Provided by: ipv6toolkit_2.0-1_amd64 
NAME
frag6 - A security assessment tool for IPv6 fragmentation
SYNOPSIS
frag6 [-i INTERFACE] -d DST_ADDR [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR] [-s SRC_ADDR[/LEN]]
[-A HOP_LIMIT] [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-P
FRAG_SIZE] [-O FRAG_TYPE] [-o FRAG_OFFSET] [-I FRAG_ID] [-T] [-n] [-p | -W | -X | -F
N_FRAGS] [-l] [-z SECONDS] [-v] [-h]
DESCRIPTION
frag6 is a security assessment tool for attack vectors based on IPv6 fragments. It is part
of the SI6 Networks' IPv6 Toolkit: a security assessment and trouble-shooting suite for
the IPv6 protocols.
OPTIONS
frag6 takes it parameters as command-line options. Each of the options can be specified
with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
a long name (a string preceded with two hyphen characters, as e.g. "--interface").
-i INTERFACE, --interface INTERFACE
This option specifies the network interface that the tool will use. If the
destination address ("-d" option) is a link-local address, the interface must be
explicitly specified. The interface may also be specified along with a destination
address, with the "-d" option.
-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
This option specifies the link-layer Source Address of the probe packets. If left
unspecified, the link-layer Source Address of the packets is set to the real
link-layer address of the network interface.
-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
This option specifies the link-layer Destination Address of the probe packets. By
default, the link-layer Destination Address is automatically set to the link-layer
address of the destination host (for on-link destinations) or to the link-layer
address of the first-hop router.
-s SRC_ADDR, --src-address SRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used for the
Source Address of the outgoing packets. If an IPv6 prefix is specified, the IPv6
Source Address of the outgoing packets will be randomized from that prefix.
-d DST_ADDR, --dst-address DST_ADDR
This option specifies the IPv6 Destination Address of the target node. This option
cannot be left unspecified.
-A HOP_LIMIT, --hop-limit HOP_LIMIT
This option specifies the Hop Limit to be used for the IPv6 packets. By default,
the Hop Limit is randomized.
-u HDR_SIZE, --dst-opt-hdr HDR_SIZE
This option specifies that a Destination Options header is to be included in the
outgoing packet(s). The extension header size must be specified as an argument to
this option (the header is filled with padding options). Multiple Destination
Options headers may be specified by means of multiple "-u" options.
-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
This option specifies a Destination Options header to be included in the
"unfragmentable part" of the outgoing packet(s). The header size must be specified
as an argument to this option (the header is filled with padding options). Multiple
Destination Options headers may be specified by means of multiple "-U" options.
-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the
outgoing packet(s). The header size must be specified as an argument to this option
(the header is filled with padding options). Multiple Hop-by-Hop Options headers
may be specified by means of multiple "-H" options.
-P FRAG_SIZE, --frag-size FRAG_SIZE
This option specifies the IPv6 fragment payload size.
-O FRAG_TYPE, --frag-type FRAG_TYPE
This option specifies the fragment "type". Possible types are "first", "middle",
"last", and "atomic". If the selected fragment type is "first", the Fragment Offset
is automatically set to 0, and the "M" ("More fragments") bit is set to 1. If the
selected fragment type is "middle", the Fragment Offset is set to a non-zero value,
and the "M" bit is set to 1. If the selected fragment type is "last", the Fragment
Offset is set to a non-zero value, and the "M" bit is set to 0. Finally, if the
selected fragment type is "atomic", the Fragment Offset is set to 0, and the "M"
bit is set to 0.
-o FRAG_OFFSET, --frag-offset FRAG_OFFSET
This option specifies the Fragment Offset. The Fragment Offset specified by means
of this option overrides the value implicitly specified by means of the "-O"
option.
-I FRAG_ID, --frag-id FRAG_ID
This option specifies the fragment "Identification" value. If left unspecified, the
"Identification" value is randomized.
-T, --no-timestamp
When assessing the fragment reassembly policy of a target, the fragment payload
includes a timestamp value that is used to measure the fragment reassembly timeout.
