Provided by: thc-ipv6_2.5-3_amd64 bug


       The Hacker Choice's IPv6 Attack Toolkit (aka thc-ipv6)


       tool [options] ...

              This  manual  page  briefly  documents  each  of the attack-toolkit6 tools. Not all
              options are listed here, to see the full list of options of each tool please invoke
              them with -h.

              Note  that  on  Debian (if you read this on Debian) command names are prefixed with
              atk6- , so for example the tool alive6 should be invoked as atk6-alive6.  This is a
              Debian-only modification.

       address6 <mac-address/ipv4-address/ipv6-address> [ipv6-prefix]
              Converts a mac or ipv4 address to an ipv6 address (link local if no prefix is given
              as 2nd option) or, when given an ipv6 address, prints  the  mac  or  ipv4  address.
              Prints  all  possible  variations. Returns -1 on errors or the number of variations

       alive6 <interface> [unicast-or-multicast-address [remote-router]]
              Shows alive addresses in the segment. If you specify a remote router,  the  packets
              are sent with a routing header prefixed by fragmentation.

       covert_send6 <interface> <target> <file> [port]
              Sends the content of FILE covertly to the target.

       covert_send6d <interface> <file>
              Writes received covertly content to FILE.

       denial6 <interface> <destination> <test-case-number>
              Performs various denial of service attacks on a target.

       detect_sniffer6 <interface> [target-ip]
              Tests  if systems on the local LAN are sniffing. Works against Windows, Linux, OS/X
              and *BSD systems.

       dnssecwalk [-e46] <dns-server> <domain>
              Performs DNSSEC NSEC walking.

       dos_mld <interface>
              This tools prevents new ipv6 interfaces to come up, by sending answers to duplicate
              ip6 checks (DAD). This results in a DOS for new ipv6 devices.

       dos-new-ip6 <interface>
              This tools prevents new ipv6 interfaces to come up, by sending answers to duplicate
              ip6 checks (DAD). This results in a DOS for new ipv6 devices.

       detect-new-ip6 <interface> [scriptname]
              This tools detects new ipv6 addresses joining the local network.  If scriptname  is
              supplied, it is executed with the detected IPv6 address as option.

       dnsdict6 [-t THREADS] <domain> [dictionary-file]
              Enumerates  a  domain  for  DNS entries, it uses a dictionary file if supplied or a
              built-in list otherwise.

       dnsrevenum6 <dns-server> <ipv6-address>
              Performs a fast reverse DNS enumeration.

       dump_router6 <interface>
              Dumps all local routers and their information.

       dump_dhcp6 <interface>
              Dumps all DHCPv6 servers and their information

       exploit6 <interface> <destination> [test-case-number]
              Performs exploits of various CVE known IPv6 vulnerabilities on the destination.

       extract_hosts6 <file>
              Prints the host parts of ipv6 addresses in file.

       extract_networks6 <interface>
              Prints the networks found in file.

       fake_advertise6 <interface> <ip-address> [target-address [own-mac-address]]
              Advertise ipv6 address on the network (with own mac if not defined) sending  it  to
              the all-nodes multicast address if no target specified.

       fake_dhcps6 <interface> <network-address/prefix-length> <dns-server>
              Fake DHCPv6 server. Used to configure an address and set a DNS server.

       fake_dns6d <interface> <ipv6-address>
              Fake DNS server that serves the same IPv6 address to any lookup request.

       fake_dnsupdate6 <dns-server> <fqdn> <ipv6-address>
              Send false DNS update requests.

       fake_mipv6 <interface> <home-address> <home-agent-address> <care-of-address>
              If  the  mobile  IPv6  home-agent is mis-configured to accept MIPV6 updates without
              IPSEC, this will redirect all packets for home-address to care-of-address.

       fake_mld6 <interface> <multicast-address>  [[target-address]  [[ttl]  [[own-ip]  [own-mac-
              Advertise yourself in a multicast group of your choice.

