Provided by: ipv6toolkit_2.0+ds.1-2_amd64 bug

NAME

       frag6 - A security assessment tool for IPv6 fragmentation

SYNOPSIS

       frag6 [-i INTERFACE] -d DST_ADDR [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR] [-s SRC_ADDR[/LEN]]
       [-A HOP_LIMIT] [-u DST_OPT_HDR_SIZE] [-U  DST_OPT_U_HDR_SIZE]  [-H  HBH_OPT_HDR_SIZE]  [-P
       FRAG_SIZE]  [-O  FRAG_TYPE]  [-o  FRAG_OFFSET]  [-I  FRAG_ID] [-T] [-n] [-p | -W | -X | -F
       N_FRAGS] [-l] [-z SECONDS] [-v] [-h]

DESCRIPTION

       frag6 is a security assessment tool for attack vectors based on IPv6 fragments. It is part
       of  the  SI6  Networks' IPv6 Toolkit: a security assessment and trouble-shooting suite for
       the IPv6 protocols.

OPTIONS

       frag6 takes it parameters as command-line options. Each of the options  can  be  specified
       with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
       a long name (a string preceded with two hyphen characters, as e.g. "--interface").

       -i INTERFACE, --interface INTERFACE
              This option specifies the  network  interface  that  the  tool  will  use.  If  the
              destination  address  ("-d"  option) is a link-local address, the interface must be
              explicitly specified. The interface may also be specified along with a  destination
              address, with the "-d" option.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

              This  option  specifies the link-layer Source Address of the probe packets. If left
              unspecified, the link-layer Source Address of  the  packets  is  set  to  the  real
              link-layer address of the network interface.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

              This  option  specifies the link-layer Destination Address of the probe packets. By
              default, the link-layer Destination Address is automatically set to the  link-layer
              address  of  the  destination  host (for on-link destinations) or to the link-layer
              address of the first-hop router.

       -s SRC_ADDR, --src-address SRC_ADDR

              This option specifies the IPv6 source address (or IPv6 prefix) to be used  for  the
              Source  Address  of  the outgoing packets. If an IPv6 prefix is specified, the IPv6
              Source Address of the outgoing packets will be randomized from that prefix.

       -d DST_ADDR, --dst-address DST_ADDR

              This option specifies the IPv6 Destination Address of the target node. This  option
              cannot be left unspecified.

       -A HOP_LIMIT, --hop-limit HOP_LIMIT

              This  option  specifies  the Hop Limit to be used for the IPv6 packets. By default,
              the Hop Limit is randomized.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

              This option specifies that a Destination Options header is to be  included  in  the
              outgoing  packet(s).  The extension header size must be specified as an argument to
              this option (the header is  filled  with  padding  options).  Multiple  Destination
              Options headers may be specified by means of multiple "-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

              This  option  specifies  a  Destination  Options  header  to  be  included  in  the
              "unfragmentable part" of the outgoing packet(s). The header size must be  specified
              as an argument to this option (the header is filled with padding options). Multiple
              Destination Options headers may be specified by means of multiple "-U" options.

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

              This option specifies that a Hop-by-Hop Options header is to  be  included  in  the
              outgoing packet(s). The header size must be specified as an argument to this option
              (the header is filled with padding options). Multiple  Hop-by-Hop  Options  headers
              may be specified by means of multiple "-H" options.

       -P FRAG_SIZE, --frag-size FRAG_SIZE

              This option specifies the IPv6 fragment payload size.

       -O FRAG_TYPE, --frag-type FRAG_TYPE

              This  option  specifies  the fragment "type". Possible types are "first", "middle",
              "last", and "atomic". If the selected fragment type is "first", the Fragment Offset
              is  automatically  set to 0, and the "M" ("More fragments") bit is set to 1. If the
              selected fragment type is "middle", the Fragment Offset is set to a non-zero value,
              and  the "M" bit is set to 1. If the selected fragment type is "last", the Fragment
              Offset is set to a non-zero value, and the "M" bit is set to  0.  Finally,  if  the
              selected  fragment  type  is "atomic", the Fragment Offset is set to 0, and the "M"
              bit is set to 0.

       -o FRAG_OFFSET, --frag-offset FRAG_OFFSET

              This option specifies the Fragment Offset. The Fragment Offset specified  by  means
              of  this  option  overrides  the  value  implicitly  specified by means of the "-O"
              option.

       -I FRAG_ID, --frag-id FRAG_ID

              This option specifies the fragment "Identification" value. If left unspecified, the
              "Identification" value is randomized.

       -T, --no-timestamp

              When  assessing  the  fragment  reassembly policy of a target, the fragment payload
              includes a timestamp value that is used to measure the fragment reassembly timeout.
              If  this option is set, such timestamp will not be included in the payload (and the
              tool will not be able to measure the fragment reassembly timeout).

       -n, --no-responses

              This option instructs the frag6 tool not to display the responses to the  fragments
              sent.  This  option  is  useful when performing a fragmentation-flooding attack, as
              multiple response packets (ICMPv6 errors) might be received.

