Latest Change 10/11/2015: more helper bash scripts:
– dnsrevenum6.sh: scans the reverse DNS entries of the /48 of the IPv6 address on the responsible DNS server. If there are DNS SOA problems and the prefix length is not 48, you can specify the prefix length as an extra option on the command line.
– create_network_map.sh: creates a GV file for use with Graphviz to draw a network topology map; file1 must have exactly one entry per line.
– dnssecwalk.sh: tries dnssecwalk against each nameserver until one works, or against all of them if -a is given as an option.
– trace62list.sh: prepares a trace6 output file for the network topology map generation tool.
– axfr.sh: performs an AXFR zone transfer; the data is saved to $domain-$ns.zone.
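What dnsrevenum6.sh does conceptually is a nibble walk of the ip6.arpa tree below the /48, pruning every sub-label the authoritative server answers NXDOMAIN for. The following is an added illustration of that walk in Python; it is not the toolkit's script. The DNS side is abstracted behind a resolver callable so the logic runs offline, and the FakeAuthoritative class and the sample addresses in 2001:db8:1::/48 are constructed for the demonstration. It also shows why the prefix length has to be nibble aligned: a /45 has no single reverse zone, which is the case where the script needs the length given explicitly.

```python
"""Reverse-DNS (ip6.arpa) nibble walk for an IPv6 prefix.

Added example, not part of thc-ipv6. Lookups go through `exists(name)`,
which must return True whenever the authoritative server returns anything
other than NXDOMAIN for `name` (in practice an ANY or PTR query).
"""
import ipaddress
from typing import Callable, Iterable, Iterator, List

IP6_ARPA = "ip6.arpa"


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone for a nibble-aligned prefix.

    2001:db8:1::/48 -> "1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
    Raises ValueError for prefix lengths that are not multiples of 4,
    because such prefixes do not map onto one reverse zone.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError(f"prefix length {net.prefixlen} is not nibble aligned")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    keep = net.prefixlen // 4
    return ".".join(reversed(nibbles[:keep])) + "." + IP6_ARPA


def zone_to_address(name: str) -> str:
    """Turn a full 32-nibble ip6.arpa name back into a compressed address."""
    labels = name[: -len(IP6_ARPA) - 1].split(".")
    if len(labels) != 32:
        raise ValueError("not a full-length ip6.arpa name")
    return str(ipaddress.IPv6Address(int("".join(reversed(labels)), 16)))


def walk_reverse(zone: str, exists: Callable[[str], bool]) -> Iterator[str]:
    """Depth-first walk below `zone`, yielding the full names that resolve.

    Sub-trees the server does not know are skipped, so a /48 with a few
    PTR records costs a few hundred queries instead of 16**20.
    """
    stack = [zone]
    while stack:
        cur = stack.pop()
        if not exists(cur):
            continue
        if cur.count(".") - 1 == 32:      # 32 nibble labels + "ip6" + "arpa"
            yield cur
            continue
        for n in reversed("0123456789abcdef"):  # reversed: pop() yields 0 first
            stack.append(f"{n}.{cur}")


def enumerate_prefix(prefix: str, exists: Callable[[str], bool]) -> List[str]:
    """All addresses with a reverse entry under `prefix`, in numeric order."""
    found = {ipaddress.IPv6Address(zone_to_address(n))
             for n in walk_reverse(reverse_zone(prefix), exists)}
    return [str(a) for a in sorted(found)]


class FakeAuthoritative:
    """Constructed stand-in for the responsible DNS server (not a resolver).

    A name "exists" when it is the reverse name of a listed address or an
    ancestor of one. Counts queries so the pruning effect is visible.
    """

    def __init__(self, addresses: Iterable[str]) -> None:
        self.full = {ipaddress.IPv6Address(a).reverse_pointer for a in addresses}
        self.queries = 0

    def __call__(self, name: str) -> bool:
        self.queries += 1
        return any(f == name or f.endswith("." + name) for f in self.full)


if __name__ == "__main__":
    # constructed sample: three hosts with PTR records inside 2001:db8:1::/48
    server = FakeAuthoritative({"2001:db8:1::1", "2001:db8:1:2::53",
                                "2001:db8:1:ffff::beef"})
    print(enumerate_prefix("2001:db8:1::/48", server), server.queries)
```

Against a real server, `exists` would wrap a query to the nameserver that holds the reverse zone; the walk itself is unchanged.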
NOTE: More tools exist, but they are only handed out to specific people who develop IPv6 security/pentest tools themselves or who support the thc-ipv6 toolkit development. If this matches *you*, send me an email to vh (at) thc (dot) org with “thc-ipv6 antispam” in the subject line.
* TCP Fast Open support (22/06/2015)
– option -X removes the router entry from the targets on exit (patch from Dan Luedtke, thanks)
– Fix: the source MAC was always null bytes when no evasion was used; thanks to Christopher Werny for reporting
– option -m generates maximum-size packets
– fixed route option parsing
– added -O TCP Fast Open cookie request option
– added -O TCP Fast Open fake cookie sending option
– now prints the known path MTU to the destination upon successful connect
* Renamed dos_mld.sh to dos_mld6.sh and local_discovery.sh to local_discovery6.sh
This code was inspired when I got in touch with IPv6, learned more and more about it, and then found no tools to play (read: “hack”) around with. First I tried to implement things with libnet, but found out that its IPv6 implementation is only partial, and sucks. I tried to add the missing code, but that was not so easy, so I saved my time and quickly wrote my own library.
This code currently only runs on:
– Linux 2.6.x or newer (because of /proc usage)
For all Linux users this means it will work for 98% of your use cases.
Patches are welcome! (Add “antispam” in the subject line to get through my anti-spam protection, otherwise the email will bounce.)
The THC IPV6 ATTACK TOOLKIT already comes with lots of effective attacking tools:
– parasite6: ICMPv6 neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP MITM (and parasite)
– alive6: an effective alive scanner, which will detect all systems listening to this address
– dnsdict6: parallelized DNS IPv6 dictionary bruteforcer
– fake_router6: announce yourself as a router on the network, with the highest priority
– redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever ICMPv6 redirect spoofer
– toobig6: MTU decreaser with the same intelligence as redir6
– detect-new-ip6: detect new IPv6 devices which join the network; you can run a script to automatically scan these systems etc.
– dos-new-ip6: detect new IPv6 devices and tell them that their chosen IP collides on the network (DoS)
– trace6: very fast traceroute6 which supports ICMPv6 echo request and TCP SYN
– flood_router6: flood a target with random router advertisements
– flood_advertise6: flood a target with random neighbor advertisements
– fuzz_ip6: fuzzer for IPv6
– implementation6: performs various implementation checks on IPv6
– implementation6d: listen daemon for implementation6 to check behind a firewall
– fake_mld6: announce yourself in a multicast group of your choice on the net
– fake_mld26: same but for MLDv2
– fake_mldrouter6: fake MLD router messages
– fake_mipv6: steal a mobile IP to yours if IPsec is not needed for authentication
– fake_advertiser6: announce yourself on the network
– smurf6: local smurfer
– rsmurf6: remote smurfer, known to work only against Linux at the moment
– exploit6: known IPv6 vulnerabilities to test against a target
– denial6: a collection of denial-of-service tests against a target
– thcping6: sends a hand-crafted ping6 packet
– sendpees6: a tool by email@example.com, which generates neighbor solicitation requests with a lot of CGAs (crypto stuff 😉) to keep the CPU busy. nice.
and about 25 more tools for you to discover 🙂
Just run the tools without options and they will give you help and show the command line options.
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier. The tools either use a fixed packet signature, or generically sniff for packets and answer them (e.g. they therefore also answer ICMPv6 neighbor solicitations which are sent for a non-existing address/MAC, and are therefore very easy to detect).
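The detection idea in the previous paragraph is a canary: solicit an address that no host on the link owns, and whoever answers is a sniff-and-reply spoofer such as parasite6. The following is an added example, not part of thc-ipv6 or any IDS, of that check over captured neighbor discovery traffic. It works on pre-parsed NS/NA records (the Nd dataclass and the sample capture are constructed here; feeding it from a live capture is left to the reader) and goes one step beyond the text with a second, added heuristic: a single MAC advertising many different targets within a short window, which a real host never does because it only advertises its own addresses.

```python
"""Flag parasite6-style neighbor-advertisement spoofers from ICMPv6 ND records.

Added example, not part of thc-ipv6. Input records are constructed; a live
deployment would fill them from a packet capture.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Nd:
    ts: float       # capture timestamp in seconds
    kind: str       # "NS" (solicitation) or "NA" (advertisement)
    target: str     # IPv6 address being solicited / advertised
    src_mac: str    # link-layer source of the frame


# Addresses the detector solicits itself; no legitimate host owns them.
CANARIES: Set[str] = {"2001:db8::dead:beef:1", "2001:db8::dead:beef:2"}


def find_spoofers(records: Iterable[Nd], canaries: Set[str],
                  window: float = 2.0, max_targets: int = 3) -> Dict[str, List[str]]:
    """Return {src_mac: [reasons]} for every sender that behaves like parasite6.

    Signal 1 (from the toolkit's own description): an NA for a canary target,
    i.e. an answer to a solicitation that no real host could answer.
    Signal 2 (added heuristic): more than `max_targets` distinct targets
    advertised by one MAC within `window` seconds.
    """
    reasons: Dict[str, List[str]] = defaultdict(list)
    flagged_many: Set[str] = set()
    advertised: Dict[str, List[Tuple[float, str]]] = defaultdict(list)

    for r in sorted(records, key=lambda x: x.ts):
        if r.kind != "NA":
            continue
        if r.target in canaries:
            reasons[r.src_mac].append(
                f"answered NS for non-existent target {r.target}")

        hist = advertised[r.src_mac]
        hist.append((r.ts, r.target))
        while hist and r.ts - hist[0][0] > window:   # sliding window
            hist.pop(0)
        distinct = {t for _, t in hist}
        if len(distinct) > max_targets and r.src_mac not in flagged_many:
            flagged_many.add(r.src_mac)
            reasons[r.src_mac].append(
                f"advertised {len(distinct)} different targets within {window:g}s")
    return dict(reasons)


# Constructed sample capture: one honest host, one sniff-and-reply spoofer.
SAMPLE: List[Nd] = [
    Nd(0.00, "NS", "2001:db8::10", "00:11:22:33:44:55"),
    Nd(0.10, "NA", "2001:db8::10", "aa:bb:cc:00:00:10"),       # owner replies
    Nd(1.00, "NS", "2001:db8::dead:beef:1", "00:11:22:33:44:55"),  # canary
    Nd(1.05, "NA", "2001:db8::dead:beef:1", "de:ad:be:ef:00:01"),  # spoofer
    Nd(1.20, "NA", "2001:db8::20", "de:ad:be:ef:00:01"),
    Nd(1.30, "NA", "2001:db8::21", "de:ad:be:ef:00:01"),
    Nd(1.40, "NA", "2001:db8::22", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for mac, why in find_spoofers(SAMPLE, CANARIES).items():
        print(mac, "->", "; ".join(why))
```

Pick canary addresses inside the link's real prefix so the spoofer's sniffer sees a plausible solicitation, and rotate them; a fixed canary is itself a signature a careful attacker could learn to ignore.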
– git clone https://github.com/vanhauser-thc/thc-ipv6
– cd thc-ipv6
– or run bash script helper