Provided by: ipv6toolkit_2.0+ds.1-2_amd64

NAME

       rd6 - A security assessment tool for attack vectors based on ICMPv6 Redirect messages

SYNOPSIS

       rd6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR]
       [-A  HOP_LIMIT]  [-y  FRAG_SIZE]  [-u  DST_OPT_HDR_SIZE]   [-U   DST_OPT_U_HDR_SIZE]   [-H
       HBH_OPT_HDR_SIZE]  [-r  RD_DESTADDR/LEN]  [-t  RD_TARGETADDR/LEN]  [-p  PAYLOAD_TYPE]  [-P
       PAYLOAD_SIZE] [-n] [-c HOP_LIMIT] [-x SRC_ADDR] [-a SRC_PORT] [-o DST_PORT] [-X TCP_FLAGS]
       [-q TCP_SEQ] [-Q TCP_ACK] [-V TCP_URP] [-w TCP_WIN] [-M] [-O] [-N] [-E LINK_ADDR] [-e] [-j
       PREFIX[/LEN]] [-k PREFIX[/LEN]]  [-J  LINK_ADDR]  [-K  LINK_ADDR]  [-b  PREFIX[/LEN]]  [-g
       PREFIX[/LEN]]  [-B  LINK_ADDR]  [-G  LINK_ADDR]  [-f]  [-R  N_DESTS]  [-T  N_TARGETS]  [-F
       N_SOURCES] [-L | -l] [-z] [-v] [-h]

DESCRIPTION

       rd6 allows the assessment of IPv6 implementations with respect  to  a  variety  of  attack
       vectors  based  on  ICMPv6  Redirect messages. This tool is part of the SI6 Networks' IPv6
       Toolkit: a security assessment suite for the IPv6 protocols.

       This tool has two modes of operation: active and passive. In active mode, the tool attacks
       a specific target, while in passive mode the tool listens to traffic on the local network,
       and launches an attack in response to such traffic. Active mode is  employed  if  an  IPv6
       Destination  Address,  a  Redirect  Destination Address, and a Redirect Target Address are
       specified. Passive  mode  is  employed  if  the  "-L"  option  (or  its  long  counterpart
       "--listen") is set. If both an attack target and the "-L" option are specified, the attack
       is launched against the specified target, and then the tool enters passive mode to respond
       to incoming packets with ICMPv6 Redirect messages.

       The  tool supports filtering of incoming packets based on the Ethernet Source Address, the
       Ethernet Destination Address, the IPv6 Source Address, and the IPv6  Destination  Address.
       There  are  two  types  of  filters:  "block  filters" and "accept filters". If any "block
       filter" is specified, and the incoming packet matches any of those filters, the message is
       discarded  (and thus no Redirect messages are sent in response). If any "accept filter" is
       specified, incoming packets must match the specified filters in  order  for  the  tool  to
       respond with Redirect messages.

OPTIONS

       rd6 takes its parameters as command-line options. Each of the options can be specified with
       a short name (one character preceded with the hyphen character, as e.g. "-i")  or  with  a
       long name (a string preceded with two hyphen characters, as e.g. "--interface").

       Depending  on  the  amount  of  information (i.e., options) to be conveyed into the ICMPv6
       Redirect messages, it may be necessary for the rd6 tool to  split  that  information  into
       more  than  one Redirect message. Also, if the tool is instructed to e.g. flood the victim
       with Redirect messages from different sources ("--flood-sources" option), multiple packets
       may  need  to  be  generated.  rd6  supports  IPv6 fragmentation, which might be of use to
       circumvent layer-2 filtering and/or Network Intrusion Detection Systems  (NIDS).  However,
       IPv6 fragmentation is not enabled by default, and must be explicitly enabled with the "-y"
       option.

       -i INTERFACE, --interface INTERFACE
              This option specifies the  network  interface  that  the  tool  will  use.  If  the
              destination  address  ("-d"  option)  is  a  link-local address, or the "listening"
              ("-L") mode is selected, the interface must be explicitly specified. The  interface
              may also be specified along with a destination address, with the "-d" option.

       -s SRC_ADDR, --src-address SRC_ADDR

              This  option  specifies the IPv6 source address (or IPv6 prefix) to be used for the
              Source Address of the attack packets. This address  typically  corresponds  to  the
              IPv6  link-local  address  of  the  default router. If the "-F" ("--flood-sources")
              option is specified, this  option  includes  an  IPv6  prefix,  from  which  random
              addresses  are  selected.  See  the  description  of  the  "-F"  option for further
              information on how the "-s" option is processed in that specific case.

              Note:  Instead  of  specifying  the  "Source  Address"  with   this   option,   the
              "--learn-router"  option  could be set, such that the tool automatically learns the
              IPv6 link-local address of the default  router,  and  uses  this  address  for  the
              "Source Address" of the Redirect messages.

       -d DST_ADDR, --dst-address DST_ADDR

              This  option  specifies  the IPv6 Destination Address of the victim. It can be left
              unspecified only if the "-L" option is selected (i.e., if the tool is to operate in
              "Passive" mode).

              When  operating  in  passive  mode  ("-L"  option), the IPv6 Destination Address is
              selected according to the IPv6 Source Address of the incoming packet.

       --hop-limit, -A

              This option specifies the Hop Limit to  be  used  for  the  Redirect  messages.  It
              defaults  to  255. Note that IPv6 nodes are required to check that the Hop Limit of
              incoming Redirect messages is 255. Therefore, this option is only useful to  assess
              whether an IPv6 implementation fails to enforce the aforementioned check.

       -y SIZE, --frag-hdr SIZE

              This  option  specifies  that the resulting packet must be fragmented. The fragment
              size must be specified as an argument to this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

              This option specifies that a Destination Options header is to be  included  in  the
              resulting  packet.  The  extension  header size must be specified as an argument to
              this option (the header is  filled  with  padding  options).  Multiple  Destination
              Options headers may be specified by means of multiple "-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

              This  option  specifies  a  Destination  Options  header  to  be  included  in  the
              "unfragmentable part" of the resulting packet. The header size must be specified as
              an  argument  to  this option (the header is filled with padding options). Multiple
              Destination Options headers may be specified by means  of  multiple  "-U"  options.
              This  option  is  only  valid  if  the  "-y" option is specified (as the concept of
              "unfragmentable part" only makes sense when fragmentation is employed).

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

              This option specifies that a Hop-by-Hop Options header is to  be  included  in  the
              resulting  packet.  The header size must be specified as an argument to this option
              (the header is filled with padding options). Multiple  Hop-by-Hop  Options  headers
              may be specified by means of multiple "-H" options.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

              This  option specifies the link-layer Source Address of the Redirect messages (this
              option is only valid for Ethernet interfaces). If left unspecified, the  link-layer
              Source  Address is randomized. However, if this option is left unspecified, but the
              "--learn-router" option is set, the link-layer Source Address is set to that of the
              default router for the local network.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

              This  option  specifies the link-layer Destination Address of the Redirect messages
              (this option is only valid for Ethernet interfaces). If left unspecified, it is set
              to the "all-nodes link-local multicast" address (ff02::1).

              When operating in passive mode, the link-layer Destination Address is set according
              to the link-layer Source Address of the incoming packet.

       --redir-target, -t

              This option specifies the Target Address of the  Redirect  messages.  If  the  "-T"
              ("--flood-targets")  option  is  specified, this option specifies an IPv6 prefix in
              the form "-t prefix/prefixlen". See the description of the "-T" option for  further
              information on how the "-t" option is processed in that specific case.

              This option can be left unspecified only if the "--make-onlink" option is selected,
              in which case the Redirect Target Address is set to the same value as the  Redirect
              Destination address.

       --redir-dest, -r

              This   option   specifies   the   Redirect   Destination   Address.   If  the  "-R"
              ("--flood-dests") option is specified, this option specifies an IPv6 prefix in  the
              form  "-r  prefix/prefixlen".  See  the  description of the "-R" option for further
              information on how the "-r" option is processed in that specific case.

       --payload-type, -p

              This option specifies the payload type to be  included  in  the  Redirect  Payload.
              Currently  supported  payloads  are  "TCP",  "UDP",  and  "ICMP6". The payload-type
              defaults to "TCP".

       --payload-size, -P

              Size of the payload to be included in the Redirect message (with the  payload  type
              being  specified  by  the  "-p"  option). By default, as many bytes as possible are
              included, without exceeding the minimum IPv6 MTU (1280 bytes).

       --no-payload, -n

              This option specifies that no payload (i.e., no Redirected Header option) should be
              included in the Redirect message.

       --ipv6-hlim, -c

              This  option  specifies the Hop Limit of the IPv6 packet included in the payload of
              the Redirect message. It defaults to 255.

       --peer-addr, -x

              This option specifies the IPv6 Source Address of  the  Redirect  payload.  If  left
              unspecified,  the  IPv6  Source  Address of the Redirect payload is set to the same
              value as the IPv6 Destination Address of the packet. This option is  only  employed
              for packets sent in "active" mode.

              Note:  this option might be useful to check whether an implementation validates the
              contents of the Redirect message.

       --redir-port, -o

              This option specifies the Destination Port of the TCP or UDP  packet  contained  in
              the Redirect payload.

              Note: This option is meaningful only if "TCP" or "UDP" have been specified with the
              "-p" option.

       --peer-port, -a

              This option specifies the Source Port of the TCP or UDP  packet  contained  in  the
              Redirect payload.

              Note: This option is meaningful only if "TCP" or "UDP" have been specified with the
              "-p" option.

       --tcp-flags, -X

              This option specifies the flags  of  the  TCP  header  contained  in  the  Redirect
              payload. The flags are specified as "F" (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A"
              (ACK), "U" (URG), "X" (no flags). If left unspecified, only the "ACK" bit is set.

              Note: This option is meaningful only if "TCP" has  been  specified  with  the  "-p"
              option.

       --tcp-seq, -q

              This  option  specifies  the  Sequence  Number  of  the TCP header contained in the
              Redirect payload. If left unspecified, the Sequence Number is randomized.

              Note: This option is meaningful only if "TCP" has  been  specified  with  the  "-p"
              option.

       --tcp-ack, -Q

              This  option specifies the Acknowledgment Number of the TCP header contained in the
              Redirect payload. If left unspecified, the Acknowledgment Number is randomized.

              Note: This option is meaningful only if "TCP" has  been  specified  with  the  "-p"
              option.

       --tcp-urg, -V

              This  option  specifies  the  Urgent  Pointer  of  the  TCP header contained in the
              Redirect payload. If left unspecified, the Urgent Pointer is set to 0.

              Note: This option is meaningful only if "TCP" has  been  specified  with  the  "-p"
              option.

       --tcp-win, -w

              This  option  specifies  the  Window  of  the  TCP header contained in the Redirect
              payload. If left unspecified, the Window is randomized.

              Note: This option is meaningful only if "TCP" has  been  specified  with  the  "-p"
              option.

       --resp-mcast, -M

              This  option specifies that, when operating in "passive" mode, the tool should also
              respond to packets sent to multicast addresses. By default, the tool does not  send
              Redirects in response to packets sent to multicast addresses.

       --make-onlink, -O

              This option instructs the tool to set the Redirect Target Address to the same value
              as the Redirect Destination Address, thus  causing  the  specified  address  to  be
              considered "on-link".

       --learn-router, -N

              This  option  instructs  the tool to learn the link-layer and the (link-local) IPv6
              addresses  of  the  local  router  by  means  of  Router  Solicitation  and  Router
              Advertisement messages. If the IPv6 Source Address or the link-layer Source Address
              are left unspecified, the corresponding values learned with  this  option  will  be
              used.

              Note:  This option is very useful to avoid having to manually enter the IPv6 and/or
              Ethernet addresses of the router.

       --target-lla-opt, -E

              This option specifies the contents of a target  link-layer  address  option  to  be
              included  in the Redirect messages. If a single option is specified, it is included
              in all the outgoing Redirect messages. If more than one target  link-layer  address
              is  specified  (by  means  of multiple "-E" options), and all the resulting options
              cannot be conveyed into a single Redirect message, multiple Redirect messages  will
              be sent as needed.

       --add-tlla-opt, -e

              This option instructs the rd6 tool to include a target link-layer address option in
              the Redirect messages that it sends. When this option is employed,  the  link-layer
              Source  Address  must  be  specified,  and  such  value will be used for the target
              link-layer address option. The difference between this option and the  "-E"  option
              is  that  the "-e" option does not specify the actual value of the option, but just
              instructs the tool to include a target link-layer address option (the actual  value
              of the option is selected as explained before).

       -j SRC_ADDR, --block-src SRC_ADDR

              This  option  sets  a  block  filter  for the incoming packets, based on their IPv6
              Source Address. It allows the specification of an  IPv6  prefix  in  the  form  "-j
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst DST_ADDR

              This  option  sets  a block filter for the incoming Neighbor Solicitation messages,
              based on their IPv6 Destination Address. It allows the  specification  of  an  IPv6
              prefix  in the form "-k prefix/prefixlen". If the prefix length is not specified, a
              prefix length of "/128" is selected (i.e., the option assumes that  a  single  IPv6
              address, rather than an IPv6 prefix, has been specified).

       -J SRC_ADDR, --block-link-src SRC_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Source Address. The option must be followed by a link-layer address (this option is
              only valid for Ethernet interfaces).

       -K DST_ADDR, --block-link-dst DST_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Destination Address. The option must be followed  by  a  link-layer  address  (this
              option is only valid for Ethernet interfaces).

       -b SRC_ADDR, --accept-src SRC_ADDR

              This  option  sets  an  accept filter for the incoming packets, based on their IPv6
              Source Address. It allows the specification of an  IPv6  prefix  in  the  form  "-b
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

              This option sets an accept filter for the incoming packets, based on their IPv6
              Destination Address. It allows the specification of an IPv6 prefix in the form  "-g
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -B SRC_ADDR, --accept-link-src SRC_ADDR

              This  option sets an accept filter for the incoming Neighbor Solicitation messages,
              based on their link-layer  Source  Address.  The  option  must  be  followed  by  a
              link-layer address (this option is only valid for Ethernet interfaces).

       -G DST_ADDR, --accept-link-dst DST_ADDR

              This  option  sets  an  accept  filter  for  the  incoming  packets, based on their
              link-layer Destination Address. The option must be followed by a link-layer address
              (this option is only valid for Ethernet interfaces).

       --sanity-filters, -f

              This  option  automatically  adds an "accept filter" for the link-layer Destination
              Address corresponding to the local router  (either  learned  as  a  result  of  the
              "--learn-router"  option,  or specified by the "-S" option), and a block filter for
              the IPv6 Source Address fe80::/16.

              Note: This option is desirable in virtually all scenarios, such that the tool  does
              not respond to link-local traffic, etc.

       --flood-dests, -R

              This option instructs the rd6 tool to send multiple Redirect messages for different
              Redirect Destination  Addresses.  The  number  of  different  Redirect  Destination
              Addresses  is  specified  as  "-R number". The Redirect Destination Address of each
              packet is randomly selected from the prefix ::/0, unless  a  different  prefix  has
              been specified by means of the "-r" option.

       --flood-targets, -T

              This option instructs the rd6 tool to send multiple Redirect messages for different
              Redirect Target Addresses. The number of different Target Addresses is specified as
              "-T number". The Target Address of each packet is randomly selected from the prefix
              fe80::/64, unless a different prefix has  been  specified  by  means  of  the  "-t"
              option.

       --flood-sources, -F

              This  option  instructs  the tool to send multiple Redirect messages with different
              Source Addresses. The number of different sources is specified as "-F number".  The
              Source  Address  of  each  Redirect  message  is  randomly selected from the prefix
              specified by the "-s" option. If the "-F" option is specified but the  "-s"  option
              is  left  unspecified,  the Source Address of the packets is randomly selected from
              the prefix fe80::/64 (link-local unicast).  It  should  be  noted  that  hosts  are
              required  to discard Redirect messages whose IPv6 Source address does not match the
              (link-local) IPv6 address of the router used for the Redirect Destination Address.

       --loop, -l

              This option instructs the rd6 tool to send periodic Redirect messages to the victim
              node.  The  amount  of  time  to  pause  between  sending  Redirect messages can be
              specified by means of the "-z" option, and defaults to 1  second.  Note  that  this
              option cannot be set in conjunction with the "-L" ("--listen") option.

       --sleep, -z

              This option specifies the amount of time to pause between sending Redirect messages
              (when the "--loop" option is set). If left unspecified, it defaults to 1 second.

       --listen, -L

              This instructs the rd6 tool to operate in passive mode (possibly after attacking  a
              given  node).  Note  that  this  option cannot be used in conjunction with the "-l"
              ("--loop") option.

       --verbose, -v

              This option instructs the rd6 tool to be verbose.  When the option  is  set  twice,
              the  tool  is  "very  verbose",  and  the tool also informs which packets have been
              accepted or discarded as a result of applying the specified filters.

       --help, -h

              Print help information for the rd6 tool.

EXAMPLES

       The following sections illustrate typical use cases of the rd6 tool.

       Example #1

       # rd6 -i eth0 --learn-router --sanity-filters -L --make-onlink -v

       The tool uses the network interface "eth0", and operates in passive  mode  ("-L"  option).
       The IPv6 and Ethernet addresses of the local router are automatically learned by means of
       RS/RA messages. Basic filters are employed to avoid  responding  to  incorrect/unnecessary
       packets  ("--sanity-filters").  Each  Redirect  message  will  contain the Redirect Target
       Address set to the same value as  the  Redirect  Destination  Address,  thus  causing  the
       corresponding  address  to be considered "on-link" ("--make-onlink" option). The tool will
       print detailed information about the attack ("-v" option).

       Example #2

       # rd6 -i eth0 --learn-router -d 2001:db8::1 -r 2001:db8::/64 -t fe80::bad -R 100 -l -v

       Flood the victim host (specified with the  "-d"  option)  with  batches  of  100  Redirect
       messages  ("-R  100"  option).  Each  Redirect message redirects a random address from the
       prefix "2001:db8::/64" to the address "fe80::bad". The IPv6 and  link-layer  addresses  of
       the current local router are dynamically learned by means of RS/RA messages
       ("--learn-router" option). The process is repeated every second  ("-l"  option,  with  the
       default delay of 1 second).
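
       The receiver-side checks mentioned under "-A" (Hop Limit of 255) and "-F" (Source
       Address must be that of the router in use) belong to the Redirect validation rules of
       RFC 4861, section 8.1. The Python validator below is an added example, not code from
       rd6 or the IPv6 Toolkit; it applies those rules, plus the RFC 6980 ban on fragmented
       Neighbor Discovery messages, to constructed packets. The first_hop_for callback, the
       sample_redirect helper and all addresses are assumptions made for the example.

```python
import ipaddress
import struct

ICMP6, HBH, DSTOPTS, FRAGMENT, REDIRECT = 58, 0, 60, 44, 137
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def icmp6_checksum(src, dst, icmp):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!I3xB", len(icmp), ICMP6) + icmp
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def validate_redirect(packet, first_hop_for):
    """Reasons to discard `packet` (empty list: it passes). first_hop_for(dest)
    is a hypothetical callback: the router the host uses to reach `dest`."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    plen, nxt, hlim = struct.unpack("!HBB", packet[4:8])
    src, dst, off = packet[8:24], packet[24:40], 40
    while nxt in (HBH, DSTOPTS):      # walk past options headers ("-H", "-u")
        if off + 8 > len(packet):
            return ["truncated extension header"]
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    if nxt == FRAGMENT:               # "-y": RFC 6980, drop without reassembly
        return ["fragmented Neighbor Discovery message"]
    icmp = packet[off:40 + plen]
    if nxt != ICMP6 or not icmp or icmp[0] != REDIRECT:
        return ["not an ICMPv6 Redirect"]
    if len(icmp) < 40:
        return ["ICMPv6 length below 40 octets"]
    source, target, dest = map(ipaddress.IPv6Address, (src, icmp[8:24], icmp[24:40]))
    checks = [
        (hlim == 255, "Hop Limit is not 255"),
        (source in LINK_LOCAL, "Source Address is not link-local"),
        (icmp[1] == 0, "ICMPv6 Code is not 0"),
        (icmp6_checksum(src, dst, icmp) == 0, "bad ICMPv6 checksum"),
        (not dest.is_multicast, "Redirect Destination Address is multicast"),
        (target in LINK_LOCAL or target == dest,
         "Target Address is neither link-local nor the Destination Address"),
        (first_hop_for(dest) == source,
         "Source Address is not the router in use for the Destination"),
    ]
    reasons = [why for ok, why in checks if not ok]
    pos = 40
    while pos + 2 <= len(icmp) and icmp[pos + 1]:   # options: length must be non-zero
        pos += icmp[pos + 1] * 8
    if pos != len(icmp):              # stopped early or ran past the end
        reasons.append("malformed option")
    return reasons

def sample_redirect(src, dst, target, dest, hlim=255, first_hdr=ICMP6):
    """Constructed sample input: IPv6 header, optional extension header, Redirect."""
    a = lambda s: ipaddress.IPv6Address(s).packed
    icmp = struct.pack("!BBHI", REDIRECT, 0, 0, 0) + a(target) + a(dest)
    icmp = icmp[:2] + struct.pack("!H", icmp6_checksum(a(src), a(dst), icmp)) + icmp[4:]
    if first_hdr != ICMP6:            # 8-byte header: PadN for options, zeros for fragment
        filler = bytes(6) if first_hdr == FRAGMENT else bytes([1, 4, 0, 0, 0, 0])
        icmp = bytes([ICMP6, 0]) + filler + icmp
    return struct.pack("!IHBB", 6 << 28, len(icmp), first_hdr, hlim) + a(src) + a(dst) + icmp

def demo():
    """Validate four constructed Redirects on a host whose router is fe80::1."""
    args = ("fe80::2", "fe80::5", "2001:db8::10")  # packet dst, Target, Destination
    cases = {
        "from router": sample_redirect("fe80::1", *args),
        "hop limit 64": sample_redirect("fe80::1", *args, hlim=64),
        "other source": sample_redirect("fe80::bad", *args),
        "fragmented": sample_redirect("fe80::1", *args, first_hdr=FRAGMENT),
    }
    router = ipaddress.IPv6Address("fe80::1")
    return {k: validate_redirect(p, lambda dest: router) for k, p in cases.items()}
```

       The "from router" case marks the limit of these checks: any Redirect whose Source
       Address is the router's own link-local address passes them, so they do not authenticate
       the sender.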

SEE ALSO

       "Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations" (available at:
       <http://www.si6networks.com/tools/ipv6toolkit/si6networks-ipv6-nd-assessment.pdf>)  for  a
       discussion  of  Neighbor  Discovery vulnerabilities, and additional examples of how to use
       the na6 tool to exploit them.

AUTHOR

       The  rd6  tool  and  the  corresponding  manual  pages  were  produced  by  Fernando  Gont
       <fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.

COPYRIGHT

       Copyright (c) 2011-2013 Fernando Gont.

       Permission  is  granted to copy, distribute and/or modify this document under the terms of
       the GNU Free Documentation License, Version 1.3 or any later version published by the Free
       Software  Foundation;  with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts.  A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.

                                                                                           RD6(1)