Provided by: ipv6toolkit_2.0+ds.1-2_amd64

NAME

       ni6  -  A  security  assessment  tool  for attack vectors based on ICMPv6 Node Information
       messages

SYNOPSIS

       ni6 [-i INTERFACE] [-S LINK_SRC_ADDR | -R] [-D LINK_DST_ADDR] [-s SRC_ADDR[/LEN] | -r] [-d
       DST_ADDR]  [-c HOP_LIMIT] [-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H
       HBH_OPT_HDR_SIZE] [-P SIZE | -6 IPV6_ADDR | -4 IPV4_ADDR | -n NAME | -N LEN |  -x  LEN  -o
       TYPE] [-Z SIZE] [-e] [-C ICMP6_CODE] [-q NI_QTYPE] [-X NI_FLAGS] [-P SIZE | -w IPV6_ADDR |
       -W IPV4_ADDR | -a NAME | -A LEN | -Q LEN -O TYPE] [-E] [-j PREFIX[/LEN]] [-k PREFIX[/LEN]]
       [-J  LINK_ADDR]  [-K  LINK_ADDR]  [-b  PREFIX[/LEN]]  [-g PREFIX[/LEN]] [-B LINK_ADDR] [-G
       LINK_ADDR] [-L | -l] [-z] [-v] [-h]

DESCRIPTION

       ni6 allows the assessment of IPv6 implementations with respect  to  a  variety  of  attack
       vectors  based on ICMPv6 Node Information messages. This tool is part of the SI6 Networks'
       IPv6 Toolkit: a security assessment suite for the IPv6 protocols.

       This tool has two modes of operation: "active" and "listening". In "active" mode, the tool
       attacks  a  specific  target,  while  in  "listening" mode the tool listens to ICMPv6 Node
       Information Query messages on the local network, and sends ICMPv6 Node  Information  Reply
       messages  in  response  to  such  traffic.  Active mode is employed if an IPv6 Destination
       Address is specified. Listening  mode  is  employed  if  the  "-L"  option  (or  its  long
       counterpart  "--listen")  is  set.  If  both  an  attack  target  and  the "-L" option are
       specified, the attack is launched against the specified target, and then the  tool  enters
       listening mode to respond to incoming packets with ICMPv6 Node Information Reply messages.

       The  tool supports filtering of incoming packets based on the Ethernet Source Address, the
       Ethernet Destination Address, the IPv6 Source Address, and the IPv6  Destination  Address.
       There  are  two  types  of  filters:  "block  filters" and "accept filters". If any "block
       filter" is specified, and the incoming packet matches any of those filters, the message is
       discarded  (and  thus  no  ICMPv6  NI Reply messages are sent in response). If any "accept
       filter" is specified, incoming packets must match any of the specified "accept filters" in
       order for the tool to respond with ICMPv6 NI Reply messages.

OPTIONS

       ni6 takes its parameters as command-line options. Each of the options can be specified with
       a short name (one character preceded with the hyphen character, as e.g. "-i")  or  with  a
       long name (a string preceded with two hyphen characters, as e.g. "--interface").

       ni6  supports IPv6 Extension Headers, including the IPv6 Fragmentation Header, which might
       be of use to circumvent layer-2  filtering  and/or  Network  Intrusion  Detection  Systems
       (NIDS).  However,  IPv6  extension  headers  are  not  employed  by  default,  and must be
       explicitly enabled with the corresponding options.

       -i INTERFACE, --interface INTERFACE
              This option specifies the  network  interface  that  the  tool  will  use.  If  the
              destination  address  ("-d"  option)  is  a  link-local address, or the "listening"
              ("-L") mode is selected, the interface must be explicitly specified. The  interface
              may also be specified along with a destination address, with the "-d" option.

       -s SRC_ADDR, --src-address SRC_ADDR

              This  option  specifies the IPv6 source address (or IPv6 prefix) to be used for the
              Source Address of the attack packets. If an IPv6  prefix  is  specified,  the  IPv6
              Source Address of the ICMPv6 packets will be randomized from the specified prefix.

              Note:  When  operating  in  "listening"  mode,  the Source Address is automatically
              selected depending on the IPv6 Destination Address of the ICMPv6 NI Query (unless a
              specific IPv6 Source Address has been specified with the "-s" option).

       -d DST_ADDR, --dst-address DST_ADDR

              This  option  specifies  the IPv6 Destination Address of the victim. It can be left
              unspecified only if the "-L" option is selected (i.e., if the tool is to operate in
              "listening" mode).

              Note:  When operating in "listening" mode, the Destination Address is automatically
              set to the Source Address of the incoming ICMPv6 NI Query message.

       --hop-limit, -A

              This option specifies the Hop Limit  to  be  used  for  the  IPv6  packets.  It  is
              randomized by default.

       -y SIZE, --frag-hdr SIZE

              This  option  specifies  that the resulting packet must be fragmented. The fragment
              size must be specified as an argument to this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

              This option specifies that a Destination Options header is to be  included  in  the
              resulting  packet.  The  extension  header size must be specified as an argument to
              this option (the header is  filled  with  padding  options).  Multiple  Destination
              Options headers may be specified by means of multiple "-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

              This  option  specifies  a  Destination  Options  header  to  be  included  in  the
              "unfragmentable part" of the resulting packet. The header size must be specified as
              an  argument  to  this option (the header is filled with padding options). Multiple
              Destination Options headers may be specified by means  of  multiple  "-U"  options.
              This  option  is  only  valid  if  the  "-y" option is specified (as the concept of
              "unfragmentable part" only makes sense when fragmentation is employed).

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

              This option specifies that a Hop-by-Hop Options header is to  be  included  in  the
              resulting  packet.  The header size must be specified as an argument to this option
              (the header is filled with padding options). Multiple  Hop-by-Hop  Options  headers
              may be specified by means of multiple "-H" options.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

              This  option  specifies  the link-layer Source Address of the ICMPv6 NI packets. If left
              unspecified, the link-layer Source Address is set to the real link-layer address of
              the network interface.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

              This  option specifies the link-layer Destination Address of the ICMPv6 NI packets.
              By default,  the  link-layer  Destination  Address  is  automatically  set  to  the
              link-layer  address  of  the  destination host (for on-link destinations) or to the
              link-layer of the first-hop router.

       --payload-size, -P

              This option specifies the size (in bytes) of the ICMPv6 NI payload.

       --subject-ipv6, -6

              This option specifies an IPv6 Address to be used as  the  Subject  of  ICMPv6  Node
              Information Query messages.

       --subject-ipv4, -4

              This  option  specifies  an  IPv4  Address to be used as the Subject of ICMPv6 Node
              Information Query messages.

       --subject-name, -n

              This option specifies a Name to be used as the Subject of ICMPv6  Node  Information
              Query  messages.  By  default,  the  specified  name  is  considered to be a Fully-
              Qualified Domain Name (FQDN).   Please  consult  the  "--sname-slabel"  option  for
              instructions on how to specify "single-label" names.

       --subject-fname, -N

              This  option  instructs the ni6 tool to set the Subject of ICMPv6 NI Query messages
              to a forged  name of the specified length.

              Note: The forged name is a sequence of labels of 'a' characters, with  the  maximum
              label size being specified by means of the "--max-label-size" option.

       --subject-ename, -x

              This option instructs the ni6 tool to set the Subject of an ICMPv6 NI Query message
              to a malformed label of the specified length. This option is useful for including a
              malformed label that "spans past the end of the ICMPv6 NI Query".

       --subject-nloop, -O

              This  option  specifies that the Data field should be set to a Name that contains a
              DNS compression loop. The loop type is  specified  with  this  option,  with  valid
              values being in the range 0-1.

       --sname-slabel, -e

              This  option  specifies that the specified Subject Name is a single-label name, and
              hence should be terminated with two (rather than one) NULL labels.

       --max-label-size, -Z

              This option specifies the maximum Name label size. It defaults to 63.

       --code, -C

              This option specifies the ICMPv6 code. For ICMPv6 NI Query messages, if a specific
              Subject type is specified, the ICMPv6 code is automatically set to the
              corresponding value.

       --qtype, -q

              This option specifies the Qtype value of ICMPv6 NI messages. For ICMPv6 NI Reply
              messages, if a specific Data type is specified, the ICMPv6 Qtype is automatically
              set to the corresponding value.

       --flags, -X

              This option specifies the "Flags" field of the ICMPv6 NI messages.

              For ICMPv6 NI Query messages of Qtype 3 (Node IPv6 Addresses),  the  "Flags"  field
              defaults to "GSLCA". For ICMPv6 NI Query messages of Qtype 4 (Node IPv4 Addresses),
              the "Flags" field defaults to "A". For other ICMPv6 NI Query messages  it  defaults
              to   0.   For  ICMPv6  Reply  messages,  the  "Flags"  field  is  copied  from  the
              corresponding ICMPv6 NI Query message.

       --data-ipv6, -w

              This option specifies an IPv6 Address to  be  used  as  the  Data  of  ICMPv6  Node
              Information Reply messages.

       --data-ipv4, -W

              This  option  specifies  an  IPv4  Address  to  be  used as the Data of ICMPv6 Node
              Information Reply messages.

       --data-name, -a

              This option specifies a Name to be used as the  Data  of  ICMPv6  Node  Information
              Reply  messages.  By  default,  the  specified  name  is  considered to be a Fully-
              Qualified Domain Name (FQDN).   Please  consult  the  "--dname-slabel"  option  for
              instructions on how to specify "single-label" names.

       --data-fname, -A

              This  option instructs the ni6 tool to set the Data of the ICMPv6 NI Reply messages
              to a forged  name of the specified length.

              Note: The forged name is a sequence of labels of 'a' characters, with  the  maximum
              label size being specified by means of the "--max-label-size" option.

       --data-ename, -Q

              This option instructs the ni6 tool to set the Data of ICMPv6 NI Reply messages to a
              malformed label of the specified length. This option  is  useful  for  including  a
              malformed label that "spans past the end of the ICMPv6 NI Reply".

       --data-nloop, -O

              This  option  specifies that the Data field should be set to a Name that contains a
              DNS compression loop. The loop type is  specified  with  this  option,  with  valid
              values being in the range 0-2.

       --dname-slabel, -E

              This  option  specifies  that  the  specified Data Name is a single-label name, and
              hence should be terminated with two (rather than one) NULL labels.

       -j SRC_ADDR, --block-src SRC_ADDR

              This option sets a block filter for the  incoming  packets,  based  on  their  IPv6
              Source  Address.  It  allows  the  specification  of an IPv6 prefix in the form "-j
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is  selected  (i.e.,  the option assumes that a single IPv6 address, rather than an
              IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst DST_ADDR

              This option sets a block filter for the incoming packets,
              based  on  their  IPv6  Destination Address. It allows the specification of an IPv6
              prefix in the form "-k prefix/prefixlen". If the prefix length is not specified,  a
              prefix  length  of  "/128" is selected (i.e., the option assumes that a single IPv6
              address, rather than an IPv6 prefix, has been specified).

       -J SRC_ADDR, --block-link-src SRC_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Source Address. The option must be followed by a link-layer address (this option is
              only valid for Ethernet interfaces).

       -K DST_ADDR, --block-link-dst DST_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Destination  Address.  The  option  must  be followed by a link-layer address (this
              option is only valid for Ethernet interfaces).

       -b SRC_ADDR, --accept-src SRC_ADDR

              This option sets an accept filter for the incoming packets,  based  on  their  IPv6
              Source  Address.  It  allows  the  specification  of an IPv6 prefix in the form "-b
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is  selected  (i.e.,  the option assumes that a single IPv6 address, rather than an
              IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

              This option sets an accept filter for the incoming packets, based on their IPv6
              Destination  Address. It allows the specification of an IPv6 prefix in the form "-g
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is  selected  (i.e.,  the option assumes that a single IPv6 address, rather than an
              IPv6 prefix, has been specified).

       -B SRC_ADDR, --accept-link-src SRC_ADDR

              This option sets an accept filter for the incoming packets,
              based  on  their  link-layer  Source  Address.  The  option  must  be followed by a
              link-layer address (this option is only valid for Ethernet interfaces).

       -G DST_ADDR, --accept-link-dst DST_ADDR

              This option sets an  accept  filter  for  the  incoming  packets,  based  on  their
              link-layer Destination Address. The option must be followed by a link-layer address
              (this option is only valid for Ethernet interfaces).

       --forge-src-addr, -r

              This option instructs the ni6 tool to forge the IPv6 Source Address  of  ICMPv6  NI
              messages.  Note that when operating in listening mode, unless this option is set,
              ni6 will not impersonate other nodes.

       --forge-link-src-addr, -R

              This option instructs the ni6 tool to forge the link-layer Source Address of ICMPv6
              NI messages.

              Note:  Some  interface  cards (or their corresponding drivers) may silently discard
              packets that contain a forged link-layer Source Address.

       --loop, -l

              This option instructs the ni6 tool to send periodic ICMPv6 Node Information Query
              messages to the victim node. The amount of time to pause between sending messages
              can be specified by means of the "-z" option, and defaults to 1 second. Note that
              this option cannot be set in conjunction with the "-L" ("--listen") option.

       --sleep, -z

              This  option  specifies  the  amount  of  time to pause between sending ICMPv6 Node
              Information Query messages (when the "--loop" option is set). If left  unspecified,
              it defaults to 1 second.

       --listen, -L

              This  instructs the ni6 tool to operate in listening mode (possibly after attacking
              a specified target). Note that this option cannot be used in conjunction  with  the
              "-l" ("--loop") option.

       --verbose, -v

              This  option  instructs  the ni6 tool to be verbose.  When the option is set twice,
              the tool is "very verbose", and the tool  also  informs  which  packets  have  been
              discarded as a result of applying the specified filters.

       --help, -h

              Print help information for the ni6 tool.
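
       The name-related options above ("--subject-ename", "--data-ename", the "nloop" options and
       the forged-name options) exercise a receiver's name parser. The following is an added
       example, not part of ni6 or the IPv6 Toolkit, of the checks such a parser needs. It
       assumes RFC 1035 wire-format names with compression offsets counted from the start of the
       buffer; decode_name, classify and MalformedName are hypothetical names and the sample
       byte strings are constructed.

```python
"""Bounds- and loop-checked decoder for a DNS wire-format name (added example)."""

MAX_NAME = 255  # RFC 1035 limit on the total length of a name, in octets


class MalformedName(ValueError):
    pass


def decode_name(buf: bytes, off: int = 0) -> list[bytes]:
    """Return the labels of the name starting at buf[off], or raise MalformedName."""
    labels, seen_ptrs, total = [], set(), 0
    while True:
        if off >= len(buf):
            raise MalformedName("name runs past end of message")
        length = buf[off]
        if length == 0:                      # zero-length label ends the name
            return labels
        if length & 0xC0 == 0xC0:            # two-octet compression pointer
            if off + 1 >= len(buf):
                raise MalformedName("truncated compression pointer")
            if off in seen_ptrs:             # same pointer followed twice: a loop
                raise MalformedName("compression loop")
            seen_ptrs.add(off)
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        if length & 0xC0:                    # 0x40 / 0x80 label types are reserved
            raise MalformedName("reserved label type")
        end = off + 1 + length               # plain label: length is at most 63
        if end > len(buf):
            raise MalformedName("label spans past end of message")
        total += 1 + length
        if total > MAX_NAME:
            raise MalformedName("name longer than 255 octets")
        labels.append(buf[off + 1:end])
        off = end


def classify(buf: bytes) -> str:
    """One-line verdict suitable for logging next to a captured NI message."""
    try:
        labels = decode_name(buf)
    except MalformedName as exc:
        return "malformed: " + str(exc)
    return "ok: " + ".".join(l.decode("ascii", "replace") for l in labels)


# Constructed sample inputs (not captured traffic).
GOOD = b"\x04host\x07example\x00"
OVERRUN = b"\x04host\x20abc"                 # label claims 32 octets, 3 present
SELF_LOOP = b"\xc0\x00"                      # pointer to itself
LABEL_LOOP = b"\x01a\xc0\x00"                # label, then pointer back to it
LONG = (b"\x3f" + b"a" * 63) * 5 + b"\x00"   # 'a' labels, 320 octets in total

if __name__ == "__main__":
    for sample in (GOOD, OVERRUN, SELF_LOOP, LABEL_LOOP, LONG):
        print(classify(sample))
```
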

EXAMPLES

       The following sections illustrate typical use cases of the ni6 tool.

       Example #1

       # ni6 -i eth0 --subject-ipv6 ff02::1 -d ff02::1 -q 2 -v

       Send an ICMPv6 Node Information Query to the multicast address ff02::1 ("-d" option), with
       a Subject IPv6 Address of "ff02::1" ("--subject-ipv6" option),  querying  for  Node  names
       ("-q" option). Be verbose.

       Example #2

       # ni6 -i eth0 --data-fname 1000 -L --forge-src-addr -v

       Listen  to  incoming  ICMPv6  Node Information Query messages querying for node names, and
       respond with ICMPv6 NI Reply messages that contain a forged name of 700 bytes.  Forge  the
       IPv6 Source Address of the packets. Be verbose.

AUTHOR

       The  ni6  tool  and  the  corresponding  manual  pages  were  produced  by  Fernando  Gont
       <fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.

COPYRIGHT

       Copyright (c) 2011-2013 Fernando Gont.

       Permission is granted to copy, distribute and/or modify this document under the  terms  of
       the GNU Free Documentation License, Version 1.3 or any later version published by the Free
       Software Foundation; with no Invariant Sections, no Front-Cover Texts, and  no  Back-Cover
       Texts.  A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.

                                                                                           NI6(1)