THC-IPV6
THC-IPV6 Package Description
A complete tool set for attacking the inherent protocol weaknesses of IPV6 and ICMP6, including an easy-to-use packet factory library.
Source: https://www.thc.org/thc-ipv6/
- Author: The Hacker’s Choice
- License: AGPLv3
Tools included in the thc-ipv6 package
6to4test.sh – Tests if the IPv4 target has a dynamic 6to4 tunnel active
Syntax: /usr/bin/6to4test.sh interface ipv4address
This little script tests if the IPv4 target has a dynamic 6to4 tunnel active
Requires address6 and thcping6 from thc-ipv6
address6 – Converts a mac or ipv4 address to an ipv6 address
address6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax:
address6 mac-address [ipv6-prefix]
address6 ipv4-address [ipv6-prefix]
address6 ipv6-address
Converts a mac or ipv4 address to an ipv6 address (link local if no prefix is
given as 2nd option) or, when given an ipv6 address, prints the mac or ipv4
address. Prints all possible variations. Returns -1 on errors or the number of
variations found
alive6 – Shows alive addresses in the segment
alive6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: alive6 [-I srcip6] [-i file] [-o file] [-DM] [-p] [-F] [-e opt] [-s port,..] [-a port,..] [-u port,..] [-W TIME] [-dlrvS] interface [unicast-or-multicast-address [remote-router]]
Shows alive addresses in the segment. If you specify a remote router, the
packets are sent with a routing header prefixed by fragmentation
Options:
-i file check systems from input file
-o file write results to output file
-M enumerate hardware addresses (MAC) from input addresses (slow!)
-D enumerate DHCP address space from input addresses
-p send a ping packet for alive check (default)
-e dst,hop send an errornous packets: destination (default), hop-by-hop
-s port,port,.. TCP-SYN packet to ports for alive check
-a port,port,.. TCP-ACK packet to ports for alive check
-u port,port,.. UDP packet to ports for alive check
-d DNS resolve alive ipv6 addresses
-n number how often to send each packet (default: local 1, remote 2)
-W time time in ms to wait after sending a packet (default: 1)
-S slow mode, get best router for each remote target or when proxy-NA
-I srcip6 use the specified IPv6 address as source
-l use link-local address instead of global address
-v verbose (twice: detailed information, thrice: dumping all packets)
Target address on command line or in input file can include ranges in the form
of 2001:db8::1-fff or 2001:db8::1-2:0-ffff:0:0-ffff, etc.
Returns -1 on errors, 0 if a system was found alive or 1 if nothing was found.
covert_send6 – Sends the content of FILE covertly to the target
covert_send6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: covert_send6 [-m mtu] [-k key] [-s resend] interface target file [port]
Options:
-m mtu specifies the maximum MTU (default: interface MTU, min: 1000)
-k key encrypt the content with Blowfish-160
-s resend send each packet RESEND number of times, default: 1
Sends the content of FILE covertly to the target, And its POC – dont except
too much sophistication – its just put into the destination header.
covert_send6d – Writes covertly received content to FILE
covert_send6d v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: covert_send6d [-k key] interface file
Options:
-k key decrypt the content with Blowfish-160
Writes covertly received content to FILE.
denial6 – Performs various denial of service attacks on a target
denial6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: denial6 interface destination test-case-number
Performs various denial of service attacks on a target
If a system is vulnerable, it can crash or be under heavy load, so be careful!
If not test-case-number is supplied, the list of shown.
detect-new-ip6 – This tool detects new ipv6 addresses joining the local network
detect-new-ip6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: detect-new-ip6 interface [script]
This tools detects new ipv6 addresses joining the local network.
If script is supplied, it is executed with the detected IPv6 address as first
and the interface as second command line option.
detect_sniffer6 – Tests if systems on the local LAN are sniffing
detect_sniffer6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: detect_sniffer6 interface [target6]
Tests if systems on the local LAN are sniffing.
Works against Windows, Linux, OS/X and *BSD
If no target is given, the link-local-all-nodes address is used, which
however rarely works.
dnsdict6 – Enumerates a domain for DNS entries
dnsdict6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: dnsdict6 [-d46] [-s|-m|-l|-x] [-t THREADS] [-D] domain [dictionary-file]
Enumerates a domain for DNS entries, it uses a dictionary file if supplied
or a built-in list otherwise. This tool is based on dnsmap by gnucitizen.org.
Options:
-4 also dump IPv4 addresses
-t NO specify the number of threads to use (default: 8, max: 32).
-D dump the selected built-in wordlist, no scanning.
-d display IPv6 information on NS and MX DNS domain information.
-S perform SRV service name guessing
-[smlx] choose the dictionary size by -s(mall=50), -m(edium=796) (DEFAULT)
-l(arge=1416), or -x(treme=3211)
dnsrevenum6 – Performs a fast reverse DNS enumeration and is able to cope with slow servers
dnsrevenum6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: dnsrevenum6 dns-server ipv6address
Performs a fast reverse DNS enumeration and is able to cope with slow servers.
