THC-IPV6

 Last update 2014-03-19
 Current public version: v2.5


 For German-speaking people: the German C't magazine 11/13 and the iX IPv6 Kompakt (4/13)
 contain articles on how to use the thc-ipv6 toolkit to comprehensively test IPv6 firewalls.
 
 Next Trainings:
    Hack in the Box AMS 2014, Amsterdam, 27-28 May 2014, "Pentesting & Securing IPv6 Networks" (bookable now)
    CanSecWest 2015, Vancouver, 16-17 March 2015, "Pentesting & Securing IPv6 Networks" (far away in the future :-) )
 


 A complete tool set for attacking the inherent protocol weaknesses of IPv6
 and ICMP6; it also includes an easy-to-use packet factory library.


 [0x00] News and Changelog
 
        Please note that public versions do not include all tools available!
        Only those who send in comprehensive patches and new tools for thc-ipv6 get the private
        versions, which are released more often and include unreleased tools and more!

	If you want to participate, here is a list of tools that would be interesting:
	  * Enhancing the library so it works on FreeBSD and OSX too
	  * Creating a tool which tests whether an IPv6 address is an endpoint for various tunnel protocols
	  * Adding more exploit tests to exploit6 (I can supply a long list of exploit files)
	  * Adding a dhcp6 client fuzzer
	If you want to work on a topic on the list, email me so that multiple people do not end up working on the same tool.
	Contact: vh(at)thc(dot)org and put "antispam" in the subject line.


	CHANGELOG:
	##########

        v2.5 - PUBLIC
         * Moved the license from GPLv3 to AGPLv3 (see LICENSE file)
         * Support for big endian processors added
         * Added new tool: flood_dhcps6 - DHCPv6 server fuzzer. Submitted by Brandon
           Hutcheson and Graeme Neilson - great job, thanks!
         * Added new tool: flood_redir6 - flooding with ICMPv6 redirects
         * Added new tool: flood_rs6 - flooding with ICMPv6 Router Solicitations
         * Added new tool: four2six - send an IPv4 packet via a 4to6 gateway
         * Added new tool: dump_dhcp6 - show all DHCP6 servers and their config
         * Added new script: six2four.sh - send an IPv6 packet via a 6to4 gateway
         * All flooding tools:
           - now support a specific target instead of all local nodes
           - now print a dot for every 1000 packets sent (before: 100)
         * alive6:
           - renamed option -D to -C (common address scan), -D still works too
           - added -4 IPv6address/range option
           - added -H option to print the hop count value of received packets
           - added -L option to only report local alive systems
           - added -P option to only print the addresses that would be scanned, without scanning them
           - added -R option to not consider TCP-RST packets as alive signals
           - NDP alives now also get their MAC addresses printed
           - reworked help output, simple help screen with no option, full help with -h parameter
           - clarified that ranges (from-to) should not be used together with -D -M or -4
           - fixed: the -W option waited microseconds instead of milliseconds
         * flood_router26
           - added -S slow start option which makes the flooding a bit more effective
           - added -G gigantic packet option (64kb, fragmented)
           - increased number of route/prefix entries in normal (non -G option) packets
           - rewrote the help screen
         * thcsyn6:
           - changed to also allow syn flooding on link local
         * parasite6:
           - added ROUTER flag to all packets to prevent being removed from the routing list
         * trace6:
           - added -u UDP switch
           - fixed bug that showed targets sometimes too far away
           - fixed -E option
           - fixed millisecond printing
         * thcping6:
           - added -n count switch
           - added -T icmptype and -C icmpcode options
           - rewrote help output, added -h extra output, minimal otherwise
         * dnsdict6:
           - enhanced and updated the dictionaries
           - added an additional "u"ber large dictionary with the -u option
         * fragmentation6:
           - added multi-level-fragment tests
           - no screen flooding in flooding mode anymore
         * fake_solicitate6
           - src address is now by default the own link-local address unless specified otherwise
         * firewall6:
           - added -H option to show hop count of pkts received
         * randicmp6:
           - added -p option which will not print replies and not wait (good for flooding tests)
         * thc-ipv6-lib:
           - added thc_add_ipv4_rudimentary function needed for the new four2six tool;
             so far only ICMPv4 ping and UDP are supported.
           - renamed thc_create_ipv6 to thc_create_ipv6_extended, and added a simpler
             thc_create_ipv6 function
           - 802.1Q VLAN IDs can now have the proper range of up to 4095
           - injection sniffing - some tcpdump versions seem unable to sniff on "ether proto"
         * massive error checking added and compiler warnings eliminated
         * Incorporated Debian maintainer patches: man page additions and spelling fixes


 [0x01] Introduction
 	Welcome to the mini website of the THC IPV6 project.

	This code was inspired when I got in touch with IPv6, learned more and
	more about it - and then found no tools to play (read: "hack") around with.
	First I tried to implement things with libnet, but then found out that
	the ipv6 implementation is only partial - and sucks. I tried to add the
	missing code, but well, it was not so easy, hence I saved my time and
	quickly wrote my own library. (That was 2005 though, today libnet and
	other packet creation libraries have full IPv6 support.)


 [0x02] Disclaimer

	1. This tool is for legal purposes only!
	2. The AGPLv3 applies to this code.


 [0x03] Some Of The Included Tools
	- parasite6: icmp neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
	- alive6: an effective alive scanner, which detects all systems listening on this address
	- dnsdict6: parallelized dns ipv6 dictionary bruteforcer
	- fake_router6: announce yourself as a router on the network, with the highest priority
	- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
	- toobig6: mtu decreaser with the same intelligence as redir6
	- detect-new-ip6: detect new ip6 devices which join the network; you can run a script to automatically scan these systems etc.
	- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
	- trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
	- flood_router6: flood a target with random router advertisements
	- flood_advertise6: flood a target with random neighbor advertisements
	- exploit6: known ipv6 vulnerabilities to test against a target
	- denial6: a collection of denial-of-service tests against a target
	- fuzz_ip6: fuzzer for ipv6
	- implementation6: performs various implementation checks on ipv6
	- implementation6d: listen daemon for implementation6 to check behind a fw
	- fake_mld6: announce yourself in a multicast group of your choice on the net
	- fake_mld26: same but for MLDv2
	- fake_mldrouter6: fake MLD router messages
	- fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
	- fake_advertiser6: announce yourself on the network
	- smurf6: local smurfer
	- rsmurf6: remote smurfer, known to work only against linux at the moment
	- sendpees6: a tool by willdamn(ad)gmail.com, which generates neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.
	- thcping6: sends a hand crafted ping6 packet
	[and about 30 more tools for you to discover!]


 [0x04] Installation 
 
	THC-IPV6 requires the libpcap development files to be installed; the
	OpenSSL development files are also a good idea.
	On Debian/Ubuntu, you can install them with:
	  $ sudo apt-get install libpcap-dev libssl-dev

	To compile, simply type
	  $ make

	All tools are installed to /usr/local/bin if you type
	  $ sudo make install


 [0x05] Documentation 
 
	THC-IPV6 comes with a rather long README file that describes the
	details about the usage and library interface.


 [0x06] Development & Contributions

	Your contributions are more than welcome!

	If you find bugs, code enhancements or write a new attack tool,
	please send them to vh (at) thc (dot) org - and add the word "antispam"
	to the subject line.


 [0x07] The Art of Downloading: Source and Binaries
 

	The source code of THC-IPV6: thc-ipv6-2.5.tar.gz
	(Note: Linux only)


 Comments and suggestions are welcome.

 Yours sincerely,

 van Hauser
 The Hackers Choice
 http://www.thc.org