frag6 - A security assessment tool for IPv6 fragmentation
frag6 [
-i INTERFACE] -d DST_ADDR [-S LINK_SRC_ADDR] [-D
LINK-DST-ADDR] [-s SRC_ADDR[/LEN]] [-A HOP_LIMIT] [-u DST_OPT_HDR_SIZE] [-U
DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-P FRAG_SIZE] [-O FRAG_TYPE] [-o
FRAG_OFFSET] [-I FRAG_ID] [-T] [-n] [-p | -W | -X | -F N_FRAGS] [-l] [-z
SECONDS] [-v] [-h]
frag6 is a security assessment tool for attack vectors based on IPv6
fragments. It is part of the SI6 Networks' IPv6 Toolkit: a security assessment
and trouble-shooting suite for the IPv6 protocols.
frag6 takes it parameters as command-line options. Each of the options
can be specified with a short name (one character preceded with the hyphen
character, as e.g. "-i") or with a long name (a string preceded with
two hyphen characters, as e.g. "--interface").
-
-i INTERFACE, --interface INTERFACE
- This option specifies the network interface that the tool
will use. If the destination address ("-d" option) is a
link-local address, the interface must be explicitly specified. The
interface may also be specified along with a destination address, with the
"-d" option.
-
-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
-
This option specifies the link-layer Source Address of the probe packets. If
left unspecified, the link-layer Source Address of the packets is set to
the real link-layer address of the network interface.
-
-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
-
This option specifies the link-layer Destination Address of the probe
packets. By default, the link-layer Destination Address is automatically
set to the link-layer address of the destination host (for on-link
destinations) or to the link-layer address of the first-hop router.
-
-s SRC_ADDR, --src-address SRC_ADDR
-
This option specifies the IPv6 source address (or IPv6 prefix) to be used
for the Source Address of the outgoing packets. If an IPv6 prefix is
specified, the IPv6 Source Address of the outgoing packets will be
randomized from that prefix.
-
-d DST_ADDR, --dst-address DST_ADDR
-
This option specifies the IPv6 Destination Address of the target node. This
option cannot be left unspecified.
-
-A HOP_LIMIT, --hop-limit HOP_LIMIT
-
This option specifies the Hop Limit to be used for the IPv6 packets. By
default, the Hop Limit is randomized.
-
-u HDR_SIZE, --dst-opt-hdr HDR_SIZE
-
This option specifies that a Destination Options header is to be included in
the outgoing packet(s). The extension header size must be specified as an
argument to this option (the header is filled with padding options).
Multiple Destination Options headers may be specified by means of multiple
"-u" options.
-
-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
-
This option specifies a Destination Options header to be included in the
"unfragmentable part" of the outgoing packet(s). The header size
must be specified as an argument to this option (the header is filled with
padding options). Multiple Destination Options headers may be specified by
means of multiple "-U" options.
-
-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
-
This option specifies that a Hop-by-Hop Options header is to be included in
the outgoing packet(s). The header size must be specified as an argument
to this option (the header is filled with padding options). Multiple
Hop-by-Hop Options headers may be specified by means of multiple
"-H" options.
-
-P FRAG_SIZE, --frag-size FRAG_SIZE
-
This option specifies the IPv6 fragment payload size.
-
-O FRAG_TYPE, --frag-type FRAG_TYPE
-
This option specifies the fragment "type". Possible types are
"first", "middle", "last", and
"atomic". If the selected fragment type is "first",
the Fragment Offset is automatically set to 0, and the "M"
("More fragments") bit is set to 1. If the selected fragment
type is "middle", the Fragment Offset is set to a non-zero
value, and the "M" bit is set to 1. If the selected fragment
type is "last", the Fragment Offset is set to a non-zero value,
and the "M" bit is set to 0. Finally, if the selected fragment
type is "atomic", the Fragment Offset is set to 0, and the
"M" bit is set to 0.
-
-o FRAG_OFFSET, --frag-offset FRAG_OFFSET
-
This option specifies the Fragment Offset. The Fragment Offset specified by
means of this option overrides the value implicitly specified by means of
the "-O" option.
-
-I FRAG_ID, --frag-id FRAG_ID
-
This option specifies the fragment "Identification" value. If left
unspecified, the "Identification" value is randomized.
-
-T, --no-timestamp
-
When assessing the fragment reassembly policy of a target, the fragment
payload includes a timestamp value that is used to measure the fragment
reassembly timeout. If this option is set, such timestamp will not be
included in the payload (and the tool will not be able to measure the
fragment reassembly timeout).
