Provided by: ipv6toolkit_2.0-1_amd64 bug

NAME

       tcp6 - A security assessment tool for TCP/IPv6 implementations

SYNOPSIS

       tcp6  -i INTERFACE [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR] [-s SRC_ADDR[/LEN]] [-d DST_ADDR]
       [-A  HOP_LIMIT]  [-y  FRAG_SIZE]  [-u  DST_OPT_HDR_SIZE]   [-U   DST_OPT_U_HDR_SIZE]   [-H
       HBH_OPT_HDR_SIZE]  [-c  OPEN_TYPE]  [-C  CLOSE_TYPE]  [-P  PAYLOAD_SIZE] [-o SRC_PORT] [-a
       DST_PORT] [-X  TCP_FLAGS]  [-q  TCP_SEQ]  [-Q  TCP_ACK]  [-V  TCP_URP]  [-w  TCP_WIN]  [-W
       WINDOW_MODE] [-M WIN_MOD_MODE] [-Z DATA] [-N] [-n] [-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J
       LINK_ADDR]  [-K  LINK_ADDR]  [-b  PREFIX[/LEN]]  [-g  PREFIX[/LEN]]  [-B  LINK_ADDR]   [-G
       LINK_ADDR]  [-F  N_SOURCES]  [-T N_PORTS] [-f] [-R] [-L] [-l] [-p PROBE_MODE] [-z SECONDS]
       [-r RATE] [-v] [-h]

DESCRIPTION

       tcp6 tool allows the assessment of IPv6 implementations  with  respect  to  a  variety  of
       attack  vectors  based  on  TCP/IPv6 segments. This tool is part of the SI6 Networks' IPv6
       Toolkit: a security assessment suite for the IPv6 protocols.

       tcp6 can be employed to perform  specific  TCP  connection-establishment  and  connection-
       termination  sequences.  For  example,  it can be employed to simulate a TCP "simultaneous
       open" scenario (see the "--open-mode" option) or to simulate a  TCP  "simultaneous  close"
       scenario  (see  the  "--close-mode"  option).  It  can  be employed to perform a number of
       resource-exhaustion attacks against TCP, such as SYN-flooding attacks, connection-flooding
       attacks (see the "--flood-sources" and "--flood-ports" options), etc. Additionally, it can
       be employed to exploit attack vectors based on the TCP window (see the "--window" option).

       tcp6 tool has two modes of operation: active and  listening.  In  active  mode,  the  tool
       attacks  a specific target, while in listening mode the tool listens to TCP traffic on the
       local network, and launches an attack in response to such traffic. Active mode is employed
       if an IPv6 Destination Address is specified. Listening mode is employed if the "-L" option
       (or its long counterpart "--listen") is set. If both an attack target and the "-L"  option
       are  specified,  the  attack  is  launched against the specified target, and then the tool
       enters listening mode to respond incoming packets with TCP segments.

       tcp6 supports filtering of incoming packets based on  the  Ethernet  Source  Address,  the
       Ethernet  Destination  Address, the IPv6 Source Address, and the IPv6 Destination Address.
       There are two types of filters: "block  filters"  and  "accept  filters".  If  any  "block
       filter" is specified, and the incoming packet matches any of those filters, the message is
       discarded (and thus no TCP segments are sent in  response).  If  any  "accept  filter"  is
       specified,  incoming  packets  must  match  the specified filters in order for the tool to
       respond with TCP segments.

OPTIONS

       tcp6 takes itS parameters as command-line options. Each of the options  can  be  specified
       with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
       a long name (a string preceded with two hyphen characters, as e.g. "--interface").

       If the tool is instructed to e.g. flood  the  victim  with  TCP  segments  from  different
       sources ("--flood-sources" option), multiple packets may need to be generated.

       tcp6 supports IPv6 Extension Headers, including the IPv6 Fragmentation Header, which might
       be of use to circumvent layer-2  filtering  and/or  Network  Intrusion  Detection  Systems
       (NIDS).  However,  IPv6  extension  headers  are  not  employed  by  default,  and must be
       explicitly enabled with the corresponding options.

