THC-IPV6

 Last update 2013-04-24
 Current public version: v2.1 (29C3 release)
 Next planned release: 4th May 2013, v2.2


 For German-speaking people: the German C't magazine 11/13 (available from the 5-13th May)
 will have an article on how to use the thc-ipv6 toolkit to comprehensively test IPv6 firewalls.
 
 Next Trainings:
    44Con, London, 10-11th September 2013, "Pentesting & Securing IPv6 Networks" (bookable now)
 


 A complete tool set to attack the inherent protocol weaknesses of IPV6
 and ICMP6, including an easy-to-use packet factory library.


 [0x00] News and Changelog
 
        Please note that public versions do not include all tools available!
        Only those who send in comprehensive patches and new tools for thc-ipv6 get the private
        versions which are released more often, include unreleased tools and more!

	If you want to participate, here is a list of tools that would be interesting:
	  * Adding raw mode (sending into a sit 6to4 tunnel) to the library (the current implementation doesn't work)
	  * Enhancing the library so it works on FreeBSD and OSX too
	  * Create a tool which tests an ipv6 address if it is an endpoint for various tunnel protocols
	  * Adding more exploit tests to exploit6 (I can supply a long list of exploit files)
	  * Adding more denial of service tests to denial6
	  * Add a dhcp6 client fuzzer
	  * Add a dhcp6 server fuzzer
	If you want to work on a topic on the list, email me, so that multiple people are not working on the same tool.
	Contact: vh(at)thc(dot)org and put "antispam" in the subject line.


	CHANGELOG:
	##########

        v2.1 - PUBLIC
        * added new tool: dnssecwalk - performs NSEC walking including IPv6+IPv4 resolving
        * added new tool: firewall6 - various TCP/UDP ACL bypass test cases
        * added new tool: fake_pim6 - send fake hello and join/prune pim messages
        * added new tool: ndpexhaust26 - very performant ndp exhauster based on ICMP error toobig messages but can send many types of packets
        * alive6: ranges are now supported in the input file too
        * parasite6: enhancements to make it way more effective
        * fake_router26: added overlap RA guard evasion type (-E o, -E O)
        * dos-new-ip6: fix that only DAD replies are sent, not full NDP spoofing :-) (thanks to Johannes Weber for reporting)
        * flood_router26: Added local LAN privacy extension prevention attack by George Kargiotakis
        * randicmp6:
           - added function which dumps icmp answers received
           - added functionality to send a specific type (and also code)
        * dnsdict6: added SRV result address resolving
        * trace6: fix for routers which add padding to the packets
        * fuzz_ip6: added -X option for not sending a transport layer
        * inject_alive6: added -a option to allow selective active alive sending
        * fake_advertise6: when no srcmac was specified, it was sent as all zeroes instead of the real mac (thanks to Jannes Weber for reporting)
        * fixed various injection issues (mostly too large packets for MTU on interface)
        * thc-ipv6-lib: added function thc_send_as_overlapping_{first,last}_fragment6
        * Added GPL exception clause to license to allow linking to OpenSSL - debian people need this
        * Makefile: added patch from gentoo maintainers
        

 [0x01] Introduction
 	Welcome to the mini website of the THC IPV6 project.

	This code was inspired when I got into touch with IPv6, learned more and
	more about it - and then found no tools to play (read: "hack") around with.
	First I tried to implement things with libnet, but then found out that
	the ipv6 implementation is only partial - and sucks. I tried to add the
	missing code, but well, it was not so easy, hence I saved my time and
	quickly wrote my own library. (That was 2005 though, today libnet and
	other packet creation libraries have full IPv6 support.)


 [0x02] Disclaimer

	1. This tool is for legal purposes only!
	2. The GPLv3 applies to this code.


 [0x03] Some Of The Included Tools
	- parasite6: icmp neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
	- alive6: an effective alive scanner, which will detect all systems listening to this address
	- dnsdict6: parallelized dns ipv6 dictionary bruteforcer
	- fake_router6: announce yourself as a router on the network, with the highest priority
	- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
	- toobig6: mtu decreaser with the same intelligence as redir6
	- detect-new-ip6: detect new ip6 devices which join the network, you can run a script to automatically scan these systems etc.
	- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
	- trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
	- flood_router6: flood a target with random router advertisements
	- flood_advertise6: flood a target with random neighbor advertisements
	- exploit6: known ipv6 vulnerabilities to test against a target
	- denial6: a collection of denial-of-service tests against a target
	- fuzz_ip6: fuzzer for ipv6
	- implementation6: performs various implementation checks on ipv6
	- implementation6d: listen daemon for implementation6 to check behind a fw
	- fake_mld6: announce yourself in a multicast group of your choice on the net
	- fake_mld26: same but for MLDv2
	- fake_mldrouter6: fake MLD router messages
	- fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
	- fake_advertiser6: announce yourself on the network
	- smurf6: local smurfer
	- rsmurf6: remote smurfer, known to work only against linux at the moment
	- sendpees6: a tool by willdamn(ad)gmail.com, which generates neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.
        - thcping6: sends a hand crafted ping6 packet
        [and about 25 more tools for you to discover]


