Provided by: ipv6toolkit_2.0-1_amd64 
NAME
icmp6 - A security assessment tool for attack vectors based on ICMPv6 packets
SYNOPSIS
icmp6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-S LINK_SRC_ADDR] [-D LINK-DST-
ADDR] [-c HOP_LIMIT] [-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H
HBH_OPT_HDR_SIZE] [-t TYPE[:CODE] | -e CODE | -A CODE -V CODE -R CODE] [-r TARGET_ADDR]
[-x PEER_ADDR] [-c HOP_LIMIT] [-m MTU] [-O POINTER] [-p PAYLOAD_TYPE] [-P PAYLOAD_SIZE]
[-n] [-a SRC_PORTL[:SRC_PORTH]] [-o DST_PORTL[:DST_PORTH]] [-X TCP_FLAGS] [-q TCP_SEQ] [-Q
TCP_ACK] [-V TCP_URP] [-w TCP_WIN] [-M] [-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J LINK_ADDR]
[-K LINK_ADDR] [-b PREFIX[/LEN]] [-g PREFIX[/LEN]] [-B LINK_ADDR] [-G LINK_ADDR] [-f] [-L
| -l] [-z] [-v] [-h]
DESCRIPTION
icmp6 allows the assessment of IPv6 implementations with respect to a variety of attack
vectors based on ICMPv6 error messages. It is part of the SI6 Networks' IPv6 Toolkit: a
security assessment suite for the IPv6 Protocols.
This tool has two modes of operation: "active" and "listening". In active mode, the tool
attacks a specific target without listening to any incoming traffic, while in "listening"
mode the tool listens to traffic on the local network, and launches an attack in response
to such traffic. Active mode is employed if an IPv6 Destination Address is specified.
"Listening" mode is employed if the "-L" option (or its long counterpart "--listen") is
set. If both an attack target and the "-L" option are specified, the attack is launched
against the specified target, and then the tool enters "listening" mode to respond
incoming packets with ICMPv6 error messages.
The tool supports filtering of incoming packets based on the Ethernet Source Address, the
Ethernet Destination Address, the IPv6 Source Address, and the IPv6 Destination Address.
There are two types of filters: "block filters" and "accept filters". If any "block
filter" is specified, and the incoming packet matches any of those filters, the message is
discarded (and thus no ICMPv6 error messages are sent in response). If any "accept filter"
is specified, incoming packets must match the specified filters in order for the tool to
respond with ICMPv6 error messages.
OPTIONS
icmp6 takes its parameters as command-line options. Each of the options can be specified
with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
a long name (a string preceded with two hyphen characters, as e.g. "--interface").
The icmp6 tool supports IPv6 fragmentation, which might be of use to circumvent layer-2
filtering and/or Network Intrusion Detection Systems (NIDS). However, IPv6 fragmentation
is not enabled by default, and must be explicitly enabled with the "-y" option.
-i INTERFACE, --interface INTERFACE
This option specifies the network interface that the tool will use. If the
destination address ("-d" option) is a link-local address, or the "listening"
("-L") mode is selected, the interface must be explicitly specified. The interface
may also be specified along with a destination address, with the "-d" option.
-s SRC_ADDR, --src-address SRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used for the
Source Address of the attack packets. If a prefix is specified, the Source Address
is randomly selected from that prefix. If this option is left unspecified, the IPv6
Source Address of the attack packets is randomly selected from the prefix ::/0.
-d DST_ADDR, --dst-address DST_ADDR
This option specifies the IPv6 Destination Address of the victim. It can be left
unspecified only if the "-L" option is selected (that is, if the tool is to operate
in "listening" mode).
When operating in "listening" mode ("-L" option), the IPv6 Destination Address is
selected according to the IPv6 Source Address of the incoming packet.
-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
This option specifies the link-layer Source Address of the attack packets. If left
unspecified, the link-layer Source Address is randomized.
-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
This option specifies the link-layer Destination Address of the attack packets. If
left unspecified, it is set to that of the local router (for non-local
destinations) or to that corresponding to the destination host (for local hosts).