       -i INTERFACE, --interface INTERFACE
              This option specifies the network interface that the tool  will  use.  The  network
              interface  must  be specified (i.e., the tool does not select any network interface
              "by default").

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

              This option specifies the link-layer Source Address of the probe packets.  If  left
              unspecified,  the link-layer Source Address of the packets is set to the real link-
              layer address of the network interface. Note: this option is meaningful  only  when
              the underlying link-layer technology is Ethernet.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

              This  option  specifies the link-layer Destination Address of the probe packets. By
              default, the link-layer Destination Address is automatically set to the  link-layer
              address  of  the  destination  host (for on-link destinations) or to the link-layer
              address of the first-hop router. Note: this option  is  meaningful  only  when  the
              underlying link-layer technology is Ethernet.

       -s SRC_ADDR, --src-address SRC_ADDR

              This  option  specifies the IPv6 source address (or IPv6 prefix) to be used for the
              Source Address of the attack packets. If the  "-F"  ("--flood-sources")  option  is
              specified,  this  option  includes  an IPv6 prefix, from which random addresses are
              selected. See the description of the "-F" option for further information on how the
              "-s" option is processed in that specific case.

              Note:  When  operating in "listening" mode, the Source Address is automatically set
              to the Destination Address of the incoming packet.

       -d DST_ADDR, --dst-address DST_ADDR

              This option specifies the IPv6 Destination Address of the victim. It  can  be  left
              unspecified only if the "-L" option is selected (i.e., if the tool is to operate in
              "listening" mode).

              Note: When operating in "listening" mode, the Destination Address is  automatically
              set to the Source Address of the incoming packet.

       -A HOP_LIMIT, --hop-limit HOP_LIMIT

              This option specifies the Hop Limit to be used for the IPv6 packets. It defaults to
              255.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

              This option specifies that a Destination Options header is to be  included  in  the
              outgoing  packet(s).  The extension header size must be specified as an argument to
              this option (the header is  filled  with  padding  options).  Multiple  Destination
              Options headers may be specified by means of multiple "-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

              This  option  specifies  a  Destination  Options  header  to  be  included  in  the
              "unfragmentable part" of the outgoing packet(s). The header size must be  specified
              as an argument to this option (the header is filled with padding options). Multiple
              Destination Options headers may be specified by means of multiple "-U" options.

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

              This option specifies that a Hop-by-Hop Options header is to  be  included  in  the
              outgoing packet(s). The header size must be specified as an argument to this option
              (the header is filled with padding options). Multiple  Hop-by-Hop  Options  headers
              may be specified by means of multiple "-H" options.

       -y FRAG_SIZE, --frag-hdr FRAG_SIZE

              This  option  specifies  that the resulting packet must be fragmented. The fragment
              size must be specified as an argument to this option.

       -P PAYLOAD_SIZE, --payload-size PAYLOAD_SIZE

              This options specifies the size of the TCP payload. It defaults to 0  (i.e.,  empty
              TCP segments).

       -o SRC_PORT, --src-port SRC_PORT

              This option specifies the TCP Source Port.

       -a DST_PORT, --dst-port DST_PORT

              This option specifies the TCP/UDP Destination Port.

       -X TCP_FLAGS, --tcp-flags TCP_FLAGS

              his  option  is  used to set specific the TCP flags. The flags are specified as "F"
              (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK), "U" (URG), "X" (no flags).

              If this option is not set, and the tool operates in listening mode,  the  flags  of
              the  generated TCP segments are automatically set as follows: TCP segments elicited
              by SYNs have both the SYN and ACK flags set. All other TCP segments  have  the  ACK
              bit set.