-
-n, --no-responses
-
This option instructs the frag6 tool not to display the responses to the
fragments sent. This option is useful when performing a
fragmentation-flooding attack, as multiple response packets (ICMPv6
errors) might be received.
-
-p, --frag-reass-policy
-
This option instructs the tool to determine the IPv6 fragment reassembly
policy of the target. In order to determine the aforementioned policy, the
tool performs a number of tests to determine how the target node processes
overlapping fragments. The following figures illustrate the sequence of
packets that correspond to each of the tests.
- Test #1
-
Frag. #1: AAAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Test #2
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Test #3
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Test #4
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCCCCCCCCCCCCCCCCC
Test #5
Frag. #1: AAAAAAAAAA
Frag. #2: BBBBBBBBBBB
Frag. #3: CCCCCCCCCCC
Frag. #4: DDDDDDDD
-
For each of the aforementioned tests, the tool reports which
-
copy of the data is used by the target host. If there is no
response from the host, the tool informs whether the host
silently dropped the fragments, or sent an ICMPv6 Time
Exceeded error message.
-
-W, --frag-id-policy
-
This option instructs the tool to determine the fragment
"Identification" generation policy. The tool sends a number of
probe packets to the target node, and samples the
"Identification" values of the corresponding response packets.
Based on the sampled values, it tries to infer the fragment Identification
generation policy of the target.
The tool will first send a number of fragments from single IPv6 address,
such that the per-destination policy is determined. The tool will then
send a number of fragments from random IPv6 addresses (from the same
prefix as the first fragments) such that the "global" fragment
Identification generation policy can be inferred.
The tool computes the expected value and the standard deviation of the
difference between consecutive-sampled Identification values (IDn –
IDn-1), with the intent of inferring the fragment Identification algorithm
at the target node.
For small values of the standard deviation, the fragment Identification is
assumed to be a monotonically-increasing function with increments of the
"expected value". For large values of the standard deviation,
the fragment Identification is assumed to be randomized, and the expected
value and standard deviation are informed to the user, as indicators of
the "quality" of the fragment Identification generation
algorithm.
-
-X, --pod-attack
-
This option instructs the tool to perform a "Ping of Death" attack
against the specified target.
-
-F FRAG_NUMBER, --flood-frags FRAG_NUMBER
-
This option instructs the tool to send the specified number of fragments
back-to-back to the target node. This option is likely to be used in
conjunction with the "-l" option, such that the process is
repeated in a loop.
-
-l, --loop
-
This option instructs the frag6 tool to periodically send IPv6 fragments to
the target node. The amount of time to pause between sending a batch of
fragments can be specified by means of the "-z" option, and
defaults to 1 second.
-
-z SECONDS, --sleep SECONDS
-
This option specifies the amount of time that the tool should pause between
sending btaches of IPv6 fragments (when the "--loop" option is
set). If left unspecified, it defaults to 1 second.
-
-v, --verbose
-
This option instructs the frag6 tool to be verbose. If this option is set
twice and the -W option was set, the tool outputs the sampled Fragment
Identification values (in addition to other information).
-
-h, --help
-
Print help information for the frag6 tool.
The following sections illustrate typical use cases of the
frag6 tool.
Example #1
# frag6 --frag-id-policy -d fc00:1::1 -v
Assess the fragment Identification generation policy of the host
"fc00:1::1". Be verbose.
Example #2
# frag6 --frag-reass-policy -d fc00:1::1 -v
Assess the fragment reassembly policy of the host "fc00:1::1". Be
verbose.
Example #3
# frag6 --frag-type atomic -d fc00:1::1 -v
Send an IPv6 atomic fragment to the host "fc00:1::1". Be verbose.
Example #4
# frag6 -s ::/0 --flood-frags 100 -l -z 5 -d fc00:1::1 -v
Send 100 fragments (every 5 seconds) to the host fc00:1::1, using a forged IPv6
Source Address from the prefix ::/0. The aforementioned fragments should have
an offset of 0, and the M bit set (i.e., be first-fragments). Be verbose.
The
frag6 tool and the corresponding manual pages were produced by
Fernando Gont <
[email protected]> for SI6 Networks
<
http://www.si6networks.com>.
Copyright (c) 2011-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available
at
<http://www.gnu.org/licenses/fdl.html>.