THC-IPV6

 Last update 2015-04-19
 Current public version: v2.7


 For german speaking people: In the german C't magazine 11/13 and the iX IPv6 Kompakt (4/13)
 are articles on how to use the thc-ipv6 toolkit to comprehensively test IPv6 firewalls.
 
 Next Trainings:
    Hack in the Box 2015, Amsterdam, 26-27 May 2015, "Professional Pentesting IPv6 Networks" (now bookable)
    GSEC 2015, Singapore, 12-13 October 2015, "Professional Pentesting IPv6 Networks" (now bookable)
 


 A complete tool set to attack the inherent protocol weaknesses of IPV6
 and ICMP6, and includes an easy to use packet factory library.


 [0x00] News and Changelog
 
        Please note that public versions do not include all tools available!
        Only those who send in comprehensive patches and new tools for thc-ipv6 get the private
        versions which are released more often, include unreleased tools and more!

	If you want to participate, here is a list of tools that would be interesting:
	  * Enhancing the library so it works on FreeBSD and OSX too
	  * Create a tool which tests an ipv6 address if it is an endpoint for various tunnel protocols
	  * Adding more exploit tests to exploit6 (I can supply a long list of exploit files)
	  * Add a dhcp6 client fuzzer
	If you want to work on a topic on the list, email me, so not multiple people are working on the same tool.
	Contact: vh(at)thc(dot)org and put "antispam" in the subject line.


	CHANGELOG:
	##########

        v2.7 - PUBLIC (31C3)
        * All flood_* tools:
          - changed destination so that targets can be remote.
            Yes this should not work, but sometimes it does :-)
        * New tool: fuzz_dhcpc6 - DHCPv6 client fuzzer, submitted by Darrell Ambro, thanks a lot!
        * Added new script: six2four.sh - send an IPv6 packet via a 6to4 gateway
        * Added new script: grep6.pl - extracts an IPv6 in all possible notations from a file (from Eric Vyncke)
        * alive6:
          - setting -C twice increases the common address search space significantly
          - fixed from-to definition implementation
          - added "-y step" option, to define the step range when performing from-to
            scans (e.g. 2001:1::0-ff), default step range is of course 1, max is 256
          - selects the source IPv6 address for every new target now; waiting, if no
            fitting IPv6 address is present on the interface until one is
          - if you use -s for alive scanning, the new "one packet fingerprinting" functionality
            is automatically used, courtesy of warlord @ nologin from his poison tool
          - error message if a packet can not be send for >50ms, and waiting for 60 seconds
          - cleaned up help output and add -hh more help/options output
        * thcsyn6:
          - added -m dstmac option (good for DOSing local, esp. hot standby addresses)
          - added -d dst hdr option
          - documented -a hbh-ra option
        * denial6:
          - added five more test cases with HBH-RA and AH headers
        * flood_router26
          - added -a hopbyhop with router alert option
          - changed a default so the attacks do not show up in Snort IDS
        * flood_redir6
          - added -a hopbyhop with router alert option
        * flood_solicitate6
          - added query address parameter option
          - added -a hopbyhop with router alert option
        * fuzz_ip6:
          - fixes for HBH and DST EH fuzzing
        * thcping6:
          - added -x flood option
          - added -e ethertype option
          - added -V IP version option
          - added -L payload length option
          - added -N next header option
          - now prints fragID of fragmented replies
        * implementation6:
          - a few more test cases and fixes
        * dump_dhcp6
          - more option decoding, better solicitate packet
          - added sending information request packet
        * four2six:
          - support for source port and ping ID (required for AFTR)
        * trace6:
          - support for MTU sizes > 2500 added
        * implementation6
          - fixed to test cases where the wrong fragment nxt header was set (thanks to Gabriel Bertram for reporting)
        * inverse_lookup6
          - fixed to display only the IPv6 addresses (and not interpret other data as such)
        * thc-ipv6-lib
          - global addresses are now prefered over unique local if no destination is set
          - fixed a bug in IPv4 CRC calculation function
        * cppcheck and Coverity issues checked and fixed
        * added spelling fixes by Debian maintainers


 [0x01] Introduction
 	Welcome to the mini website of the THC IPV6 project.

	This code was inspired when I got into touch with IPv6, learned more and
	more about it - and then found no tools to play (read: "hack") around with.
	First I tried to implement things with libnet, but then found out that
	the ipv6 implementation is only partial - and sucks. I tried to add the
	missing code, but well, it was not so easy, hence I saved my time and
	quickly wrote my own library. (That was 2005 though, today libnet and
	other packet creation libraries have full IPv6 support.)


 [0x02] Disclaimer

	1. This tool is for legal purposes only!
	2. The AGPLv3 applies to this code.


 [0x03] Some Of The Included Tools
	- parasite6: icmp neighbor solitication/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
	- alive6: an effective alive scanng, which will detect all systems listening to this address
	- dnsdict6: parallized dns ipv6 dictionary bruteforcer
	- fake_router6: announce yourself as a router on the network, with the highest priority
	- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
	- toobig6: mtu decreaser with the same intelligence as redir6
	- detect-new-ip6: detect new ip6 devices which join the network, you can run a script to automatically scan these systems etc.
	- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
	- trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
	- flood_router6: flood a target with random router advertisements
	- flood_advertise6: flood a target with random neighbor advertisements
	- exploit6: known ipv6 vulnerabilities to test against a target
	- denial6: a collection of denial-of-service tests againsts a target
	- fuzz_ip6: fuzzer for ipv6
	- implementation6: performs various implementation checks on ipv6
	- implementation6d: listen daemon for implementation6 to check behind a fw
	- fake_mld6: announce yourself in a multicast group of your choice on the net
	- fake_mld26: same but for MLDv2
	- fake_mldrouter6: fake MLD router messages
	- fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
	- fake_advertiser6: announce yourself on the network
	- smurf6: local smurfer
	- rsmurf6: remote smurfer, known to work only against linux at the moment
	- sendpees6: a tool by willdamn(ad)gmail.com, which generates a neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.
        - thcping6: sends a hand crafted ping6 packet
        [and about 30 more tools for you to discover!]


 [0x04] Installation 
 
	THC-IPV6 requires libpcap development files being installed, also the 
	libopenssl development files are a good idea.
	For Debian/Ubunut, you can install them by:
	  $ sudo apt-get install libpcap-dev libssl-dev

        To compile simply type
          $ make
          
        All tools are installed to /usr/local/bin if you type
          $ sudo make install


 [0x05] Documentation 
 
	THC-IPV6 comes with a rather long README file that describes the
	details about the usage and library interface.


 [0x06] Development & Contributions

	Your contributions are more than welcomed!
	
	If you find bugs, coded enhancements or wrote a new attack tool
	please send them to vh (at) thc (dot) org - and add the word "antispam"
	to the subject line.


 [0x07] The Art of Downloading: Source and Binaries
 

	The source code of THC-IPV6: thc-ipv6-2.7.tar.gz
	(Note: Linux only)


 Comments and suggestions are welcome.

 Yours sincerly,

 van Hauser
 The Hackers Choice
 http://www.thc.org