       -q SEQ_NUMBER, --tcp-seq SEQ_NUMBER

              This  option  specifies the Sequence Number of the TCP header. If left unspecified,
              the Sequence Number is randomized.

              If this option is left unspecified and the tool is operating in listening mode, the
              TCP  Sequence  Number  is  set  to  the  Acknowledgement  Number of the packet that
              elicited the TCP segment.

       -Q ACK_NUMBER, --tcp-ack ACK_NUMBER

              This option specifies the  Acknowledgment  Number  of  the  TCP  segment.  If  left
              unspecified, the Acknowledgment Number is randomized.

              If this option is left unspecified and the tool is operating in listening mode, the
              TCP Sequence Number is set  to  the  Acknowledgement  Number  of  the  packet  that
              elicited the TCP segment.

       -V URG_POINTER, --tcp-urg URG_POINTER

              This  option  specifies the Urgent Pointer of the TCP segment. If left unspecified,
              the Urgent Pointer is set to 0.

       -w TCP_WINDOW, --tcp-win TCP_WINDOW

              This option specifies the value of the TCP Window. If left unspecified, the  Window
              is randomized.

       -W WIN_MODE, --window-mode WIN_MODE

              This  option  specifies  how  to  operate  the  TCP window by means of the WIN_MODE
              parameter. Two modes are supported:

                 + closed
                 + modulated

              When the "closed" mode is selected, the TCP window will be set to 0 (i.e.,  "closed
              window"). If the tool estabishes new TCP connections, the initial window advertised
              during the TCP three-way handshake will be that specified  with  the  '-w'  option.
              However, once the connection has been established, the TCP window will be set to 0.
              This allows for the implementation of the so-called Netkill  attack,  discussed  in
              Section  7.1.1  of  the  document  "Security Assessment of the Transmission Control
              Protocol                  (TCP)"                   (available                   at:
              <http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>).

              When  the  "modulated"  mode  is  selected,  the  TCP window will oscillate between
              alternate between two different values. These values, along the amount of time that
              each  of them is "active", can be specified by means of the '-M' ("--win-modulate")
              option. The first of the aforementioned values is meant to close the window  (hence
              it  will typically be zero), while the second is meant to open the window. The goal
              of alternating between these two values  is  to  circumvent  a  trivial  mitigation
              against  Zero-Window  attacks implemented by some stacks where they enforce a limit
              on the maximum amount of time that the TCP advertised  by  a  remote  peer  remains
              fully-closed  (i.e.,  set  to  0).  By changing the advertised window to some other
              (small) value every now and then, such a trivial "counter-measure"  can  be  easily
              circumvented.

       -M WIN_MOD_MODE, --win-modulation WIN_MOD_MODE

              This option specifies the two values (and their respective duration) over which the
              TCP   window   will   alternate.   The   value   WIN_MOD_MODE   hast   the   syntax
              "WIN1:TIME1:WIN2:TIME2", where the WIN1 and WIN2 parameters specify the window size
              for each of these periods, while the  TIME1  and  TIME2  parameters  specify  their
              respective  time  lengths.  For example, setting "--win-modulation 0:60:10:30" will
              cause tcp6 to alternate between advertising a TCP window of 0 bytes for 60 seconds,
              and advertising a TCP window of 10 bytes for 30 seconds.

              This  option  will  be  typically  employed  along with one of the flooding options
              ("--flood-sources" an/or  "--flood-ports")  and  the  "--data"  option,  such  that
              multiple   TCP  connections  are  established,  and  the  target  TCPs  keep  their
              retransmission buffer full. In this scenario, the TCP  window  "modulation"  option
              can  be  leveraged to evade trivial counter-measures implemented by some TCP stacks
              that try to mitigate Zero-Window attacks by enforcing a limit on the maximum amount
              of time the TCP window can be in the "closed state".

