Provided by: ipv6toolkit_2.0+ds.1-2build2_amd64 bug

NAME

       icmp6 - A security assessment tool for attack vectors based on ICMPv6 packets

SYNOPSIS

       icmp6  [-i  INTERFACE]  [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-S LINK_SRC_ADDR] [-D LINK-DST-
       ADDR] [-c HOP_LIMIT] [-y FRAG_SIZE]  [-u  DST_OPT_HDR_SIZE]  [-U  DST_OPT_U_HDR_SIZE]  [-H
       HBH_OPT_HDR_SIZE]  [-t  TYPE[:CODE]  | -e CODE | -A CODE -V CODE -R CODE] [-r TARGET_ADDR]
       [-x PEER_ADDR] [-c HOP_LIMIT] [-m MTU] [-O POINTER] [-p  PAYLOAD_TYPE]  [-P  PAYLOAD_SIZE]
       [-n] [-a SRC_PORTL[:SRC_PORTH]] [-o DST_PORTL[:DST_PORTH]] [-X TCP_FLAGS] [-q TCP_SEQ] [-Q
       TCP_ACK] [-V TCP_URP] [-w TCP_WIN] [-M] [-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J LINK_ADDR]
       [-K  LINK_ADDR] [-b PREFIX[/LEN]] [-g PREFIX[/LEN]] [-B LINK_ADDR] [-G LINK_ADDR] [-f] [-L
       | -l] [-z] [-v] [-h]

DESCRIPTION

       icmp6 allows the assessment of IPv6 implementations with respect to a  variety  of  attack
       vectors  based  on  ICMPv6 error messages. It is part of the SI6 Networks' IPv6 Toolkit: a
       security assessment suite for the IPv6 Protocols.

       This tool has two modes of operation: "active" and "listening". In active mode,  the  tool
       attacks  a specific target without listening to any incoming traffic, while in "listening"
       mode the tool listens to traffic on the local network, and launches an attack in  response
       to  such  traffic.  Active  mode  is employed if an IPv6 Destination Address is specified.
       "Listening" mode is employed if the "-L" option (or its long  counterpart  "--listen")  is
       set.  If  both  an attack target and the "-L" option are specified, the attack is launched
       against the specified target, and  then  the  tool  enters  "listening"  mode  to  respond
       incoming packets with ICMPv6 error messages.

       The  tool supports filtering of incoming packets based on the Ethernet Source Address, the
       Ethernet Destination Address, the IPv6 Source Address, and the IPv6  Destination  Address.
       There  are  two  types  of  filters:  "block  filters" and "accept filters". If any "block
       filter" is specified, and the incoming packet matches any of those filters, the message is
       discarded (and thus no ICMPv6 error messages are sent in response). If any "accept filter"
       is specified, incoming packets must match the specified filters in order for the  tool  to
       respond with ICMPv6 error messages.

OPTIONS

       icmp6  takes  its parameters as command-line options. Each of the options can be specified
       with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
       a long name (a string preceded with two hyphen characters, as e.g. "--interface").

       The  icmp6  tool  supports IPv6 fragmentation, which might be of use to circumvent layer-2
       filtering and/or Network Intrusion Detection Systems (NIDS). However,  IPv6  fragmentation
       is not enabled by default, and must be explicitly enabled with the "-y" option.

       -i INTERFACE, --interface INTERFACE
              This  option  specifies  the  network  interface  that  the  tool  will use. If the
              destination address ("-d" option) is  a  link-local  address,  or  the  "listening"
              ("-L")  mode is selected, the interface must be explicitly specified. The interface
              may also be specified along with a destination address, with the "-d" option.

       -s SRC_ADDR, --src-address SRC_ADDR

              This option specifies the IPv6 source address (or IPv6 prefix) to be used  for  the
              Source  Address of the attack packets. If a prefix is specified, the Source Address
              is randomly selected from that prefix. If this option is left unspecified, the IPv6
              Source Address of the attack packets is randomly selected from the prefix ::/0.

       -d DST_ADDR, --dst-address DST_ADDR

              This  option  specifies  the IPv6 Destination Address of the victim. It can be left
              unspecified only if the "-L" option is selected (that is, if the tool is to operate
              in "listening" mode).

              When  operating  in "listening" mode ("-L" option), the IPv6 Destination Address is
              selected according to the IPv6 Source Address of the incoming packet.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

              This option specifies the link-layer Source Address of the attack packets. If  left
              unspecified, the link-layer Source Address is randomized.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

              This  option specifies the link-layer Destination Address of the attack packets. If
              left  unspecified,  it  is  set  to  that  of  the  local  router  (for   non-local
              destinations) or to that corresponding to the destination host (for local hosts).

