prefix]
Converts a mac or ipv4 address to an ipv6 address (link local if
no prefix is given as 2nd option) or, when given an ipv6 address,
prints the mac or ipv4 address. Prints all possible variations.
Returns -1 on errors or the number of variations found.
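
One standard mapping between a MAC address and an IPv6 address is modified EUI-64 (RFC 4291, Appendix A), which is also what lets an analyst recover a hardware address from an autoconfigured address seen in logs. The sketch below is an added example, not code from thc-ipv6: the function names are hypothetical, it covers only the MAC case (not the ipv4 variations), and the sample addresses are constructed.

```python
import ipaddress

# Added illustration (not thc-ipv6 code). Helper names are hypothetical.

def mac_to_ipv6(mac, prefix="fe80::/64"):
    """Build the modified EUI-64 address for a MAC inside a /64 (or shorter) prefix."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the OUI and the device-specific half.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("prefix must be /64 or shorter")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big")
    )

def ipv6_to_mac(addr):
    """Return the embedded MAC if the interface ID is EUI-64 derived, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        # Manual, privacy or other non-EUI-64 interface ID: no MAC to recover.
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    # Constructed sample values.
    print(mac_to_ipv6("00:11:22:33:44:55"))
    print(mac_to_ipv6("00:11:22:33:44:55", "2001:db8:1:2::/64"))
    print(ipv6_to_mac("fe80::211:22ff:fe33:4455"))
    print(ipv6_to_mac("2001:db8:1:2::1"))
```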

alive6 <interface> [unicast-or-multicast-address [remote-router]]
Shows alive addresses in the segment. If you specify a remote
router, the packets are sent with a routing header prefixed by
fragmentation.

covert_send6 <interface> <target> <file> [port]
Sends the content of FILE covertly to the target.

covert_send6d <interface> <file>
Writes covertly received content to FILE.

denial6 <interface> <destination> <test-case-number>
Performs various denial of service attacks on a target.

detect_sniffer6 <interface> [target-ip]
Tests if systems on the local LAN are sniffing. Works against
Windows, Linux, OS/X and *BSD systems.

dnssecwalk [-e46] <dns-server> <domain>
Performs DNSSEC NSEC walking.

dos_mld <interface>
This tool prevents new ipv6 interfaces from coming up by sending
answers to duplicate ip6 checks (DAD). This results in a DOS for
new ipv6 devices.

dos-new-ip6 <interface>
This tool prevents new ipv6 interfaces from coming up by sending
answers to duplicate ip6 checks (DAD). This results in a DOS for
new ipv6 devices.

detect-new-ip6 <interface> [scriptname]
This tool detects new ipv6 addresses joining the local network.
If scriptname is supplied, it is executed with the detected IPv6
address as option.

dnsdict6 [-t THREADS] <domain> [dictionary-file]
Enumerates a domain for DNS entries; it uses a dictionary file
if supplied or a built-in list otherwise.

dnsrevenum6 <dns-server> <ipv6-address>
Performs a fast reverse DNS enumeration.

dump_router6 <interface>
Dumps all local routers and their information.

dump_dhcp6 <interface>
Dumps all DHCPv6 servers and their information.

exploit6 <interface> <destination> [test-case-number]
Performs exploits of various CVE-known IPv6 vulnerabilities on
the destination.

extract_hosts6 <file>
Prints the host parts of ipv6 addresses in file.

extract_networks6 <interface>
Prints the networks found in file.

fake_advertise6 <interface> <ip-address> [target-address [own-mac-address]]
Advertise ipv6 address on the network (with own mac if not
defined) sending it to the all-nodes multicast address if no
target specified.

fake_dhcps6 <interface> <network-address/prefix-length> <dns-server>
Fake DHCPv6 server. Used to configure an address and set a DNS
server.

fake_dns6d <interface> <ipv6-address>
Fake DNS server that serves the same IPv6 address to any lookup
request.

fake_dnsupdate6 <dns-server> <fqdn> <ipv6-address>
Send false DNS update requests.

fake_mipv6 <interface> <home-address> <home-agent-address> <care-of-address>
If the mobile IPv6 home-agent is mis-configured to accept MIPV6
updates without IPSEC, this will redirect all packets for
home-address to care-of-address.

fake_mld6 <interface> <multicast-address> [[target-address] [[ttl]
[[own-ip] [own-mac-address]]]]
Advertise yourself in a multicast group of your choice.

fake_mld26 [-l] <interface> <add|delete|query> [multicast-address
[target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]]
This uses the MLDv2 protocol. Only a subset of what the protocol
is able to do is possible to implement via a command line.

fake_mldrouter6 [-l] <interface> <advertise|solicitate|terminate>
[own-ip [own-mac-address]]
Announce, delete or solicitate MLD router - yourself or others.

fake_pim6 [-t ttl] [-s src6] [-d dst6] <interface> {<hello>
[dr_priority]|{join|prune} <neighbor6> <multicast6> <target6>}
The hello command takes optionally the DR priority (default: 0).

fake_router6 <interface> <router-ip-link-local
network-address/prefix-length> <mtu> [mac-address]
Announce yourself as a router and try to become the default
router. If a non-existing mac-address is supplied, this results
in a DOS.

fake_router26 <interface>
Like fake_router6 with more options available.

fake_solicitate6 <interface> <solicited-ip>
Solicits IPv6 address on the network, sending it to the
all-nodes multicast address.

firewall6 [-u] <interface> <destination> <port> [test-case-no]
Performs various ACL bypass attempts to check implementations.
Defaults to TCP ports, option -u switches to UDP. For all test
cases to work, ICMPv6 ping to the destination must be allowed.

flood_advertise6 <interface>
Flood the local network with neighbor advertisements.

flood_dhcpc6 <interface> [domain-name]
DHCP client flooder. Use to deplete the IP address pool a DHCP6
server is offering. Note: if the pool is very large, this is
rather senseless.

flood_mld6 <interface>
Flood the local network with MLD reports.

flood_mld26 <interface>
Flood the local network with MLDv2 reports.

flood_mldrouter6 <interface>
Flood the local network with MLD router advertisements.

flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]]
Flood a target with ICMPv6 redirects.

flood_router6 <interface>
Flood the local network with router advertisements.

flood_router26 <interface>
Similar to flood_router6 but with more options available.

flood_rs6 [-sS] interface [target]
Flood a network with ICMPv6 router solicitation messages.

flood_solicitate6 <interface> [target-ip]
Flood the network with neighbor solicitations.

four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src
ipv4-dst [port]
Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over
IPv6 networks).

fragmentation6 <interface> <target-ip>
Performs fragment firewall and implementation checks, including
denial-of-service.

fuzz_ip6 [-x] [-t number | -T number] [-p number] [-IFSDHRJ]
[-1|-2|-3|-4|-5|-6|-7] <interface> <unicast-or-multicast-address>
[address-in-data-pkt]
Fuzzes an icmp6 packet.

fuzz_dhcps6 [-t number | -T number] [-e number | -T number] [-p number]
[-md] [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]
Fuzzes a DHCPv6 server on specified packet types.

implementation6 <interface> <destination> [test-case-number]
Performs some ipv6 implementation checks, can be used to test
firewalls too.

implementation6d <interface>
Identifies test packets by the implementation6 tool, useful to
check what packets passed a firewall.

inject_alive6 [-ap] <interface>
This tool answers to keep-alive requests on PPPoE and 6in4
tunnels; for PPPoE it also sends keep-alive requests. Note that
the appropriate environment variable THC_IPV6_{PPPOE|6IN4} must
be set. Option -a will actively send alive requests every 15
seconds. Option -p will not send replies to alive requests.

inverse_lookup6 <interface> <mac-address>
Performs an inverse address query, to get the IPv6 addresses
that are assigned to a MAC address. Note that only a few systems
support this yet.

kill_router6 <interface> <target-ip>
Announce that target router is going down to delete it from the
routing tables. If you supply a '*' as target-ip, this tool will
sniff the network for RAs and immediately send the kill packet.

ndpexhaust26 <interface> [-acpPTUrR] [-s sourceip6] <target-network>
Flood the target /64 network with ICMPv6 TooBig error messages.
This tool version is manyfold more effective than ndpexhaust6.
-a  add a hop-by-hop header with router alert.
-c  do not calculate the checksum to save time.
-p  send ICMPv6 Echo Requests.
-P  send ICMPv6 Echo Reply.
-T  send ICMPv6 Time-to-live-exceeded.
-U  send ICMPv6 Unreachable (no route).
-r  randomize the source from your /64 prefix.
-R  randomize the source fully.
-s sourceip6  use this as source ipv6 address.

ndpexhaust6 <interface> <target-network>
Randomly pings IPs in target network.

node_query6 <interface> <target-ip>
Sends an ICMPv6 node query request to the target and dumps the
replies.

parasite6 <interface> [fake-mac]
This is an "ARP spoofer" for IPv6, redirecting all local traffic
to your own system (or nirvana if fake-mac does not exist) by
answering falsely to Neighbor Solicitation requests. Specifying
FAKE-MAC results in a local DOS.

passive_discovery6 <interface> [scriptname]
Passively sniffs the network and dumps all client IPv6 addresses
detected. If scriptname is supplied, it is called with the
detected IPv6 address as first and the interface as second
parameters.

randicmp6 <interface> <target-ip>
Sends all ICMPv6 type and code combinations to target.

redir6 <interface> <src-ip> <target-ip> <original-router> <new-router>
[new-router-mac]
Implant a route into src-ip, which redirects all traffic to
target-ip to new-ip. You must know the router which would handle
the route. If the new-router-mac does not exist, this results
in a DOS.

redirsniff6 <interface> <victim-ip> <destination-ip> <original-router>
[<new-router> [new-router-mac]]
Implant a route into victim-ip, which redirects all traffic to
destination-ip to new-router. You must know the router which
would handle the route. If the new-router and new-router-mac
do not exist, this results in a DoS.

rsmurf6 <interface> <victim-ip>
Smurfs the local network of the victim. Note: this depends on an
implementation error, currently only verified on Linux (fixed in
current versions). Evil: "ff02::1" as victim will DOS your local
LAN completely.

smurf6 <interface> <victim-ip> [multicast-network-address]
Smurf the target with ICMPv6 echo replies. Target of echo request
is the local all-nodes multicast address if not specified.

sendpees6 <interface> <key_length> <prefix> <victim-ip>
Send SEND neighbor solicitation messages and make the target
verify a lot of CGA and RSA signatures.

sendpeesmp6 <interface> <key_length> <prefix> <victim-ip>
Multithreaded version of sendpees6.

trace6 [-d] <interface> targetaddress [port]
A basic but very fast traceroute6 program.

thcping6 <interface> <src6> <dst6> <srcmac> <dstmac> <data>
Craft your special ICMPv6 echo request packet.

thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] <interface> <target> <port>
Flood the target port with TCP-SYN packets. If you supply "x" as
port, it is randomized.

toobig6 <interface> <target-ip> <existing-ip> <mtu>
Implants the specified mtu on the target.

SEE ALSO
nmap(1), amap(1), dsniff(8).

AUTHOR
thc-ipv6 was written by van Hauser <vh@thc.org> / THC

The homepage for this toolkit is:
https://github.com/vanhauser-thc/thc-ipv6

This manual page was written by Maykel Moya <mmoya@mmoya.org> and
Arturo Borrero Gonzalez <arturo@debian.org>, for the Debian project
(but may be used by others). It's based on previous work by Michael
Gebetsroither <gebi@grml.org>.

Summer 2015 ATTACK-TOOLKIT6 THC-IPv6(8)