Engage yourself in IPv6! Issue #2 - THC tools

Just dumping some shell output and comments today. :)
If you haven't read the first issue of this series of articles on IPv6, I'd recommend reading it first.

IPv6 Attack Toolkit by THC (The Hacker's Choice)

You can download the tools here: http://www.thc.org/thc-ipv6/

Right now there is no ./configure script; just type "make" to compile.

The first time I tried to compile it on a netbook running Ubuntu 10.10 x86_64, make terminated with an error:

root@dirtybox:/home/me/Downloads/thc-ipv6-1.4# make
gcc -O2   -c -o thc-ipv6-lib.o thc-ipv6-lib.c
In file included from thc-ipv6-lib.c:40:
thc-ipv6.h:13: fatal error: openssl/rsa.h: No such file or directory
compilation terminated.
make: *** [thc-ipv6-lib.o] Error 1

So I installed libssl-dev using apt-get, and after that the compilation succeeded.

Now let's check out some of the tools that come with the toolkit.

Right now I have two netbooks and an OpenWRT router for testing. The router has an IPv6 tunnel to SixXS and an IPv6 subnet assigned to it, which radvd advertises to the local network. Both netbooks receive the router advertisements and thus automatically configure a routable IPv6 address from that subnet, in addition to their automatically configured link-local address.

The following tools are included in the IPv6 Attack Toolkit (copied from the README file):

THE TOOLS
=========

The THC IPV6 ATTACK TOOLKIT comes already with lots of effective attacking
tools:

 - parasite6: icmp neighbor solitication/advertisement spoofer, puts you
   as man-in-the-middle, same as ARP mitm (and parasite)
 - alive6: an effective alive scanng, which will detect all systems
   listening to this address
 - dnsdict6: parallized dns ipv6 dictionary bruteforcer
 - fake_router6: announce yourself as a router on the network, with the
   highest priority
 - redir6: redirect traffic to you intelligently (man-in-the-middle) with
   a clever icmp6 redirect spoofer
 - toobig6: mtu decreaser with the same intelligence as redir6
 - detect-new-ip6: detect new ip6 devices which join the network, you can
   run a script to automatically scan these systems etc.
 - dos-new-ip6: detect new ip6 devices and tell them that their chosen IP
   collides on the network (DOS).
 - trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
 - flood_router6: flood a target with random router advertisements
 - flood_advertise6: flood a target with random neighbor advertisements
 - fuzz_ip6: fuzzer for ipv6
 - implementation6: performs various implementation checks on ipv6
 - implementation6d: listen daemon for implementation6 to check behind a FW
 - fake_mld6: announce yourself in a multicast group of your choice on the net
 - fake_mld26: same but for MLDv2
 - fake_mldrouter6: fake MLD router messages
 - fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
 - fake_advertiser6: announce yourself on the network
 - smurf6: local smurfer
 - rsmurf6: remote smurfer, known to work only against linux at the moment
 - exploit6: known ipv6 vulnerabilities to test against a target
 - denial6: a collection of denial-of-service tests againsts a target
 - thcping6: sends a hand crafted ping6 packet
 - sendpees6: a tool by willdamn@gmail.com, which generates a neighbor
   solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the
   CPU busy. nice.

Just run the tools without options and they will give you help and show the
command line options.

 

I'll only cover some of these here: 
- detect-new-ip6 
- alive6
- parasite6
- trace6

 

detect-new-ip6

This tool comes in handy if you want to monitor your network for new IPv6 nodes coming alive.
I started it on one netbook and then connected the second netbook to the LAN.
This is the output of the commands (addresses obfuscated):

root@dirtybox:/home/me/# detect-new-ip6
detect-new-ip6 v1.4 (c) 2010 by van Hauser / THC <vh@thc.org> www.thc.org
Syntax: detect-new-ip6 interface [script]
This tools detects new ipv6 addresses joining the local network.
If script is supplied, it is executed with the detected IPv6 address as option
root@dirtybox:/home/me/Downloads/thc-ipv6-1.4# detect-new-ip6 eth0
Started ICMP6 DAD detection (Press Control-C to end) ...
Detected new ip6 address: fe80::xxx:xxxx:xxxx:fe7d
Detected new ip6 address: 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d

 

As you can see, detect-new-ip6 detected both the new link-local address that became active on the network and the routable IPv6 address of the new host.

 

alive6

Alive6 allows you to check which IPv6 addresses are currently active on your network.

root@dirtybox:/home/me/# alive6
alive6 v1.4 (c) 2010 by van Hauser / THC <vh@thc.org> www.thc.org
Syntax: alive6 [-dlmrS] [-W TIME] [-i FILE] [-o FILE] [-s NUMBER] interface [unicast-or-multicast-address [remote-router]]
Shows alive addresses in the segment. If you specify a remote router, the
packets are sent with a routing header prefixed by fragmentation
Options:  
-i FILE    check systems from input file  
-o FILE    write results to output file  
-m         enumerate from hardware addresses in input fule  
-l         use link-local address instead of global address  
-r         use raw mode (for tunnels)  
-d         resolve alive ipv6 addresses  
-W TIME    time in ms to wait after sending a packet (default: 10)  
-S         slow mode, get best router for each remote target or when proxy-NA  
-n NUMBER  how often to send each packet (default: 1)  
-s NUMBER  scan type, bit-wise add: 1-ping, 2-invalid header,
           4-invalid hop-by-hop, 8-udp dns, 16-tcp ack highport,
           32-tcp syn ssh, 64-tcp syn web, 128-tcp syn ssl; default:5

root@dirtybox:/home/me/Downloads/thc-ipv6-1.4# alive6 eth0
Alive: 2001:xxxx:xxxx::1
Alive: 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d
Found 2 systems alive

 

parasite6 

Now we are entering the dark side of the toolkit.
Wanna sniff some data? ;-)
Parasite6 is a man-in-the-middle tool: it spoofs ICMPv6 neighbor solicitations/advertisements, pretty much the same as good old ARP MITM.

 

Scenario: my second box, 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d, pings ipv6.google.com.
I MITM that traffic using parasite6 and am thus able to sniff it.

 

root@dirtybox:/home/me/# parasite6
parasite6 v1.4 (c) 2010 by van Hauser / THC <vh@thc.org> www.thc.org
Syntax: parasite6 interface [fake-mac]
This is an "ARP spoofer" for IPv6, redirecting all local traffic to your own system
(or nirvana if fake-mac does not exist) by answering falsely to Neighbor Solitication requests
root@dirtybox:/home/me/Downloads/thc-ipv6-1.4# parasite6 eth0
Remember to enable routing (ip_forwarding), you will denial service otherwise!
Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end) ...
Spoofed packet to fe80::xxxx:xxxx:xxxx:5f77 as 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d
Spoofed packet to fe80::xxxx:xxxx:xxxx:5f77 as 2001:xxxx:xxxx:x:xxxx:xxx:xxxx:40bc
Spoofed packet to fe80::xxxx:xxxx:xxxx:5f77 as 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d
Spoofed packet to fe80::xxxx:xxxx:xxxx:5f77 as 2001:xxxx:xxxx:x:xxxx:xxx:xxxx:40bc
Spoofed packet to fe80::xxxx:xxxx:xxxx:5f77 as 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d
Spoofed packet to fe80::xxxx:xxxx:xxxx:5f77 as 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d

 

Of course I forgot to enable ip_forwarding, so I DoSed the target machine. ;-)
But I was able to sniff the traffic coming from and destined to that machine:

root@dirtybox:/home/me# tcpdump -i eth0 ip6 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

09:34:28.755226 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:xxxx:xxxx:x:xxxx:xxx:xxxx:40bc > 2001:xxxx:xxxx:1::1:
[icmp6 sum ok] ICMP6, echo request, length 64, seq 5534

09:34:28.816176 IP6 (hlim 62, next-header ICMPv6 (58) payload length: 64) 2001:xxxx:xxxx:1::1 > 2001:xxxx:xxxx:x:xxxx:xxx:xxxx:40bc:
[icmp6 sum ok] ICMP6, echo reply, length 64, seq 5534

The reply did not get through to the target box, though, which is understandable.
However, after that I was for some reason not able to reproduce that first success and had all kinds of issues once forwarding was enabled. As soon as I enabled forwarding, I was no longer able to connect to the internet from that box, and hijacking the traffic of the other machine did not work either. I have no firewall rules enabled right now, so it must be a routing issue.
And I haven't yet understood how routing works for IPv6 in a fully automatic environment with a router advertisement daemon on the default router. I'll get back to that in another issue of this series of articles.
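To make concrete what detect-new-ip6 and parasite6 key on, here is an added example: a small Neighbor Discovery monitor in Python that I wrote for this page; it is not code from the article or from THC. detect-new-ip6 works from the Duplicate Address Detection probes a host sends before it uses an address (a Neighbor Solicitation with the unspecified source address :: and the tentative address as target, which is what its "ICMP6 DAD detection" banner refers to); parasite6 answers solicitations with Neighbor Advertisements that bind a victim's address to the attacker's MAC. The monitor parses raw IPv6/ICMPv6 packets, reports DAD probes as new nodes, and raises an alert when an address it has already seen advertises a different link-layer address. The sample packets are constructed inline with a helper (checksums are left at zero), and all addresses and MACs in them are made up.

```python
"""Minimal ICMPv6 Neighbor Discovery monitor (constructed example, not THC code)."""
import ipaddress
import struct

ICMPV6 = 58            # IPv6 next-header value for ICMPv6
NS, NA = 135, 136      # Neighbor Solicitation / Neighbor Advertisement
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2   # link-layer address options


def parse_nd(pkt: bytes):
    """Parse a raw IPv6 packet; return a dict for NS/NA messages, else None.

    Only the plain IPv6 header followed directly by ICMPv6 is handled;
    packets with extension headers are skipped in this toy parser.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    plen, nxt = struct.unpack_from("!HB", pkt, 4)     # payload length, next header
    if nxt != ICMPV6:
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    icmp = pkt[40:40 + plen]
    if len(icmp) < 24 or icmp[0] not in (NS, NA):
        return None
    target = ipaddress.IPv6Address(icmp[8:24])        # target address field
    lladdr = None
    off = 24                                          # options follow the target
    while off + 8 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]        # length is in units of 8 bytes
        if olen == 0:
            break
        if otype in (OPT_SRC_LLADDR, OPT_TGT_LLADDR) and olen == 1:
            lladdr = ":".join(f"{b:02x}" for b in icmp[off + 2:off + 8])
        off += olen * 8
    return {"type": icmp[0], "src": src, "dst": dst, "target": target, "lladdr": lladdr}


class NdMonitor:
    """Tracks address -> MAC bindings learned from advertisements."""

    def __init__(self):
        self.seen = {}     # IPv6 address -> link-layer address
        self.events = []

    def feed(self, pkt: bytes):
        nd = parse_nd(pkt)
        if nd is None:
            return None
        if nd["type"] == NS and nd["src"] == ipaddress.IPv6Address("::"):
            ev = f"DAD: new address {nd['target']}"           # what detect-new-ip6 reports
        elif nd["type"] == NA and nd["lladdr"]:
            old = self.seen.get(nd["target"])
            self.seen[nd["target"]] = nd["lladdr"]
            if old is None:
                ev = f"learned {nd['target']} is-at {nd['lladdr']}"
            elif old != nd["lladdr"]:
                ev = f"ALERT: {nd['target']} moved {old} -> {nd['lladdr']} (possible NDP spoofing)"
            else:
                return None                                    # unchanged binding, no event
        else:
            return None
        self.events.append(ev)
        return ev


def build_nd(src, dst, typ, target, lladdr=None):
    """Build a constructed IPv6/ICMPv6 NS or NA packet (checksum left zero)."""
    opts = b""
    if lladdr:
        otype = OPT_SRC_LLADDR if typ == NS else OPT_TGT_LLADDR
        opts = bytes([otype, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    flags = 0x60000000 if typ == NA else 0          # NA: solicited + override bits
    icmp = struct.pack("!BBHI", typ, 0, 0, flags) + ipaddress.IPv6Address(target).packed + opts
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)   # version 6, hop limit 255
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def demo():
    """Replay a constructed sequence: DAD probe, legitimate NA, repeat NA, spoofed NA."""
    mon = NdMonitor()
    pkts = [
        build_nd("::", "ff02::1:ff00:1", NS, "fe80::1"),                       # host joins
        build_nd("fe80::1", "ff02::1", NA, "fe80::1", "00:11:22:33:44:55"),     # real owner
        build_nd("fe80::1", "ff02::1", NA, "fe80::1", "00:11:22:33:44:55"),     # same again
        build_nd("fe80::bad", "ff02::1", NA, "fe80::1", "de:ad:be:ef:00:01"),   # spoofed
    ]
    return [mon.feed(p) for p in pkts]


if __name__ == "__main__":
    for ev in demo():
        if ev:
            print(ev)
```

Fed from a real capture (a raw socket or a pcap reader) instead of the constructed packets, the same logic gives you an IPv6 counterpart of arpwatch. Note that a legitimate NIC swap or a host that moves between interfaces also changes the binding, so the alert is a lead to investigate, not proof of an attack, and that the parser deliberately ignores packets carrying extension headers.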

trace6 

Kind of what you'd expect from the name, but faster than traceroute6 and with options comparable to tcptraceroute:

 

root@dirtybox:/home/me/# trace6 eth0 ipv6.google.com 80
Trace6 for ipv6.google.com (2a00:1450:8007::6a):  
1: 2001:xxxx:xxxx::1  
2: 2001:xxxx:xxxx:6d3::1  
3: 2001:xxxx:xxxx:3:dc40::a  
4: 2001:xxxx:a2b:6d:30::b  
5: 2001:xxxx:b2b::20e6:0:0  
6: 2001:xxxx::1:0:4b3  
7: 2001:xxxx::1:0:10  
8: 2001:xxxx::2:0:48d  
9: 2001:xxxx:0:1::c9 
10: ??? 
11: ??? 
12: 2a00:1450:8007::6a [TCP SYN-ACK reply received]

 

Amap

Amap, another tool I've tested, is not part of the IPv6 Attack Toolkit but is also very promising, because it supports things that Nmap does not support for IPv6 right now, like UDP scans.
But I had some issues with that tool: it reports ports as open on a remote machine that are actually not open on that remote machine but on the local machine. So either I am doing something wrong or amap does something wrong.

root@dirtybox:~# amap -6 -bqv  -P 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d 1-65535 

amap v5.3 (www.thc.org/thc-amap) started at 2011-04-17 09:58:50 - PORTSCAN mode

Total amount of tasks to perform in plain connect mode: 65535
Port on [2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d]:22/tcp is OPEN
Port on [2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d]:631/tcp is OPEN
Port on [2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d]:51399/tcp is OPEN

amap v5.3 finished at 2011-04-17 09:58:54

root@dirtybox:~# nmap -6 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d -p22,631,51399
Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-17 09:59 CEST
Nmap scan report for 2001:xxxx:xxxx:x:xxx:xxxx:xxxx:fe7d
Host is up (0.0046s latency).
PORT      STATE  SERVICE
22/tcp    closed ssh
631/tcp   closed ipp
51399/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds  

 

So again, it seems I have no idea what I am actually doing. ;-)
But I'm learning a lot in the process of trial and error and reading up on things.
There is a lot of great documentation out there, but some details are not documented that well, or I haven't found them yet. For example, I still haven't understood how routing works when the router has advertised itself to the hosts on a network while ip -6 route prints a link-local address as the default IPv6 gateway. Kind of irritating. And why does the route to the internet stop working on my attacking machine when I enable forwarding? Many questions.
I feel like I'm ten years back, when I first grasped how routing worked for IPv4.

 

Again, feel free to comment, correct and explain. I hope this series of articles helps some of you, and I also hope that some of you who are more advanced in the topic can help me out, too.

:) 

 


Tags: IPv6, THC, amap, spoofing


Comment by Sam Bowne on April 22, 2011 at 4:03pm
thc-ipv6 is wonderful!

You can kill all the Windows Machines on a LAN with flood_router6

Video: http://www.youtube.com/watch?v=GA_w87K_Iuo&feature=youtube_gdat...

Details: http://samsclass.info/ipv6/proj/flood-router6a.htm
Comment by Leon van der Eijk on April 22, 2011 at 11:33am
Awesome post mate ! This is what this site is all about