 [0x04] Documentation 
 
	THC-IPV6 comes with a rather long README file that describes the
	details about the usage and library interface.


 [0x05] Development & Contributions

	Your contributions are more than welcomed!
	
	If you found bugs, coded enhancements or wrote a new attack tool
	please send them to vh (at) thc (dot) org - and add the word "antispam"
	to the subject line.


 [0x06] The Art of Downloading: Source and Binaries
 

	The source code of THC-IPV6: thc-ipv6-2.1.tar.gz
	(Note: Linux only)


 Comments and suggestions are welcome.

 Yours sincerely,

 van Hauser
 The Hackers Choice
 http://www.thc.org




THC-IPV6

 Last update 2006-10-24


 A complete tool set to attack the inherent protocol weaknesses of IPV6
 and ICMP6, including an easy-to-use packet factory library.
 Download the current version here: 

 thc-ipv6-0.6.tar.gz
 thc-ipv6-0.7.tar.gz
 thc-ipv6-1.2.tar.gz
 thc-ipv6-1.6.tar.gz
 thc-ipv6-2.1.tar.gz

 Thanks a lot to all those conference organizers for making it possible for me
 to show my presentation all over the world:
   * Pacsec, Tokyo, November 2005
   * CCC Congress, Berlin, December 2005
   * EuSecWest, London, February 2006
   * CanSecWest, Vancouver, April 2006
   * Hack in the Box, Kuala Lumpur, September 2006
   * Hack LU, Luxembourg, October 2006
 And here is - finally - the complete presentation for downloading: vh_thc-ipv6_attack.pdf
 Have fun!


 [0x00] News and Changelog

	CHANGELOG for 0.7:
	###########
	* Added sendpees6.c and a patch from willdamn(ad)gmail.com - thanks a lot!
	  This is the 2nd public version, released during HITB 2006

	Have fun!


 [0x01] Introduction
 	Welcome to the mini website of the THC IPV6 project.

	This code was inspired when I got into touch with IPv6, learned more and
	more about it - and then found no tools to play (read: "hack") around with.
	First I tried to implement things with libnet, but then found out that
	the ipv6 implementation is only partial - and sucks. I tried to add the
	missing code, but well, it was not so easy, hence I saved my time and
	quickly wrote my own library.


 [0x02] Disclaimer

	1. This tool is for legal purposes only!
	4. The GPL 3.0 applies to this code.


 [0x03] The Included Tools
	- parasite6: icmp neighbor solicitation/advertisement spoofer, puts you
	   as man-in-the-middle, same as ARP mitm (and parasite)
	- alive6: an effective alive scanner, which will detect all systems
	   listening to this address
	- fake_router6: announce yourself as a router on the network, with the
	   highest priority
	- redir6: redirect traffic to you intelligently (man-in-the-middle) with
	   a clever icmp6 redirect spoofer
	- toobig6: mtu decreaser with the same intelligence as redir6
	- detect-new-ip6: detect new ip6 devices which join the network, you can
	   run a script to automatically scan these systems etc.
	- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP
	   collides on the network (DOS).
	- fake_mld6: announce yourself in a multicast group of your choice on the net
	- fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
	- fake_advertiser6: announce yourself on the network
	- smurf6: local smurfer
	- rsmurf6: remote smurfer, known to work only against linux at the moment
	- sendpees6: a tool by willdamn(ad)gmail.com, which generates neighbor
	   solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.


 [0x04] Documentation

	THC-IPV6 comes with a rather long README file that describes the
	details about the usage and library interface.


 [0x05] Development & Contributions

	Your contributions are more than welcomed!

	If you found bugs, coded enhancements or wrote a new attack tool
	please send them to vh (at) thc (dot) org


 [0x06] The Art of Downloading: Source and Binaries

	The source code of IPV6: thc-ipv6-0.7.tar.gz
	(Note: it is for Linux 2.6, IA32 only!)


 Comments and suggestions are welcome.

 Yours sincerely,

 van Hauser
 The Hackers Choice
 http://www.thc.org