              When  operating  in  "listening" mode, the link-layer Destination Address is set to
              the link-layer Source Address of the incoming packet.

       -c HOP_LIMIT, --hop-limit HOP_LIMIT

              This option specifies the Hop Limit to be used for the Redirect messages.  If  this
              option  is  left unspecified, the Hop Limit is randomized to a value between 64 and
              243.

       -y SIZE, --frag-hdr SIZE

              This option specifies that the  ICMPv6  error  messages  must  be  fragmented.  The
              fragment size must be specified as an argument to this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

              This  option  specifies  that a Destination Options header is to be included in the
              outgoing packet(s). The extension header size must be specified as an  argument  to
              this  option  (the  header  is  filled  with padding options). Multiple Destination
              Options headers may be specified by means of multiple "-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

              This  option  specifies  a  Destination  Options  header  to  be  included  in  the
              "unfragmentable  part" of the outgoing packet(s). The header size must be specified
              as an argument to this option (the header is filled with padding options). Multiple
              Destination Options headers may be specified by means of multiple "-U" options.

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

              This  option  specifies  that  a Hop-by-Hop Options header is to be included in the
              outgoing packet(s). The header size must be specified as an argument to this option
              (the  header  is  filled with padding options). Multiple Hop-by-Hop Options headers
              may be specified by means of multiple "-H" options.

       -t TYPE, --icmp6 TYPE

              This option specifies the Type and Code of the ICMPv6 error  message  in  the  form
              "--icmp6  TYPE:CODE".  If  left  unspecified,  the ICMPv6 error message defaults to
              "Parameter Problem, Erroneous header field encountered" (Type 4, Code 0).

              Note: Other options (such as  "--icmp6-unreachable")  provide  an  alternative  for
              setting the ICMPv6 Type and Code.

       -e, --icmp6-dest-unreach

              This  option  sets the ICMPv6 Type to "1" (Destination Unreachable), and allows the
              user to specify the ICMPv6 Code, in the form "--icmp6-dest-unreach CODE".

              Note: this option is an alternative to the "-t" option for setting the ICMPv6  Type
              and Code.

       -E, --icmp6-packet-too-big

              This  option  sets  the  ICMPv6 Type to "1", and the ICMPv6 Code to "0" (Packet Too
              Big).

              Note: this option is an alternative to the "-t" option for setting the ICMPv6  Type
              and Code.

       -A, --icmp6-time-exceeded

              This  option  sets  the  ICMPv6 Type to "3" (Time Exceeded), and allows the user to
              specify the ICMPv6 Code, in the form "--icmp6-time-exceeded CODE".

              Note: this option is an alternative to the "-t" option for setting the ICMPv6  Type
              and Code.

       -R, --icmp6-param-problem

              This option sets the ICMPv6 Type to "4" (Parameter Problem), and allows the user to
              specify the ICMPv6 Code, in the form "--icmp6-param-problem CODE".

              Note: this option is an alternative to the "-t" option for setting the ICMPv6  Type
              and Code.

       -m MTU, --mtu MTU

              This  specifies  the  value  of  the  "MTU"  field  of  ICMPv6 Packet Too Big error
              messages.

       -O POINTER, --pointer POINTER

              This option specifies the value of the "Pointer" field of ICMPv6 Parameter  Problem
              error messages.

       -p TYPE, --payload-type TYPE

              This  option  specifies  the  payload  type  to  be included in the ICMPv6 Payload.
              Currently supported payloads  are  "TCP",  "UDP",  and  "ICMP6".  The  payload-type
              defaults to "TCP".

              When  the  tool  operates  in  "Listening"  mode, this option specifies the type of
              packets the tool will listen to. In listening  mode,  an  additional  type  can  be
              specified: "IP6"; this will cause the tool to listen to all IPv6 traffic.

       -P SIZE, --payload-size SIZE

              Size  of  the  payload  to be included in the ICMPv6 Payload (with the payload type
              being specified by the "-p" option). By default, as  many  bytes  as  possible  are
              included, without exceeding the minimum IPv6 MTU (1280 bytes).

       -n, --no-payload

              This  option  specifies  that no payload should be included within the ICMPv6 error
              message.

       -C HOP_LIMIT, --ipv6-hlim HOP_LIMIT

              This option specifies the Hop Limit of the IPv6 packet included in the  payload  of
              the  ICMPv6  error  message.  If  this option is left unspecified, the Hop Limit is
              randomized to a value between 64 and  243.