       -c OPEN_MODE, --open-mode OPEN_MODE

              This  option  specifies  the connection-establishment mode. The following modes are
              available:

                 + simultaneous
                 + passive
                 + abort

              When the "simultaneous" mode  is  selected,  tcp6  will  respond  to  incoming  SYN
              segments  with  other SYN segments, thus simulating a "simultaneous open" scenario.
              When the "passive" mode is selected, tcp6 will respond  to  incoming  SYN  segments
              with  the  typical  SYN/ACK  segments,  thus  leading to the traditional "three-way
              handshake". Finally, when the  "abort"  mode  si  selected,  tcp6  wil  respond  to
              incoming SYN segments with RST segments, thus aborting the incoming connections.

              For  the most part, this option is useful for assessing the correct behavior of TCP
              implementations (e.g., support for "simultaneous opens").

       -C CLOSE_MODE, --close-mode CLOSE_MODE

              This option specifies the the connection-termination mode. The following modes  are
              available:

                 + simultaneous
                 + passive
                 + abort
                 + active
                 + FIN-WAIT-1
                 + FIN-WAIT-2
                 + LAST-ACK

              When  the  "simultaneous"  mode  is  selected,  tcp6  will  respond to incoming FIN
              segments with FIN segments, thus simulating a "simultaneous close"  scenario.  When
              the "passive" mode is selected, tcp6 will respond to incoming FIN segments with the
              typical  FIN/ACK  segments,  thus  leading  to  the  traditional  TCP   connection-
              termination  sequence.  When  the  "abort"  mode  is  selected, tcp6 wil respond to
              incoming  FIN  segments  with  RST  segments,  thus  aborting   the   corresponding
              connections.   When   the   "active"   mode   is  selected,  tcp6  will  start  the
              connection-termination sequence by sending a FIN segment.

              The FIN-WAIT-1, FIN-WAIT-2, and LAST-ACK modes will result in  connections  in  the
              FIN-WAIT-1,  FIN-WAIT-2,  and  LAST-ACK,  respectively.  It should be noted that in
              order for the remote TCPs to transition to the FIN-WAIT-1 or FIN-WAIT-2 states, the
              remote  TCPs  must  perform the "active close". This can be trivially triggered for
              application protocols such as HTTP, but might not be feasible for other protocols.

       -Z DATA, --data DATA

              This option is used to specify a payload that should be  sent  as  the  first  data
              segment  once  a  TCP connection has been established. It will typically include an
              application-layer request. Note: the string used for the DATA parameter can contain
              the  "\r" and "\n" C-style escape senquenced for representing "carriage return" and
              "line feed" (respectively).

              As an example, this option could be employed to send an  HTTP  request  if  set  as
              '--data "GET / HTTP/1.0\r\n\r\n"'.

       -N, --not-ack-data

              This  option instructs tcp6 not to acknowledge the TCP payload of incoming segments
              (when operating in listening mode).

              Note: By default, tcp6 will acknowledge both the  payload  and  the  flags  of  the
              incoming TCP segments.

       -n, --not-ack-flags

              This  option  instructs  tcp6  not to acknowledge the TCP flags (SYN and/or FIN) of
              incoming segments (when operating in listening mode).

              Note: By default, tcp6 will acknowledge both the  payload  and  the  flags  of  the
              incoming TCP segments.

       -j SRC_ADDR, --block-src SRC_ADDR

              This  option  sets  a  block  filter  for the incoming packets, based on their IPv6
              Source Address. It allows the specification of an  IPv6  prefix  in  the  form  "-j
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst DST_ADDR

              This  option  sets  a  block  filter  for the incoming packets, based on their IPv6
              Destination Address. It allows the specification of an IPv6 prefix in the form  "-k
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -J LINK_ADDR, --block-link-src LINK_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Source Address. The option must be followed by  a  link-layer  address  (currently,
              only Ethernet is supported).

       -K LINK_ADDR, --block-link-dst LINK_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Destination  Address.  The  option  must  be  followed  by  a  link-layer   address
              (currently, only Ethernet is supported).