When operating in "listening" mode, the link-layer Destination Address is set to
the link-layer Source Address of the incoming packet.
-c HOP_LIMIT, --hop-limit HOP_LIMIT
This option specifies the Hop Limit to be used for the Redirect messages. If this
option is left unspecified, the Hop Limit is randomized to a value between 64 and
243.
-y SIZE, --frag-hdr SIZE
This option specifies that the ICMPv6 error messages must be fragmented. The
fragment size must be specified as an argument to this option.
-u HDR_SIZE, --dst-opt-hdr HDR_SIZE
This option specifies that a Destination Options header is to be included in the
outgoing packet(s). The extension header size must be specified as an argument to
this option (the header is filled with padding options). Multiple Destination
Options headers may be specified by means of multiple "-u" options.
-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
This option specifies a Destination Options header to be included in the
"unfragmentable part" of the outgoing packet(s). The header size must be specified
as an argument to this option (the header is filled with padding options). Multiple
Destination Options headers may be specified by means of multiple "-U" options.
-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the
outgoing packet(s). The header size must be specified as an argument to this option
(the header is filled with padding options). Multiple Hop-by-Hop Options headers
may be specified by means of multiple "-H" options.
-t TYPE, --icmp6 TYPE
This option specifies the Type and Code of the ICMPv6 error message in the form
"--icmp6 TYPE:CODE". If left unspecified, the ICMPv6 error message defaults to
"Parameter Problem, Erroneous header field encountered" (Type 4, Code 0).
Note: Other options (such as "--icmp6-unreachable") provide an alternative for
setting the ICMPv6 Type and Code.
-e, --icmp6-dest-unreach
This option sets the ICMPv6 Type to "1" (Destination Unreachable), and allows the
user to specify the ICMPv6 Code, in the form "--icmp6-dest-unreach CODE".
Note: this option is an alternative to the "-t" option for setting the ICMPv6 Type
and Code.
-E, --icmp6-packet-too-big
This option sets the ICMPv6 Type to "1", and the ICMPv6 Code to "0" (Packet Too
Big).
Note: this option is an alternative to the "-t" option for setting the ICMPv6 Type
and Code.
-A, --icmp6-time-exceeded
This option sets the ICMPv6 Type to "3" (Time Exceeded), and allows the user to
specify the ICMPv6 Code, in the form "--icmp6-time-exceeded CODE".
Note: this option is an alternative to the "-t" option for setting the ICMPv6 Type
and Code.
-R, --icmp6-param-problem
This option sets the ICMPv6 Type to "4" (Parameter Problem), and allows the user to
specify the ICMPv6 Code, in the form "--icmp6-param-problem CODE".
Note: this option is an alternative to the "-t" option for setting the ICMPv6 Type
and Code.
-m MTU, --mtu MTU
This specifies the value of the "MTU" field of ICMPv6 Packet Too Big error
messages.
-O POINTER, --pointer POINTER
This option specifies the value of the "Pointer" field of ICMPv6 Parameter Problem
error messages.
-p TYPE, --payload-type TYPE
This option specifies the payload type to be included in the ICMPv6 Payload.
Currently supported payloads are "TCP", "UDP", and "ICMP6". The payload-type
defaults to "TCP".
When the tool operates in "Listening" mode, this option specifies the type of
packets the tool will listen to. In listening mode, an additional type can be
specified: "IP6"; this will cause the tool to listen to all IPv6 traffic.
-P SIZE, --payload-size SIZE
Size of the payload to be included in the ICMPv6 Payload (with the payload type
being specified by the "-p" option). By default, as many bytes as possible are
included, without exceeding the minimum IPv6 MTU (1280 bytes).
-n, --no-payload
This option specifies that no payload should be included within the ICMPv6 error
message.
-C HOP_LIMIT, --ipv6-hlim HOP_LIMIT
This option specifies the Hop Limit of the IPv6 packet included in the payload of
the ICMPv6 error message. If this option is left unspecified, the Hop Limit is
randomized to a value between 64 and 243.