       -r ADDRESS, --target-addr ADDRESS

              This option specifies the Source Address of the IPv6 packet that is embedded in the
              ICMPv6  error  message.  If  left unspecified, it is set to the same address as the
              IPv6 Destination Address of the outer packet.

              When operating in "Listening mode", the tool automatically embeds a  piece  of  the
              received packet (unless otherwise specified by the "-n" option), and hence the IPv6
              Source Address of the embedded IPv6 packet is set accordingly.

       -x ADDRESS, --peer-addr ADDRESS

              This option specifies the Destination Address of the IPv6 packet that  is  embedded
              in the ICMPv6 error message. If left unspecified, it is set to a random value.

              When  operating  in  "Listening mode", the tool automatically embeds a piece of the
              received packet (unless otherwise specified by the "-n" option), and hence the IPv6
              Destination Address of the embedded IPv6 packet is set accordingly.

              Note:  since  the  victim  host  is expected to check that the ICMPv6 error message
              corresponds to an ongoing communication instance, when operating in "active  mode",
              this  option  should be set to a value that corresponds to an ongoing communication
              instance.

       -o PORT, --target-port PORT

              This option specifies the Source Port of the TCP or UDP  packet  contained  in  the
              ICMPv6  Payload. If a port range is specified in the form "-o LOWPORT:HIGHPORT" the
              tool will send one ICMPv6 error message for each port in that range.

              Note: This option is meaningful only if "TCP" or "UDP" have  been  specified  (with
              the "-p" option).

       -a PORT, --peer-port PORT

              This  option  specifies  the Destination Port of the TCP or UDP packet contained in
              the ICMPv6 Payload. If a port range is specified in the form "-o  LOWPORT:HIGHPORT"
              the tool will send one ICMPv6 error message for each port in that range.

              Note:  This  option  is meaningful only if "TCP" or "UDP" have been specified (with
              the "-p" option).

       -X TCP_FLAGS, --tcp-flags TCP_FLAGS

              This option specifies the flags of the TCP header contained in the ICMPv6  Payload.
              The  flags  are specified as "F" (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK),
              "U" (URG), "X" (no flags). If left unspecified, only the "ACK" bit is set.

              Note: This option is meaningful only if "TCP" has been  specified  (with  the  "-p"
              option).

       -q SEQ_NUMBER, --tcp-seq SEQ_NUMBER

              This option specifies the Sequence Number of the TCP header contained in the ICMPv6
              Payload. If left unspecified, the Sequence Number is randomized.

              Note: This option is meaningful only if "TCP" has been  specified  (with  the  "-p"
              option).

       -Q ACK_NUMBER, --tcp-ack ACK_NUMBER

              This  option specifies the Acknowledgment Number of the TCP header contained in the
              ICMPv6  Payload. If left unspecified, the Acknowledgment Number is randomized.

              Note: This option is meaningful only if "TCP" has been  specified  (with  the  "-p"
              option).

       -V URG_POINTER, --tcp-urg URG_POINTER

              This  option specifies the Urgent Pointer of the TCP header contained in the ICMPv6
              Payload. If left unspecified, the Urgent Pointer is set to 0.

              Note: This option is meaningful only if "TCP" has been  specified  (with  the  "-p"
              option).

       -w TCP_WIN, --tcp-win TCP_WIN

              This option specifies the Window of the TCP header contained in the ICMPv6 Payload.
              If left unspecified, the Window is randomized.

              Note: This option is meaningful only if "TCP" has been  specified  (with  the  "-p"
              option).

       -j SRC_ADDR, --block-src SRC_ADDR

              This  option  sets  a  block  filter  for the incoming packets, based on their IPv6
              Source Address. It allows the specification of an  IPv6  prefix  in  the  form  "-j
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst DST_ADDR

              This  option  sets  a block filter for the incoming Neighbor Solicitation messages,
              based on their IPv6 Destination Address. It allows the  specification  of  an  IPv6
              prefix  in the form "-k prefix/prefixlen". If the prefix length is not specified, a
              prefix length of "/128" is selected (i.e., the option assumes that  a  single  IPv6
              address, rather than an IPv6 prefix, has been specified).

       -J SRC_ADDR, --block-link-src SRC_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Source Address. The option must be followed by  a  link-layer  address  (currently,
              only Ethernet is supported).

       -K DST_ADDR, --block-link-dst DST_ADDR

              This option sets a block filter for the incoming packets, based on their link-layer
              Destination  Address.  The  option  must  be  followed  by  a  link-layer   address
              (currently, only Ethernet is supported).