       -p, --frag-reass-policy

              This option instructs the tool to determine the IPv6 fragment reassembly policy  of
              the  target.  In  order to determine the aforementioned policy, the tool performs a
              number of tests to determine how the target node processes  overlapping  fragments.
              The following figures illustrate the sequence of packets that correspond to each of
              the tests.

              Test #1

                     Frag. #1:  AAAAAAAAAAA
                     Frag. #2:         BBBBBBBBBBB

              Test #2

                     Frag. #1:  AAAAAAAAAA
                     Frag. #2:                    BBBBBBBBBBB
                     Frag. #3:         CCCCCCCCCCC

              Test #3

                     Frag. #1:  AAAAAAAAAA
                     Frag. #2:                    BBBBBBBBBBB
                     Frag. #3:            CCCCCCCCCCC

              Test #4

                     Frag. #1:  AAAAAAAAAA
                     Frag. #2:                    BBBBBBBBBBB
                     Frag. #3:            CCCCCCCCCCCCCCCCCCCCCCCCCC

              Test #5

                     Frag. #1:  AAAAAAAAAA
                     Frag. #2:                    BBBBBBBBBBB
                     Frag. #3:                           CCCCCCCCCCC
                     Frag. #4:            DDDDDDDD

          For each of the aforementioned tests, the tool reports which
                 copy of the data is used by the target host. If there is no
                 response from the host, the tool informs whether the host
                 silently dropped the fragments, or sent an ICMPv6 Time
                 Exceeded error message.

       -W, --frag-id-policy

              This  option  instructs  the  tool  to  determine  the  fragment   "Identification"
              generation policy. The tool sends a number of probe packets to the target node, and
              samples the "Identification" values of the corresponding response packets. Based on
              the sampled values, it tries to infer the fragment Identification generation policy
              of the target.

              The tool will first send a number of fragments from single IPv6 address, such  that
              the  per-destination  policy  is  determined.  The  tool will then send a number of
              fragments from random IPv6 addresses (from the same prefix as the first  fragments)
              such that the "global" fragment Identification generation policy can be inferred.

              The  tool  computes the expected value and the standard deviation of the difference
              between consecutive-sampled Identification values (IDn – IDn-1), with the intent of
              inferring the fragment Identification algorithm at the target node.

              For  small values of the standard deviation, the fragment Identification is assumed
              to be a monotonically-increasing function with increments of the "expected  value".
              For  large values of the standard deviation, the fragment Identification is assumed
              to be randomized, and the expected value and standard deviation are informed to the
              user,  as  indicators  of  the  "quality" of the fragment Identification generation
              algorithm.

       -X, --pod-attack

              This option instructs the tool to perform a "Ping  of  Death"  attack  against  the
              specified target.

       -F FRAG_NUMBER, --flood-frags FRAG_NUMBER

              This  option  instructs the tool to send the specified number of fragments back-to-
              back to the target node. This option is likely to be used in conjunction  with  the
              "-l" option, such that the process is repeated in a loop.

       -l, --loop

              This  option  instructs  the  frag6 tool to periodically send IPv6 fragments to the
              target node. The amount of time to pause between sending a batch of  fragments  can
              be specified by means of the "-z" option, and defaults to 1 second.

       -z SECONDS, --sleep SECONDS

              This option specifies the amount of time that the tool should pause between sending
              btaches of IPv6 fragments (when the "--loop" option is set). If  left  unspecified,
              it defaults to 1 second.

       -v, --verbose

              This  option  instructs  the frag6 tool to be verbose.  If this option is set twice
              and the -W option was set, the tool outputs  the  sampled  Fragment  Identification
              values (in addition to other information).

       -h, --help

              Print help information for the frag6 tool.

EXAMPLES

       The following sections illustrate typical use cases of the frag6 tool.

       Example #1

       # frag6 --frag-id-policy -d fc00:1::1 -v

       Assess the fragment Identification generation policy of the host "fc00:1::1". Be verbose.

       Example #2

       # frag6 --frag-reass-policy -d fc00:1::1 -v

       Assess the fragment reassembly policy of the host "fc00:1::1". Be verbose.

       Example #3

       # frag6 --frag-type atomic -d fc00:1::1 -v

       Send an IPv6 atomic fragment to the host "fc00:1::1". Be verbose.

       Example #4

       # frag6 -s ::/0 --flood-frags 100 -l -z 5 -d fc00:1::1 -v

       Send  100  fragments  (every  5 seconds) to the host fc00:1::1, using a forged IPv6 Source
       Address from the prefix ::/0. The aforementioned fragments should have an offset of 0, and
       the M bit set (i.e., be first-fragments). Be verbose.

AUTHOR

       The  frag6  tool  and  the  corresponding  manual  pages  were  produced  by Fernando Gont
       <fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.

COPYRIGHT

       Copyright (c) 2011-2013 Fernando Gont.

       Permission is granted to copy, distribute and/or modify this document under the  terms  of
       the GNU Free Documentation License, Version 1.3 or any later version published by the Free
       Software Foundation; with no Invariant Sections, no Front-Cover Texts, and  no  Back-Cover
       Texts.  A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.

                                                                                         FRAG6(1)