       -b SRC_ADDR, --accept-src SRC_ADDR

              This  option  sets  an  accept filter for the incoming packets, based on their IPv6
              Source Address. It allows the specification of an  IPv6  prefix  in  the  form  "-b
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

              This  option  sets  a  accept  filter for the incoming packets, based on their IPv6
              Destination Address. It allows the specification of an IPv6 prefix in the form  "-g
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -B LINK_ADDR, --accept-link-src LINK_ADDR

              This  option  sets  an accept filter for the incoming packets, based on their link-
              layer Source  Address.  The  option  must  be  followed  by  a  link-layer  address
              (currently, only Ethernet is supported).

       -G LINK_ADDR, --accept-link-dst LINK_ADDR

              This  option  sets  an accept filter for the incoming packets, based on their link-
              layer Destination Address. The option must be  followed  by  a  link-layer  address
              (currently, only Ethernet is supported).

       -F N_SOURCES, --flood-sources N_SOURCES

              This  option instructs the tool to send multiple TCP segments with different Source
              Addresses. The number of different source addresses is specified  as  "-F  number".
              The  Source  Address  of  each  TCP  segment  is  randomly selected from the prefix
              specified by the "-s" option. If the "-F" option is specified but the  "-s"  option
              is  left  unspecified,  the Source Address of the packets is randomly selected from
              the prefix ::/0.

       -T N_PORTS, --flood-ports N_PORTS

              This option instructs the tool to send multiple TCP segments with different  Source
              Ports. The Source Port of each TCP segment is randomly selected from the whole port
              number space (0-65535).

       -l, --loop

              This option instructs the tcp6 tool to send periodic TCP  segments  to  the  victim
              node.  The amount of time to pause between sending TCP segments can be specified by
              means of the "-z" option, and defaults to 1 second. Note that this option cannot be
              set in conjunction with the "-L" ("--listen") option.

       -z, --sleep

              This  option  specifies  the  amount  of time to pause between sending TCP segments
              (when the "--loop" option is set). If left unspecified, it defaults to 1 second.

       -r RATE, --rate-limit RATE

              This option specifies the rate limit to use when performing a remote address  scan.
              "RATE"  should  be  specified  as  "xbps"  or  "xpps"  (with  "x" being an unsigned
              integer), for rate-limits in bits per second or packets per second, respectively.

       -L, --listen

              This instructs the tcp6 tool to operate in listening mode (possibly after attacking
              a  given  node).  Note that this option cannot be used in conjunction with the "-l"
              ("--loop") option.

       -p PROBE_MODE, --probe-mode PROBE_MODE

              This option instructs tcp6 to operate in probe mode. The  specific  probe  mode  is
              specified  as  an  argument  to  this  option  (currently,  only  "script"  mode is
              supported). In probe mode, tcp6  sends  probe  segments,  and  waits  for  response
              packets. The response packets are decoded based on the selected probe mode.

              In the "script" probe mode, the tool decodes TCP segments as follows:

                   RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...

              Where  the  string  RESPONSE  is  fixed,  and  RESPONSE_TYPE indicates the response
              received. As of this version of the tool, the following  RESPONSE_TYPE  values  are
              supported:

                 + TCP6: Indicates that the tool received a TCP/IPv6 packet
                 + TIMEOUT: Indicates that the tool received no response

              If  RESPONSE_TYPE  is TCP6, RESPONSE code contains the TCP flags set in the receive
              TCP segment. The TCP flags are encoded as "F" (FIN),  "S"  (SYN),  "R"  (RST),  "P"
              (PSH), "A" (ACK), and "U" (URG).

              Possibe output lines of the tool are:

                  RESPONSE:TIMEOUT:
                  RESPONSE:TCP6:RA:

              Note:  Future versions of the tool will also decode ICMPv6 error messages, and will
              include additional data regarding the  incoming  TCP  segments  (e.g.,  ACK  value,
              payload size, etc.).