       -b SRC_ADDR, --accept-src SRC_ADDR

              This  option  sets  an  accept filter for the incoming packets, based on their IPv6
              Source Address. It allows the specification of an  IPv6  prefix  in  the  form  "-b
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

              This  option  sets  a  accept  filter for the incoming packets, based on their IPv6
              Destination Address. It allows the specification of an IPv6 prefix in the form  "-g
              prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
              is selected (i.e., the option assumes that a single IPv6 address,  rather  than  an
              IPv6 prefix, has been specified).

       -B SRC_ADDR, --accept-link-src SRC_ADDR

              This  option sets an accept filter for the incoming Neighbor Solicitation messages,
              based on their link-layer  Source  Address.  The  option  must  be  followed  by  a
              link-layer address (currently, only Ethernet is supported).

       -G DST_ADDR, --accept-link-dst DST_ADDR

              This  option  sets  an  accept  filter  for  the  incoming  packets, based on their
              link-layer Destination Address. The option must be followed by a link-layer address
              (currently, only Ethernet is supported).

       -f, --sanity-filters

              This  option automatically adds a "block filter" for the IPv6 Source Address of the
              packets.

              Note: This option may be desirable when the tool operates in "Listening  mode"  and
              is  instructed to listen to "ICMP6" or "IP6" packets (thus possibly avoiding packet
              loops).

       -l, --loop

              This option instructs the icmp6 tool to send periodic ICMPv6 error messages to  the
              victim  node. The amount of time to pause between sending ICMPv6 error messages can
              be specified by means of the "-z" option, and defaults to 1 second. Note that  this
              option cannot be set in conjunction with the "-L" ("--listen") option.

       -z, --sleep

              This  option  specifies  the  amount  of time to pause between sending ICMPv6 error
              messages (when the "--loop" option is set). If left unspecified, it defaults  to  1
              second.

       -L, --listen

              This  instructs  the  icmp6  tool  to  operate  in "Listening" mode (possibly after
              attacking a given node). Note that this option cannot be used in  conjunction  with
              the "-l" ("--loop") option.

       -v, --verbose

              This  option instructs the icmp6 tool to be verbose.  When the option is set twice,
              the tool is "very verbose", and the tool  also  informs  which  packets  have  been
              accepted or discarded as a result of applying the specified filters.

       -h, --help

              Print help information for the icmp6 tool.

EXAMPLES

       The following sections illustrate typical use cases of the icmp6 tool.

       Example #1

       # icmp6 -i eth0 -L -p TCP -v

       The  tool  employs  the  network  interface "eth0", and operates in "Listening" mode ("-L"
       option). Each ICMPv6 error message will contain the ICMPv6 Payload as many bytes from  the
       captured  packet  without exceeding the minimum IPv6 MTU (1280 bytes). The tool will print
       detailed information about the attack ("-v" option).

       Example #2

       # icmp6 --icmp6-packet-too-big -p ICMP6 -d 2001:db8:10::1  --peer-addr  2001:db8:11::2  -m
       1240 -v

       The  tool  will send an ICMPv6 Packet Too Big error message that advertises an MTU of 1240
       bytes. The ICMPv6 error message will be sent to the address " "2001:db8:10::1". The ICMPv6
       error  message  will  embed  an ICMPv6 Echo Request message with the Source Address set to
       "2001:db8:10::1" (i.e., Destination Address of the error  message),  and  the  Destination
       Address  set to "2001:db8:11::2) ("--peer-addr" option). The value of the "Identifier" and
       "Sequence Number" fields of the embedded ICMPv6 Echo Request message will  be  randomized.
       The tool will provide detailed information about the attack ("-v" option).

SEE ALSO

       RFC   5927   (available   at  <http://www.rfc-editor.org/rfc/rfc5927.txt>)  and  "Security
       Assessment   of   the    Transmission    Control    Protocol    (TCP)"    (available    at
       <http://www.si6networks.com/publications/tn-03-09-security-assessment-TCP.pdf>)    for   a
       discussion of ICMPv6 attacks against TCP.

AUTHOR

       The icmp6 tool  and  the  corresponding  manual  pages  were  produced  by  Fernando  Gont
       <fgont@si6networks.com> for SI6 Networks.

COPYRIGHT

       Copyright (c) 2011-2013 Fernando Gont.

       Permission  is  granted to copy, distribute and/or modify this document under the terms of
       the GNU Free Documentation License, Version 1.3 or any later version published by the Free
       Software  Foundation;  with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts.  A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.

                                                                                         ICMP6(1)