Nytro
Posted December 27, 2014

THC-IPV6

Last update 2014-12-27
Current public version: v2.7

For German-speaking people: the German c't magazine 11/13 and the iX IPv6 Kompakt (4/13) carry articles on how to use the thc-ipv6 toolkit to comprehensively test IPv6 firewalls.

Next trainings: CanSecWest 2015, Vancouver, 16-17 March 2015, "Professional Pentesting IPv6 Networks" (now bookable)

A complete tool set to attack the inherent protocol weaknesses of IPv6 and ICMP6, which includes an easy-to-use packet factory library.

[0x00] News and Changelog

Please note that public versions do not include all tools available! Only those who send in comprehensive patches and new tools for thc-ipv6 get the private versions, which are released more often and include unreleased tools and more!

If you want to participate, here is a list of tools that would be interesting:
 * Enhancing the library so it works on FreeBSD and OSX too
 * Create a tool which tests whether an IPv6 address is an endpoint for various tunnel protocols
 * Adding more exploit tests to exploit6 (I can supply a long list of exploit files)
 * Add a dhcp6 client fuzzer

If you want to work on a topic on the list, email me, so that multiple people do not end up working on the same tool. Contact: vh(at)thc(dot)org and put "antispam" in the subject line.

CHANGELOG:
##########

v2.7 - PUBLIC (31C3)
 * All flood_* tools:
   - changed destination so that targets can be remote. Yes, this should not work, but sometimes it does
 * New tool: fuzz_dhcpc6 - DHCPv6 client fuzzer, submitted by Darrell Ambro, thanks a lot!
 * Added new script: six2four.sh - send an IPv6 packet via a 6to4 gateway
 * Added new script: grep6.pl - extracts IPv6 addresses in all possible notations from a file (from Eric Vyncke)
 * alive6:
   - setting -C twice increases the common address search space significantly
   - fixed from-to definition implementation
   - added "-y step" option to define the step range when performing from-to scans (e.g. 2001:1::0-ff); the default step range is of course 1, max is 256
   - selects the source IPv6 address for every new target now; if no fitting IPv6 address is present on the interface, waits until one is
   - if you use -s for alive scanning, the new "one packet fingerprinting" functionality is automatically used, courtesy of warlord @ nologin from his poison tool
   - error message if a packet cannot be sent for >50ms, and waiting for 60 seconds
   - cleaned up help output and added -hh for more help/options output
 * thcsyn6:
   - added -m dstmac option (good for DoSing local, esp. hot standby addresses)
   - added -d dst hdr option
   - documented -a hbh-ra option
 * denial6:
   - added five more test cases with HBH-RA and AH headers
 * flood_router26:
   - added -a hopbyhop with router alert option
   - changed a default so the attacks do not show up in Snort IDS
 * flood_redir6:
   - added -a hopbyhop with router alert option
 * flood_solicitate6:
   - added query address parameter option
   - added -a hopbyhop with router alert option
 * fuzz_ip6:
   - fixes for HBH and DST EH fuzzing
 * thcping6:
   - added -x flood option
   - added -e ethertype option
   - added -V IP version option
   - added -L payload length option
   - added -N next header option
   - now prints the fragment ID of fragmented replies
 * implementation6:
   - a few more test cases and fixes
 * dump_dhcp6:
   - more option decoding, better solicitate packet
   - added sending information request packet
 * four2six:
   - support for source port and ping ID (required for AFTR)
 * trace6:
   - support for MTU sizes > 2500 added
 * implementation6:
   - fixed test cases where the wrong fragment next header was set (thanks to Gabriel Bertram for reporting)
 * inverse_lookup6:
   - fixed to display only the IPv6 addresses (and not interpret other data as such)
 * thc-ipv6-lib:
   - global addresses are now preferred over unique local if no destination is set
   - fixed a bug in the IPv4 CRC calculation function
 * cppcheck and Coverity issues checked and fixed
 * added spelling fixes by Debian maintainers

[0x01] Introduction

Welcome to the mini website of the THC IPV6 project. This code was inspired when I got in touch with IPv6, learned more and more about it - and then found no tools to play (read: "hack") around with. First I tried to implement things with libnet, but then found out that its IPv6 implementation is only partial - and sucks. I tried to add the missing code, but well, it was not so easy, hence I saved my time and quickly wrote my own library. (That was 2005 though; today libnet and other packet creation libraries have full IPv6 support.)

[0x02] Disclaimer

1. This tool is for legal purposes only!
2. The AGPLv3 applies to this code.

[0x03] Some Of The Included Tools

 - parasite6: ICMP neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP MITM (and parasite)
 - alive6: an effective alive scanner, which will detect all systems listening to this address
 - dnsdict6: parallelized DNS IPv6 dictionary bruteforcer
 - fake_router6: announce yourself as a router on the network, with the highest priority
 - redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever ICMP6 redirect spoofer
 - toobig6: MTU decreaser with the same intelligence as redir6
 - detect-new-ip6: detect new IPv6 devices which join the network; you can run a script to automatically scan these systems etc.
 - dos-new-ip6: detect new IPv6 devices and tell them that their chosen IP collides on the network (DoS).
 - trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
 - flood_router6: flood a target with random router advertisements
 - flood_advertise6: flood a target with random neighbor advertisements
 - exploit6: known IPv6 vulnerabilities to test against a target
 - denial6: a collection of denial-of-service tests against a target
 - fuzz_ip6: fuzzer for IPv6
 - implementation6: performs various implementation checks on IPv6
 - implementation6d: listen daemon for implementation6 to check behind a firewall
 - fake_mld6: announce yourself in a multicast group of your choice on the net
 - fake_mld26: same but for MLDv2
 - fake_mldrouter6: fake MLD router messages
 - fake_mipv6: steal a mobile IP to yours if IPsec is not needed for authentication
 - fake_advertiser6: announce yourself on the network
 - smurf6: local smurfer
 - rsmurf6: remote smurfer, known to work only against Linux at the moment
 - sendpees6: a tool by willdamn(ad)gmail.com, which generates neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.
 - thcping6: sends a hand-crafted ping6 packet

[and about 30 more tools for you to discover!]

[0x04] Installation

THC-IPV6 requires the libpcap development files to be installed; the OpenSSL development files are also a good idea. On Debian/Ubuntu you can install them with:

  $ sudo apt-get install libpcap-dev libssl-dev

To compile, simply type

  $ make

All tools are installed to /usr/local/bin if you type

  $ sudo make install

[0x05] Documentation

THC-IPV6 comes with a rather long README file that describes the details of the usage and the library interface.

[0x06] Development & Contributions

Your contributions are more than welcome! If you find bugs, coded enhancements or wrote a new attack tool, please send them to vh (at) thc (dot) org - and add the word "antispam" to the subject line.
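The changelog above mentions grep6.pl, which pulls IPv6 addresses "in all possible notations" out of a file. That is the one piece of the toolkit a defender reaches for most often, when correlating firewall, sshd and web logs in which the same host shows up as 2001:DB8::1, 2001:db8:0:0:0:0:0:1 or [2001:db8::1]:443. The following is an added Python example written for this post; it is not grep6.pl, not part of THC-IPV6, and the log lines in SAMPLE_LOG are constructed. It finds candidate tokens with a deliberately loose regex, lets the standard ipaddress module do the real validation (so timestamps and MAC addresses are rejected), keeps any %zone id, and counts hits per host on the exploded form so every spelling of one address collapses into one key.

```python
"""Extract IPv6 addresses in any notation from free text (e.g. log files).

Added example, not part of THC-IPV6: a Python counterpart to what the
changelog says grep6.pl does, plus normalisation so that the same host
written as 2001:DB8::1, 2001:db8:0:0:0:0:0:1 or [2001:db8::1]:443 is
counted once. SAMPLE_LOG below is constructed for this example.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Loose candidate pattern: a run of hex digits, dots and colons containing at
# least two colons, optionally followed by a %zone id. It is deliberately
# permissive; ipaddress does the real validation and rejects timestamps
# (10:15:02), MAC addresses (00:11:22:33:44:55) and other look-alikes.
_CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z:])"                               # not glued to a preceding word
    r"([0-9A-Fa-f.:]*:[0-9A-Fa-f.:]*:[0-9A-Fa-f.:]*)"  # at least two colons
    r"(?:%([A-Za-z0-9_.-]+))?"                         # optional zone, e.g. %eth0
)


def _parse(token: str) -> ipaddress.IPv6Address | None:
    """Parse token as IPv6, tolerating trailing sentence punctuation."""
    # The raw token is tried first so that "2001:db8::" keeps its trailing "::".
    for candidate in (token, token.rstrip("."), token.rstrip(".").rstrip(":")):
        try:
            return ipaddress.IPv6Address(candidate)
        except ValueError:
            continue
    return None


def extract_ipv6(text: str) -> list[tuple[ipaddress.IPv6Address, str | None]]:
    """Return (address, zone) for every IPv6 address in text, in order of appearance."""
    found = []
    for match in _CANDIDATE.finditer(text):
        address = _parse(match.group(1))
        if address is not None:
            found.append((address, match.group(2)))
    return found


def count_hosts(text: str) -> Counter:
    """Count occurrences per host, keyed on the exploded form so that all
    notations of one address collapse into a single key."""
    return Counter(address.exploded for address, _zone in extract_ipv6(text))


# Constructed sample log lines (not real traffic): the same host appears in
# four different notations, next to a timestamp and a MAC that must not match.
SAMPLE_LOG = """\
2014-12-27T10:15:02 sshd: Accepted publickey from 2001:DB8::1 port 51234
2014-12-27T10:15:03 nginx: client [2001:db8::1]:443 "GET / HTTP/1.1" 200
2014-12-27T10:15:04 kernel: RA from fe80::1%eth0 (lladdr 00:11:22:33:44:55) prio high
2014-12-27T10:15:05 app: peer 2001:db8:0:0:0:0:0:1, fallback ::ffff:192.0.2.1.
"""

if __name__ == "__main__":
    for address, zone in extract_ipv6(SAMPLE_LOG):
        shown = address.compressed + (f"%{zone}" if zone else "")
        print(f"{shown:<28} {address.exploded}")
    for host, hits in count_hosts(SAMPLE_LOG).most_common():
        print(hits, host)
```

Run against the constructed sample it reports three hits for 2001:db8::1 (all three spellings), one for the link-local fe80::1 with zone eth0, and one for the IPv4-mapped ::ffff:192.0.2.1, while the timestamps and the MAC address produce nothing. Keying on the exploded form rather than on str() keeps the counts stable across Python versions, which differ in how they print IPv4-mapped addresses.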
[0x07] The Art of Downloading: Source and Binaries

The source code of THC-IPV6: thc-ipv6-2.7.tar.gz (Note: Linux only)

Comments and suggestions are welcome.

Yours sincerely,
van Hauser
The Hackers Choice
http://www.thc.org

Source: https://www.thc.org/thc-ipv6/