       -v, --verbose

              This  option  instructs the tcp6 tool to be verbose.  When the option is set twice,
              the tool is "very verbose", and the tool  also  informs  which  packets  have  been
              accepted or discarded as a result of applying the specified filters.

       -h, --help

              Print help information for the tcp6 tool.

EXAMPLES

       The following sections illustrate typical use cases of the tcp6 tool.

       Example #1

       # tcp6 -s fc00:1::/64 -d fc00:1::1 -a 22 -X S -F 100 -l -z 1 -v

       In  this  example  the  tcp6  tool  is  essentially employed to perform a SYN-flood attack
       against port number 22 of the host fc00:1::1. The tool uses the network  interface  "eth0"
       (as  specified  by  the  "-i"  option),  and  sends SYN segments (as specified by the "-X"
       option) from the prefix  fc00:1::/64  (as  specified  by  the  "-s"  option)  to  port  22
       (specified by the "-a" option) at the destination address fc00:1::1 (specified by the "-d"
       option). The tool sends TCP segments from 100 different addresses  (as  specified  by  the
       "-F"  option)  every one second (as specified by the "-l" and "-z" options). The tool will
       be verbose (as specified by the "-v" option).

       Example #2

       # tcp6 -i eth0 -L -X RA -v

       In this example, the tcp6 tool is  employed  to  perform  a  TCP  connection-reset  attack
       against  all   active TCP connections in the local network. The tool listens ("-L") on the
       interface eth0 ("-i eth0"), and responds to any TCP segments with a RST packet (with  both
       the RST and ACK bits set). The tool will be verbose.

       Example #3

       #  tcp6  -i  eth0  -d  fc00:1::1  -a  80  -L  -s  fc00:1::/112 -l -r 1pps -v --data "GET /
       HTTP/1.0\r\n\r\n" --close-mode last-ack --flood-ports 10

       Flood the target system (fc00:1::1) with connections that stay in the LAST-ACK  state  (on
       port  80), sending packets at a rate of one packet per second. For each forged address, 10
       different (forged) ports are used. For each connection, tcp6 will send an HTTP application
       request.

       Example #4

       #  tcp6  -i  eth0  -d fc00:1::1 -a 80 -L -s fc00:1::/112 -l -r 1000pps --tcp-flags auto -v
       --data "GET / HTTP/1.0\r\n\r\n" --flood-ports 10 --window-mode close

       Flood the target node (fc00:1::1) with TCP connections (on port 80).  On  each  connection
       that  is  established,  an HTTP request is sent, and the TCP window is immediately closed.
       For each forged IPv6 source address ten different TCP source  ports  are  randomized.  The
       bandwidth of the attack is limited to 1000 pps.

       Example #5

       #  tcp6  -d  fc00:1::1  -a 80 --tcp-flags A --dst-opt-hdr 8 --payload-size 50 --probe-mode
       script

       Send a probe TCP segment to TCP port 80 at fc00:1::1. The probe packet consists of an IPv6
       packet  with  a Destination Options header of 8 bytes, and an IPv6 payload consisting of a
       TCP segment with the ACK bit set, and 50 data bytes. The probe mode is "script".

SEE ALSO

       "Security  Assessment  of  the  Transmission  Control  Protocol  (TCP)"   (available   at:
       <http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>)  for a discussion of
       TCP vulnerabilities.

AUTHOR

       The tcp6  tool  and  the  corresponding  manual  pages  were  produced  by  Fernando  Gont
       <fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.

COPYRIGHT

       Copyright (c) 2011-2013 Fernando Gont.

       Permission  is  granted to copy, distribute and/or modify this document under the terms of
       the GNU Free Documentation License, Version 1.3 or any later version published by the Free
       Software  Foundation;  with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts.  A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.

                                                                                          TCP6(1)