       fake_mld26  [-l]  <interface>  <add|delete|query>  [multicast-address [target-address [ttl
       [own-ip [own-mac-address [destination-mac-address]]]]]]
              This uses the MLDv2 protocol. Only a subset of what the protocol is able to  do  is
              possible to implement via a command line.

       fake_mldrouter6   [-l]   <interface>  <advertise|solicitate|terminate>  [own-ip  [own-mac-
              Announce, delete or solicitate MLD router - yourself or others.

       fake_pim6 [-t ttl] [-s src6] [-d  dst6]  <interface>  {<hello>  [dr_priority]|{join|prune}
       <neighbor6> <multicast6> <target6>}
              The hello command takes optionally the DR priority (default: 0).

       fake_router6 <interface> <router-ip-link-local
              network-address/prefix-length>  <mtu>  [mac-address]  Announce yourself as a router
              and try to become the default router.  If a non-existing mac-address  is  supplied,
              this results in a DOS.

       fake_router26 <interface>
              Like fake_router6 with more options available.

       fake_solicitate6 <interface> <solicited-ip>
              Solicits  IPv6  address  on  the  network,  sending  it  to the all-nodes multicast

       firewall6 [-u] <interface> <destination> <port> [test-case-no]
              Performs various ACL bypass attempts to check  implementations.   Defaults  to  TCP
              ports,  option  -u switches to UDP.  For all test cases to work, ICMPv6 ping to the
              destination must be allowed.

       flood_advertise6 <interface>
              Flood the local network with neighbor advertisements.

       flood_dhcpc6 <interface> [domain-name]
              DHCP client flooder. Use to deplete the IP address pool a DHCP6 server is offering.
              Note: if the pool is very large, this is rather senseless.

       flood_mld6 <interface>
              Flood the local network with MLD reports.

       flood_mld26 <interface>
              Flood the local network with MLDv2 reports.

       flood_mldrouter6 <interface>
              Flood the local network with MLD router advertisements.

       flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]]
              Flood a target with ICMPv6 redirects

       flood_router6 <interface>
              Flood the local network with router advertisements.

       flood_router26 <interface>
              Similar to flood_router6 but with more options available.

       flood_rs6 [-sS] interface [target]
              Flood a network with ICMPv6 router solicitation messages

       flood_solicitate6 <interface> [target-ip]
              Flood the network with neighbor solicitations.

       four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src ipv4-dst [port]
              Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over IPv6 networks)

       fragmentation6 <interface> <target-ip>
              Performs fragment firewall and implementation checks, including denial-of-service.

       fuzz_dhcps6  [-x]  [-t  number  | -T number] [-p number] [-IFSDHRJ] [-1|-2|-3|-4|-5|-6|-7]
       <interface> <unicast-or-multicast-address> [address-in-data-pkt]
              Fuzzes an icmp6 packet.

       fuzz_dhcps6  [-t  number  |  -T  number]  [-e  number  |  -T  number]  [-p  number]  [-md]
       [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]
              Fuzzes  a  DHCPv6  server on specified packet types.  fuzz_ip6 [-x] [-t number | -T
              number] [-p  number]  [-IFSDHRJ]  [-1|-2|-3|-4|-5|-6|-7]  <interface>  <unicast-or-
              multicast-address> [address-in-data-pkt] Fuzzes an icmp6 packet.

       implementation6 <interface> <destination> [test-case-number]
              Performs some ipv6 implementation checks, can be used to test firewalls too.

       implementation6d <interface>
              Identifies  test  packets by the implementation6 tool, useful to check what packets
              passed a firewall.

       inject_alive6 [-ap] <interface>
              This tool answers to keep-alive requests on PPPoE and  6in4  tunnels;  for  PPPoE0t
              also  sends  keep-alive  requests.   Note that the appropriate environment variable
              THC_IPV6_{PPPOE|6IN4} must be set.  Option -a will  actively  send  alive  requests
              every 15 seconds.  Option -p will not send replies to alive requests.

       inverse_lookup6 <interface> <mac-address>
              Performs an inverse address query, to get the IPv6 addresses that are assigned to a
              MAC address. Note that only few systems support this yet.