If this option is set, such timestamp will not be included in the payload (and the
tool will not be able to measure the fragment reassembly timeout).
-n, --no-responses
This option instructs the frag6 tool not to display the responses to the fragments
sent. This option is useful when performing a fragmentation-flooding attack, as
multiple response packets (ICMPv6 errors) might be received.
-p, --frag-reass-policy
This option instructs the tool to determine the IPv6 fragment reassembly policy of
the target. In order to determine the aforementioned policy, the tool performs a
number of tests to determine how the target node processes overlapping fragments.
The following figures illustrate the sequence of packets that correspond to each of
the tests.
Test #1
Frag. #1: AAAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Test #2
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Test #3
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Test #4
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCCCCCCCCCCCCCCCCC
Test #5
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Frag. #4: DDDDDDDD
For each of the aforementioned tests, the tool reports which
copy of the data is used by the target host. If there is no
response from the host, the tool informs whether the host
silently dropped the fragments, or sent an ICMPv6 Time
Exceeded error message.
-W, --frag-id-policy
This option instructs the tool to determine the fragment "Identification"
generation policy. The tool sends a number of probe packets to the target node, and
samples the "Identification" values of the corresponding response packets. Based on
the sampled values, it tries to infer the fragment Identification generation policy
of the target.
The tool will first send a number of fragments from single IPv6 address, such that
the per-destination policy is determined. The tool will then send a number of
fragments from random IPv6 addresses (from the same prefix as the first fragments)
such that the "global" fragment Identification generation policy can be inferred.
The tool computes the expected value and the standard deviation of the difference
between consecutive-sampled Identification values (IDn – IDn-1), with the intent of
inferring the fragment Identification algorithm at the target node.
For small values of the standard deviation, the fragment Identification is assumed
to be a monotonically-increasing function with increments of the "expected value".
For large values of the standard deviation, the fragment Identification is assumed
to be randomized, and the expected value and standard deviation are informed to the
user, as indicators of the "quality" of the fragment Identification generation
algorithm.
-X, --pod-attack
This option instructs the tool to perform a "Ping of Death" attack against the
specified target.
-F FRAG_NUMBER, --flood-frags FRAG_NUMBER
This option instructs the tool to send the specified number of fragments back-to-
back to the target node. This option is likely to be used in conjunction with the
"-l" option, such that the process is repeated in a loop.
-l, --loop
This option instructs the frag6 tool to periodically send IPv6 fragments to the
target node. The amount of time to pause between sending a batch of fragments can
be specified by means of the "-z" option, and defaults to 1 second.
-z SECONDS, --sleep SECONDS
This option specifies the amount of time that the tool should pause between sending
btaches of IPv6 fragments (when the "--loop" option is set). If left unspecified,
it defaults to 1 second.
-v, --verbose
This option instructs the frag6 tool to be verbose. If this option is set twice
and the -W option was set, the tool outputs the sampled Fragment Identification
values (in addition to other information).
-h, --help
Print help information for the frag6 tool.
EXAMPLES
The following sections illustrate typical use cases of the frag6 tool.
Example #1
# frag6 --frag-id-policy -d fc00:1::1 -v
Assess the fragment Identification generation policy of the host "fc00:1::1". Be verbose.
Example #2
# frag6 --frag-reass-policy -d fc00:1::1 -v
Assess the fragment reassembly policy of the host "fc00:1::1". Be verbose.
Example #3
# frag6 --frag-type atomic -d fc00:1::1 -v
Send an IPv6 atomic fragment to the host "fc00:1::1". Be verbose.
Example #4
# frag6 -s ::/0 --flood-frags 100 -l -z 5 -d fc00:1::1 -v
Send 100 fragments (every 5 seconds) to the host fc00:1::1, using a forged IPv6 Source
Address from the prefix ::/0. The aforementioned fragments should have an offset of 0, and
the M bit set (i.e., be first-fragments). Be verbose.
AUTHOR
The frag6 tool and the corresponding manual pages were produced by Fernando Gont
<fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.
COPYRIGHT
Copyright (c) 2011-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.3 or any later version published by the Free
Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.
FRAG6(1)