Examples:
dnsrevenum6 dns.test.com 2001:db8:42a8::/48
dnsrevenum6 dns.test.com 8.a.2.4.8.b.d.0.1.0.0.2.ip6.arpa
dnssecwalk – Perform DNSSEC NSEC walking
dnssecwalk v1.2 (c) 2013 by Marc Heuse <[email protected]> http://www.mh-sec.de
Syntax: dnssecwalk [-e46] dns-server domain
Options:
-e ensure that the domain is present in found addresses, quit otherwise
-4 resolve found entries to IPv4 addresses
-6 resolve found entries to IPv6 addresses
Perform DNSSEC NSEC walking.
Example: dnssecwalk dns.test.com test.com
dos_mld.sh – If specified, the multicast address of the target will be dropped first
Syntax: /usr/bin/dos_mld.sh [-2] interface [target-link-local-address multicast-address]
If specified, the multicast address of the target will be dropped first.
All multicast traffic will cease after a while.
Specify -2 to use MLDv2.
dos-new-ip6 – This tool prevents new ipv6 interfaces from coming up
dos-new-ip6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: dos-new-ip6 interface
This tools prevents new ipv6 interfaces to come up, by sending answers to
duplicate ip6 checks (DAD). This results in a DOS for new ipv6 devices.
dump_router6 – Dumps all local routers and their information
dump_router6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: dump_router6 interface
Dumps all local routers and their information
exploit6 – Performs exploits of various CVE known IPv6 vulnerabilities on the destination
exploit6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: exploit6 interface destination [test-case-number]
Performs exploits of various CVE known IPv6 vulnerabilities on the destination
Note that for exploitable overflows only ‘AAA…’ strings are used.
If a system is vulnerable, it will crash, so be careful!
extract_hosts6.sh – prints the host parts of IPv6 addresses in FILE
/usr/bin/extract_hosts6.sh FILE
prints the host parts of IPv6 addresses in FILE
extract_networks6.sh – prints the networks found in FILE
/usr/bin/extract_networks6.sh FILE
prints the networks found in FILE
fake_advertise6 – Advertise ipv6 address on the network
fake_advertise6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: fake_advertise6 [-DHF] [-Ors] [-n count] [-w seconds] interface ip-address-advertised [target-address [mac-address-advertised [source-ip-address]]]
Advertise ipv6 address on the network (with own mac if not specified),
sending it to the all-nodes multicast address if no target address is set.
Source ip addresss is the address advertised if not set.
Sending options:
-n count send how many packets (default: forever)
-w seconds wait time between the packets sent (default: 5)
Flag options:
-O do NOT set the override flag (default: on)
-r DO set the router flag (default: off)
-s DO set the solicitate flag (default: off)
ND Security evasion options (can be combined):
-H add a hop-by-hop header
-F add a one shot fragment header (can be specified multiple times)
-D add a large destination header which fragments the packet.
fake_dhcps6 – Fake DHCPv6 server
fake_dhcps6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: fake_dhcps6 interface network-address/prefix-length dns-server [dhcp-server-ip-address [mac-address]]
Fake DHCPv6 server. Use to configure an address and set a DNS server
fake_dns6d – Fake DNS server that serves the same ipv6 address to any lookup request
fake_dns6d v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: fake_dns6d interface ipv6-address [fake-ipv6-address [fake-mac]]
Fake DNS server that serves the same ipv6 address to any lookup request
You can use this together with parasite6 if clients have a fixed DNS server
Note: very simple server. Does not honor multiple queries in a packet, nor NS, MX, etc. lookups.
fake_dnsupdate6 – Fake DNS updater
fake_dnsupdate6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: fake_dnsupdate6 dns-server full-qualified-host-dns-name ipv6address
Example: fake_dnsupdate6 dns.test.com myhost.sub.test.com ::1
fake_mipv6 – Will redirect all packets for home-address to care-of-address
fake_mipv6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: fake_mipv6 interface home-address home-agent-address care-of-address
If the mobile IPv6 home-agent is mis-configured to accept MIPV6 updates without
IPSEC, this will redirect all packets for home-address to care-of-address
fake_mld26
fake_mld26 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: fake_mld26 [-l] interface add|delete|query [multicast-address [target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]]
This uses the MLDv2 protocol. Only a subset of what the protocol is able to
do is possible to implement via a command line. Code it if you need something.
Ad(d)vertise or delete yourself – or anyone you want – in a multicast group of your choice
Query ask on the network who is listening to multicast addresses
Use -l to loop and send (in 5s intervals) until Control-C is pressed.
fake_mld6 – Ad(d)vertise or delete yourself – or anyone you want
[email protected]:~# fake_mld6
fake_mld6 v2.3 (c) 2013 by van Hauser / THC <[email protected]> www.thc.org
Syntax: fake_mld6 [-l] interface add|delete|query [multicast-address [target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]]
Ad(d)vertise or delete yourself – or anyone you want – in a multicast group of your choice
Query ask on the network who is listening to multicast addresses
Use -l to loop and send (in 5s intervals) until Control-C is