-r ADDRESS, --target-addr ADDRESS
This option specifies the Source Address of the IPv6 packet that is embedded in the
ICMPv6 error message. If left unspecified, it is set to the same address as the
IPv6 Destination Address of the outer packet.
When operating in "Listening mode", the tool automatically embeds a piece of the
received packet (unless otherwise specified by the "-n" option), and hence the IPv6
Source Address of the embedded IPv6 packet is set accordingly.
-x ADDRESS, --peer-addr ADDRESS
This option specifies the Destination Address of the IPv6 packet that is embedded
in the ICMPv6 error message. If left unspecified, it is set to a random value.
When operating in "Listening mode", the tool automatically embeds a piece of the
received packet (unless otherwise specified by the "-n" option), and hence the IPv6
Destination Address of the embedded IPv6 packet is set accordingly.
Note: since the victim host is expected to check that the ICMPv6 error message
corresponds to an ongoing communication instance, when operating in "active mode",
this option should be set to a value that corresponds to an ongoing communication
instance.
-o PORT, --target-port PORT
This option specifies the Source Port of the TCP or UDP packet contained in the
ICMPv6 Payload. If a port range is specified in the form "-o LOWPORT:HIGHPORT" the
tool will send one ICMPv6 error message for each port in that range.
Note: This option is meaningful only if "TCP" or "UDP" have been specified (with
the "-p" option).
-a PORT, --peer-port PORT
This option specifies the Destination Port of the TCP or UDP packet contained in
the ICMPv6 Payload. If a port range is specified in the form "-o LOWPORT:HIGHPORT"
the tool will send one ICMPv6 error message for each port in that range.
Note: This option is meaningful only if "TCP" or "UDP" have been specified (with
the "-p" option).
-X TCP_FLAGS, --tcp-flags TCP_FLAGS
This option specifies the flags of the TCP header contained in the ICMPv6 Payload.
The flags are specified as "F" (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK),
"U" (URG), "X" (no flags). If left unspecified, only the "ACK" bit is set.
Note: This option is meaningful only if "TCP" has been specified (with the "-p"
option).
-q SEQ_NUMBER, --tcp-seq SEQ_NUMBER
This option specifies the Sequence Number of the TCP header contained in the ICMPv6
Payload. If left unspecified, the Sequence Number is randomized.
Note: This option is meaningful only if "TCP" has been specified (with the "-p"
option).
-Q ACK_NUMBER, --tcp-ack ACK_NUMBER
This option specifies the Acknowledgment Number of the TCP header contained in the
ICMPv6 Payload. If left unspecified, the Acknowledgment Number is randomized.
Note: This option is meaningful only if "TCP" has been specified (with the "-p"
option).
-V URG_POINTER, --tcp-urg URG_POINTER
This option specifies the Urgent Pointer of the TCP header contained in the ICMPv6
Payload. If left unspecified, the Urgent Pointer is set to 0.
Note: This option is meaningful only if "TCP" has been specified (with the "-p"
option).
-w TCP_WIN, --tcp-win TCP_WIN
This option specifies the Window of the TCP header contained in the ICMPv6 Payload.
If left unspecified, the Window is randomized.
Note: This option is meaningful only if "TCP" has been specified (with the "-p"
option).
-j SRC_ADDR, --block-src SRC_ADDR
This option sets a block filter for the incoming packets, based on their IPv6
Source Address. It allows the specification of an IPv6 prefix in the form "-j
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).
-k DST_ADDR, --block-dst DST_ADDR
This option sets a block filter for the incoming Neighbor Solicitation messages,
based on their IPv6 Destination Address. It allows the specification of an IPv6
prefix in the form "-k prefix/prefixlen". If the prefix length is not specified, a
prefix length of "/128" is selected (i.e., the option assumes that a single IPv6
address, rather than an IPv6 prefix, has been specified).
-J SRC_ADDR, --block-link-src SRC_ADDR
This option sets a block filter for the incoming packets, based on their link-layer
Source Address. The option must be followed by a link-layer address (currently,
only Ethernet is supported).