       kill_router6 <interface> <target-ip>
              Announce that target router is going down to delete it from the routing tables.  If
              you  supply  a  '*'  as  target-ip,  this  tool  will sniff the network for RAs and
              immediately send the kill packet.

       ndpexhaust26 <interface> [-acpPTUrR] [-s sourceip6] <target-network>
              Flood the target /64 network with ICMPv6 TooBig error messages.  This tool  version
              is  manyfold more effective than ndpexhaust6.  -a      add a hop-by-hop header with
              router alert.  -c      do not calculate the checksum to save  time.   -p       send
              ICMPv6  Echo  Requests.  -P      send ICMPv6 Echo Reply.  -T      send ICMPv6 Time-
              to-live-exceeded.  -U      send ICMPv6 Unreachable (no route).   -r       randomize
              the source from your /64 prefix.  -R      randomize the source fully.  -s sourceip6
              use this as source ipv6 address.

       ndpexhaust6 <interface> <target-network>
              Randomly pings IPs in target network.

       node_query6 <interface> <target-ip>
              Sends an ICMPv6 node query request to the target and dumps the replies.

       parasite6 <interface> [fake-mac]
              This is an "ARP spoofer" for IPv6, redirecting all local traffic to your own system
              (or  nirvana  if  fake-mac  does  not  exist)  by  answering  falsely  to  Neighbor
              Solicitation requests, specifying FAKE-MAC results in a local DOS.

       passive_discovery6 <interface> [scriptname]
              Passively sniffs the network and dump all  client's  IPv6  addresses  detected.  If
              scriptname  is  supplied,  it is called with the detected IPv6 address as first and
              the interface as second parameters.

       randicmp6 <interface> <target-ip>
              Sends all ICMPv6 type and code combinations to target.

       redir6 <interface> <src-ip> <target-ip> <original-router> <new-router> [new-router-mac]
              Implant a route into src-ip, which redirects all traffic to  target-ip  to  new-ip.
              You  must know the router which would handle the route.  If the new-router-mac does
              not exist, this results in a DOS.

       redirsniff6 <interface> <victim-ip> <destination-ip> <original-router> [<new-router> [new-
              Implant  a  route  into victim-ip, which redirects all traffic to destination-ip to
              new-router. You must know the router which would handle the  route.   If  the  new-
              router and new-router-mac does not exist, this results in a DoS.

       rsmurf6 <interface> <victim-ip>
              Smurfs  the  local  network  of the victim. Note: this depends on an implementation
              error, currently only  verified  on  Linux  (fixed  in  current  versions).   Evil:
              "ff02::1" as victim will DOS your local LAN completely.

       smurf6 <interface> <victim-ip> [multicast-network-address]
              Smurf the target with ICMPv6 echo replies. Target of echo request is the local all-
              nodes multicast address if not specified.

       sendpees6 <interface> <key_length> <prefix> <victim-ip>
              Send SEND neighbor solicitation messages and make target to verify a lota  CGA  and
              RSA signatures.

       sendpeesmp6 <interface> <key_length> <prefix> <victim-ip>
              Multithreaded version of sendpees6.

       trace6 [-d] <interface> targetaddress [port]
              A basic but very fast traceroute6 program.

       thcping6 <interface> <src6> <dst6> <srcmac> <dstmac> <data>
              Craft your special ICMPv6 echo request packet.

       thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] <interface> <target> <port>
              Flood  the  target  port  with  TCP-SYN  packets.  If you supply "x" as port, it is

       toobig6 <interface> <target-ip> <existing-ip> <mtu>
              Implants the specified mtu on the target


       nmap(1), amap(1), dsniff(8).


       thc-ipv6 was written by van Hauser <> / THC

       The homepage for this toolkit is:

       This manual page was written by Maykel Moya <> and Arturo Borrero  Gonzalez
       <>,  for the Debian project (but may be used by others). It's
       based on previous work by Michael Gebetsroither <>.