-K DST_ADDR, --block-link-dst DST_ADDR
This option sets a block filter for the incoming packets, based on their link-layer
Destination Address. The option must be followed by a link-layer address
(currently, only Ethernet is supported).
-b SRC_ADDR, --accept-src SRC_ADDR
This option sets an accept filter for the incoming packets, based on their IPv6
Source Address. It allows the specification of an IPv6 prefix in the form "-b
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).
-g DST_ADDR, --accept-dst DST_ADDR
This option sets a accept filter for the incoming packets, based on their IPv6
Destination Address. It allows the specification of an IPv6 prefix in the form "-g
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).
-B SRC_ADDR, --accept-link-src SRC_ADDR
This option sets an accept filter for the incoming Neighbor Solicitation messages,
based on their link-layer Source Address. The option must be followed by a
link-layer address (currently, only Ethernet is supported).
-G DST_ADDR, --accept-link-dst DST_ADDR
This option sets an accept filter for the incoming packets, based on their
link-layer Destination Address. The option must be followed by a link-layer address
(currently, only Ethernet is supported).
-f, --sanity-filters
This option automatically adds a "block filter" for the IPv6 Source Address of the
packets.
Note: This option may be desirable when the tool operates in "Listening mode" and
is instructed to listen to "ICMP6" or "IP6" packets (thus possibly avoiding packet
loops).
-l, --loop
This option instructs the icmp6 tool to send periodic ICMPv6 error messages to the
victim node. The amount of time to pause between sending ICMPv6 error messages can
be specified by means of the "-z" option, and defaults to 1 second. Note that this
option cannot be set in conjunction with the "-L" ("--listen") option.
-z, --sleep
This option specifies the amount of time to pause between sending ICMPv6 error
messages (when the "--loop" option is set). If left unspecified, it defaults to 1
second.
-L, --listen
This instructs the icmp6 tool to operate in "Listening" mode (possibly after
attacking a given node). Note that this option cannot be used in conjunction with
the "-l" ("--loop") option.
-v, --verbose
This option instructs the icmp6 tool to be verbose. When the option is set twice,
the tool is "very verbose", and the tool also informs which packets have been
accepted or discarded as a result of applying the specified filters.
-h, --help
Print help information for the icmp6 tool.
EXAMPLES
The following sections illustrate typical use cases of the icmp6 tool.
Example #1
# icmp6 -i eth0 -L -p TCP -v
The tool employs the network interface "eth0", and operates in "Listening" mode ("-L"
option). Each ICMPv6 error message will contain the ICMPv6 Payload as many bytes from the
captured packet without exceeding the minimum IPv6 MTU (1280 bytes). The tool will print
detailed information about the attack ("-v" option).
Example #2
# icmp6 --icmp6-packet-too-big -p ICMP6 -d 2001:db8:10::1 --peer-addr 2001:db8:11::2 -m
1240 -v
The tool will send an ICMPv6 Packet Too Big error message that advertises an MTU of 1240
bytes. The ICMPv6 error message will be sent to the address " "2001:db8:10::1". The ICMPv6
error message will embed an ICMPv6 Echo Request message with the Source Address set to
"2001:db8:10::1" (i.e., Destination Address of the error message), and the Destination
Address set to "2001:db8:11::2) ("--peer-addr" option). The value of the "Identifier" and
"Sequence Number" fields of the embedded ICMPv6 Echo Request message will be randomized.
The tool will provide detailed information about the attack ("-v" option).
SEE ALSO
RFC 5927 (available at <http://www.rfc-editor.org/rfc/rfc5927.txt>) and "Security
Assessment of the Transmission Control Protocol (TCP)" (available at
<http://www.si6networks.com/publications/tn-03-09-security-assessment-TCP.pdf>) for a
discussion of ICMPv6 attacks against TCP.
AUTHOR
The icmp6 tool and the corresponding manual pages were produced by Fernando Gont
<fgont@si6networks.com> for SI6 Networks.
COPYRIGHT
Copyright (c) 2011-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.3 or any later version published by the Free
Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.
ICMP6(1)