tcp6 - A security assessment tool for TCP/IPv6 implementations
tcp6 -i INTERFACE [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR] [-s
SRC_ADDR[/LEN]] [-d DST_ADDR] [-A HOP_LIMIT] [-y FRAG_SIZE] [-u
DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-c OPEN_TYPE]
[-C CLOSE_TYPE] [-P PAYLOAD_SIZE] [-o SRC_PORT] [-a DST_PORT] [-X TCP_FLAGS]
[-q TCP_SEQ] [-Q TCP_ACK] [-V TCP_URP] [-w TCP_WIN] [-W WINDOW_MODE] [-M
WIN_MOD_MODE] [-Z DATA] [-N] [-n] [-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J
LINK_ADDR] [-K LINK_ADDR] [-b PREFIX[/LEN]] [-g PREFIX[/LEN]] [-B LINK_ADDR]
[-G LINK_ADDR] [-F N_SOURCES] [-T N_PORTS] [-f] [-R] [-L] [-l] [-p PROBE_MODE]
[-z SECONDS] [-r RATE] [-v] [-h]
The tcp6 tool allows the assessment of IPv6 implementations with respect to a
variety of attack vectors based on TCP/IPv6 segments. This tool is part of the
SI6 Networks' IPv6 Toolkit: a security assessment suite for the IPv6
protocols.
tcp6 can be employed to perform specific TCP connection-establishment and
connection-termination sequences. For example, it can be employed to simulate
a TCP "simultaneous open" scenario (see the "--open-mode"
option) or to simulate a TCP "simultaneous close" scenario (see the
"--close-mode" option). It can be employed to perform a number of
resource-exhaustion attacks against TCP, such as SYN-flooding attacks,
connection-flooding attacks (see the "--flood-sources" and
"--flood-ports" options), etc. Additionally, it can be employed to
exploit attack vectors based on the TCP window (see the "--window"
option).
The tcp6 tool has two modes of operation: active and listening. In active
mode, the tool attacks a specific target, while in listening mode the tool
listens to TCP traffic on the local network and launches an attack in
response to such traffic. Active mode is employed if an IPv6 Destination
Address is specified. Listening mode is employed if the "-L" option
(or its long counterpart "--listen") is set. If both an attack
target and the "-L" option are specified, the attack is launched
against the specified target, and then the tool enters listening mode to
respond to incoming packets with TCP segments.
tcp6 supports filtering of incoming packets based on the Ethernet Source
Address, the Ethernet Destination Address, the IPv6 Source Address, and the
IPv6 Destination Address. There are two types of filters: "block
filters" and "accept filters". If any "block filter"
is specified, and the incoming packet matches any of those filters, the
message is discarded (and thus no TCP segments are sent in response). If any
"accept filter" is specified, incoming packets must match the
specified filters in order for the tool to respond with TCP segments.
tcp6 takes its parameters as command-line options. Each of the options
can be specified with a short name (one character preceded with the hyphen
character, as e.g. "-i") or with a long name (a string preceded with
two hyphen characters, as e.g. "--interface").
When the tool is instructed to, for example, flood the victim with TCP segments
from different sources ("--flood-sources" option), multiple packets
are generated for each attack round.
tcp6 supports IPv6 Extension Headers, including the IPv6 Fragmentation Header,
which might be of use to circumvent layer-2 filtering and/or Network Intrusion
Detection Systems (NIDS). However, IPv6 extension headers are not employed by
default, and must be explicitly enabled with the corresponding options.
-i INTERFACE, --interface INTERFACE
This option specifies the network interface that the tool
will use. The network interface must be specified (i.e., the tool does not
select any network interface "by default").
-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
This option specifies the link-layer Source Address of the probe packets. If
left unspecified, the link-layer Source Address of the packets is set to
the real link-layer address of the network interface. Note: this option is
meaningful only when the underlying link-layer technology is Ethernet.
-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
This option specifies the link-layer Destination Address of the probe
packets. By default, the link-layer Destination Address is automatically
set to the link-layer address of the destination host (for on-link
destinations) or to the link-layer address of the first-hop router. Note:
this option is meaningful only when the underlying link-layer technology
is Ethernet.
-s SRC_ADDR, --src-address SRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used
for the Source Address of the attack packets. If the "-F"
("--flood-sources") option is specified, this option includes an
IPv6 prefix, from which random addresses are selected. See the description
of the "-F" option for further information on how the
"-s" option is processed in that specific case.
Note: When operating in "listening" mode, the Source Address is
automatically set to the Destination Address of the incoming packet.
-d DST_ADDR, --dst-address DST_ADDR
This option specifies the IPv6 Destination Address of the victim. It can be
left unspecified only if the "-L" option is selected (i.e., if
the tool is to operate in "listening" mode).
Note: When operating in "listening" mode, the Destination Address
is automatically set to the Source Address of the incoming packet.
-A HOP_LIMIT, --hop-limit HOP_LIMIT
This option specifies the Hop Limit to be used for the IPv6 packets. It
defaults to 255.
-u HDR_SIZE, --dst-opt-hdr HDR_SIZE
This option specifies that a Destination Options header is to be included in
the outgoing packet(s). The extension header size must be specified as an
argument to this option (the header is filled with padding options).
Multiple Destination Options headers may be specified by means of multiple
"-u" options.
-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
This option specifies a Destination Options header to be included in the
"unfragmentable part" of the outgoing packet(s). The header size
must be specified as an argument to this option (the header is filled with
padding options). Multiple Destination Options headers may be specified by
means of multiple "-U" options.
-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in
the outgoing packet(s). The header size must be specified as an argument
to this option (the header is filled with padding options). Multiple
Hop-by-Hop Options headers may be specified by means of multiple
"-H" options.
-y FRAG_SIZE, --frag-hdr FRAG_SIZE
This option specifies that the resulting packet must be fragmented. The
fragment size must be specified as an argument to this option.
-P PAYLOAD_SIZE, --payload-size PAYLOAD_SIZE
This options specifies the size of the TCP payload. It defaults to 0 (i.e.,
empty TCP segments).
-o SRC_PORT, --src-port SRC_PORT
This option specifies the TCP Source Port.
-a DST_PORT, --dst-port DST_PORT
This option specifies the TCP Destination Port.
-X TCP_FLAGS, --tcp-flags TCP_FLAGS
This option is used to set the TCP flags. The flags are specified as
"F" (FIN), "S" (SYN), "R" (RST),
"P" (PSH), "A" (ACK), "U" (URG),
"X" (no flags). Several flags may be combined in a single argument
(e.g., "SA" for SYN/ACK, or "RA" for RST/ACK).
If this option is not set, and the tool operates in listening mode, the
flags of the generated TCP segments are automatically set as follows: TCP
segments elicited by SYNs have both the SYN and ACK flags set. All other
TCP segments have the ACK bit set.
-q SEQ_NUMBER, --tcp-seq SEQ_NUMBER
This option specifies the Sequence Number of the TCP header. If left
unspecified, the Sequence Number is randomized.
If this option is left unspecified and the tool is operating in listening
mode, the TCP Sequence Number is set to the Acknowledgement Number of the
packet that elicited the TCP segment.
-Q ACK_NUMBER, --tcp-ack ACK_NUMBER
This option specifies the Acknowledgment Number of the TCP segment. If left
unspecified, the Acknowledgment Number is randomized.
If this option is left unspecified and the tool is operating in listening
mode, the TCP Acknowledgment Number is derived from the Sequence Number of
the packet that elicited the TCP segment, acknowledging its payload and its
SYN/FIN flags unless the "-N" or "-n" options are set.
-V URG_POINTER, --tcp-urg URG_POINTER
This option specifies the Urgent Pointer of the TCP segment. If left
unspecified, the Urgent Pointer is set to 0.
-w TCP_WINDOW, --tcp-win TCP_WINDOW
This option specifies the value of the TCP Window. If left unspecified, the
Window is randomized.
-W WIN_MODE, --window-mode WIN_MODE
This option specifies how to operate the TCP window by means of the WIN_MODE
parameter. Two modes are supported:
+ closed
+ modulated
When the "closed" mode is selected, the TCP window will be set to
0 (i.e., "closed window"). If the tool establishes new TCP
connections, the initial window advertised during the TCP three-way
handshake will be that specified with the '-w' option. However, once the
connection has been established, the TCP window will be set to 0. This
allows for the implementation of the so-called Netkill attack, discussed
in Section 7.1.1 of the document "Security Assessment of the
Transmission Control Protocol (TCP)" (available at:
<http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>).
When the "modulated" mode is selected, the TCP window will
alternate between two different values. These values,
along with the amount of time that each of them is "active", can be
specified by means of the '-M' ("--win-modulation") option. The
first of the aforementioned values is meant to close the window (hence it
will typically be zero), while the second is meant to open the window. The
goal of alternating between these two values is to circumvent a trivial
mitigation against Zero-Window attacks implemented by some stacks, which
enforce a limit on the maximum amount of time that the TCP window advertised
by a remote peer may remain fully closed (i.e., set to 0). By changing the
advertised window to some other (small) value every now and then, such a
trivial "counter-measure" can be easily circumvented.
-M WIN_MOD_MODE, --win-modulation WIN_MOD_MODE
This option specifies the two values (and their respective duration) over
which the TCP window will alternate. The value WIN_MOD_MODE has the
syntax "WIN1:TIME1:WIN2:TIME2", where the WIN1 and WIN2
parameters specify the window size for each of these periods, while the
TIME1 and TIME2 parameters specify their respective time lengths (in
seconds). For example, setting "--win-modulation 0:60:10:30" will cause
tcp6 to alternate between advertising a TCP window of 0 bytes for
60 seconds, and advertising a TCP window of 10 bytes for 30 seconds.
This option will typically be employed along with one of the flooding
options ("--flood-sources" and/or "--flood-ports") and
the "--data" option, such that multiple TCP connections are
established, and the target TCPs keep their retransmission buffers full. In
this scenario, the TCP window "modulation" option can be
leveraged to evade trivial counter-measures implemented by some TCP stacks
that try to mitigate Zero-Window attacks by enforcing a limit on the
maximum amount of time the TCP window can be in the "closed
state".
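The window schedule that the "--window-mode modulated" and "--win-modulation" options describe, worked through as an added example (this is not tcp6's own code). It parses the WIN1:TIME1:WIN2:TIME2 syntax, reports which window is advertised at a given moment, and checks the schedule against a stack-side limit on how long the peer window may stay at zero; that limit is an assumed, constructed value standing for the mitigation described above, not a figure taken from any particular TCP stack.

```python
"""Model the window schedule that "--win-modulation WIN1:TIME1:WIN2:TIME2"
describes, and check it against a stack-side limit on how long the peer's
window may stay at zero.

Added example, not tcp6 code. The limit passed to evades_zero_window_limit()
stands for the mitigation the manual mentions (a stack that gives up on a
connection whose peer window has been fully closed for too long); the value
used in main() is constructed, not taken from any particular TCP stack.
"""
from typing import NamedTuple


class WinSchedule(NamedTuple):
    win1: int   # window advertised during the first period (typically 0)
    time1: int  # seconds the first period lasts
    win2: int   # window advertised during the second period
    time2: int  # seconds the second period lasts

    @property
    def period(self) -> int:
        return self.time1 + self.time2


def parse_win_modulation(spec: str) -> WinSchedule:
    """Parse "WIN1:TIME1:WIN2:TIME2", rejecting values the TCP header cannot carry."""
    parts = spec.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected WIN1:TIME1:WIN2:TIME2, got {spec!r}")
    win1, time1, win2, time2 = (int(p) for p in parts)
    for name, win in (("WIN1", win1), ("WIN2", win2)):
        if not 0 <= win <= 0xFFFF:
            raise ValueError(f"{name}={win} does not fit the 16-bit Window field")
    for name, secs in (("TIME1", time1), ("TIME2", time2)):
        if secs <= 0:
            raise ValueError(f"{name}={secs} must be a positive number of seconds")
    return WinSchedule(win1, time1, win2, time2)


def window_at(s: WinSchedule, t: float) -> int:
    """Window advertised t seconds after modulation starts (the schedule repeats)."""
    return s.win1 if (t % s.period) < s.time1 else s.win2


def longest_zero_window_run(s: WinSchedule) -> float:
    """Longest stretch, in seconds, during which the advertised window is 0."""
    if s.win1 == 0 and s.win2 == 0:
        return float("inf")  # the window never opens: plain closed-window (Netkill) behaviour
    return max(s.time1 if s.win1 == 0 else 0, s.time2 if s.win2 == 0 else 0)


def evades_zero_window_limit(s: WinSchedule, max_zero_seconds: float) -> bool:
    """True if every zero-window stretch ends before the (assumed) stack limit expires."""
    return longest_zero_window_run(s) < max_zero_seconds


if __name__ == "__main__":
    sched = parse_win_modulation("0:60:10:30")  # the manual's own example
    print([window_at(sched, t) for t in (0, 59, 60, 89, 90)])
    limit = 120  # constructed limit, in seconds, for a hypothetical stack
    print("evades a %ds zero-window limit:" % limit, evades_zero_window_limit(sched, limit))
    print("evades with the window never opened:",
          evades_zero_window_limit(parse_win_modulation("0:60:0:30"), limit))
```

The point of the check is the one the option text makes: a schedule whose zero-window period is shorter than the stack's limit keeps the connection alive indefinitely, while a schedule that never opens the window (WIN1 and WIN2 both 0) is just the "closed" mode and is caught by such a limit.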
-c OPEN_MODE, --open-mode OPEN_MODE
This option specifies the connection-establishment mode. The following modes
are available:
+ simultaneous
+ passive
+ abort
When the "simultaneous" mode is selected, tcp6 will respond
to incoming SYN segments with other SYN segments, thus simulating a
"simultaneous open" scenario. When the "passive" mode
is selected, tcp6 will respond to incoming SYN segments with the
typical SYN/ACK segments, thus leading to the traditional "three-way
handshake". Finally, when the "abort" mode is selected,
tcp6 will respond to incoming SYN segments with RST segments, thus
aborting the incoming connections.
For the most part, this option is useful for assessing the correct behavior
of TCP implementations (e.g., support for "simultaneous opens").
-C CLOSE_MODE, --close-mode CLOSE_MODE
This option specifies the connection-termination mode. The following
modes are available:
+ simultaneous
+ passive
+ abort
+ active
+ FIN-WAIT-1
+ FIN-WAIT-2
+ LAST-ACK
When the "simultaneous" mode is selected, tcp6 will respond
to incoming FIN segments with FIN segments, thus simulating a
"simultaneous close" scenario. When the "passive" mode
is selected, tcp6 will respond to incoming FIN segments with the
typical FIN/ACK segments, thus leading to the traditional TCP
connection-termination sequence. When the "abort" mode is
selected, tcp6 will respond to incoming FIN segments with RST
segments, thus aborting the corresponding connections. When the
"active" mode is selected, tcp6 will start the
connection-termination sequence by sending a FIN segment.
The FIN-WAIT-1, FIN-WAIT-2, and LAST-ACK modes will leave the remote TCP's
connections in the FIN-WAIT-1, FIN-WAIT-2, and LAST-ACK states, respectively
(a remote TCP stays in FIN-WAIT-1 while its FIN remains unacknowledged, in
FIN-WAIT-2 once its FIN has been acknowledged but no FIN has been sent back,
and in LAST-ACK while it waits for the acknowledgment of the FIN it sent in
response to a FIN from tcp6). It should be noted
that in order for the remote TCPs to transition to the FIN-WAIT-1 or
FIN-WAIT-2 states, the remote TCPs must perform the "active
close". This can be trivially triggered for application protocols
such as HTTP, but might not be feasible for other protocols.
-Z DATA, --data DATA
This option is used to specify a payload that should be sent as the first
data segment once a TCP connection has been established. It will typically
include an application-layer request. Note: the string used for the DATA
parameter can contain the "\r" and "\n" C-style escape
sequences for representing "carriage return" and "line
feed" (respectively).
As an example, this option could be employed to send an HTTP request if set
as '--data "GET / HTTP/1.0\r\n\r\n"'.
-N, --not-ack-data
This option instructs tcp6 not to acknowledge the TCP payload of
incoming segments (when operating in listening mode).
Note: By default, tcp6 will acknowledge both the payload and the flags of
the incoming TCP segments.
-n, --not-ack-flags
This option instructs tcp6 not to acknowledge the TCP flags (SYN and/or FIN)
of incoming segments (when operating in listening mode).
Note: By default, tcp6 will acknowledge both the payload and the flags of
the incoming TCP segments.
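The Sequence/Acknowledgment Number bookkeeping behind the "-q" and "-Q" defaults and the "-N"/"-n" options, as an added example (this is not tcp6's own code, and the sample segments are constructed). It applies the standard TCP rule that a SYN and a FIN each occupy one sequence number, so the acknowledgment a responder like tcp6 generates in listening mode is the eliciting segment's Sequence Number plus the payload it acknowledges plus one per acknowledged SYN/FIN, modulo 2^32; the "isn" parameter is an assumption standing in for the randomized initial sequence number the tool uses when a bare SYN offers no Acknowledgment Number to mirror.

```python
"""Sequence/Acknowledgment Number bookkeeping for a TCP responder such as
tcp6 in listening mode.

Added example: this is not tcp6's own code. It models the defaults the
manual gives for "-q"/"-Q" and the effect of "-N"/"-n", using the standard
TCP rule that a SYN and a FIN each occupy one sequence number. The sample
segments in main() are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Tuple

SEQ_MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    seq: int          # Sequence Number of the received segment
    ack: int          # Acknowledgment Number of the received segment
    flags: str        # tcp6-style flag letters, e.g. "S", "PA", "FA"
    payload_len: int  # TCP payload length in octets


def acked_length(seg: Segment, ack_data: bool = True, ack_flags: bool = True) -> int:
    """Sequence-space octets the reply acknowledges.

    ack_data=False models "-N" (do not acknowledge the payload);
    ack_flags=False models "-n" (do not acknowledge SYN/FIN).
    """
    n = seg.payload_len if ack_data else 0
    if ack_flags:
        n += int("S" in seg.flags) + int("F" in seg.flags)
    return n


def reply_numbers(seg: Segment, ack_data: bool = True, ack_flags: bool = True,
                  isn: int = 0) -> Tuple[int, int]:
    """Return (seq, ack) of the reply to `seg`.

    seq mirrors the eliciting segment's Acknowledgment Number, as the manual
    describes; a bare SYN carries no valid ACK, so the reply needs its own
    initial sequence number (`isn`, randomized by the tool; fixed here so the
    result is reproducible).
    """
    seq = seg.ack if "A" in seg.flags else isn % SEQ_MOD
    ack = (seg.seq + acked_length(seg, ack_data, ack_flags)) % SEQ_MOD
    return seq, ack


def reply_flags(seg: Segment) -> str:
    """Default reply flags in listening mode ("-X" unset): SYN/ACK to a SYN, ACK otherwise."""
    return "SA" if "S" in seg.flags and "A" not in seg.flags else "A"


if __name__ == "__main__":
    syn = Segment(seq=1000, ack=0, flags="S", payload_len=0)
    data = Segment(seq=1001, ack=5001, flags="PA", payload_len=100)
    fin = Segment(seq=1101, ack=5001, flags="FA", payload_len=0)
    for seg in (syn, data, fin):
        print(f"in {seg.flags:<2} seq={seg.seq} len={seg.payload_len} -> "
              f"out {reply_flags(seg)} seq,ack={reply_numbers(seg, isn=5000)}")
    # "-N": the data segment is answered with an ACK that leaves the payload unacknowledged
    print("with -N:", reply_numbers(data, ack_data=False))
```

Leaving payload or flags unacknowledged is what keeps the remote retransmission buffer full in the flooding scenarios described under "--win-modulation": the peer keeps the data queued and keeps retransmitting it, while the connection itself stays established.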
-j SRC_ADDR, --block-src SRC_ADDR
This option sets a block filter for the incoming packets, based on their
IPv6 Source Address. It allows the specification of an IPv6 prefix in the
form "-j prefix/prefixlen". If the prefix length is not
specified, a prefix length of "/128" is selected (i.e., the
option assumes that a single IPv6 address, rather than an IPv6 prefix, has
been specified).
-k DST_ADDR, --block-dst DST_ADDR
This option sets a block filter for the incoming packets, based on their
IPv6 Destination Address. It allows the specification of an IPv6 prefix in
the form "-k prefix/prefixlen". If the prefix length is not
specified, a prefix length of "/128" is selected (i.e., the
option assumes that a single IPv6 address, rather than an IPv6 prefix, has
been specified).
-J LINK_ADDR, --block-link-src LINK_ADDR
This option sets a block filter for the incoming packets, based on their
link-layer Source Address. The option must be followed by a link-layer
address (currently, only Ethernet is supported).
-K LINK_ADDR, --block-link-dst LINK_ADDR
This option sets a block filter for the incoming packets, based on their
link-layer Destination Address. The option must be followed by a
link-layer address (currently, only Ethernet is supported).
-b SRC_ADDR, --accept-src SRC_ADDR
This option sets an accept filter for the incoming packets, based on their
IPv6 Source Address. It allows the specification of an IPv6 prefix in the
form "-b prefix/prefixlen". If the prefix length is not
specified, a prefix length of "/128" is selected (i.e., the
option assumes that a single IPv6 address, rather than an IPv6 prefix, has
been specified).
-g DST_ADDR, --accept-dst DST_ADDR
This option sets an accept filter for the incoming packets, based on their
IPv6 Destination Address. It allows the specification of an IPv6 prefix in
the form "-g prefix/prefixlen". If the prefix length is not
specified, a prefix length of "/128" is selected (i.e., the
option assumes that a single IPv6 address, rather than an IPv6 prefix, has
been specified).
-B LINK_ADDR, --accept-link-src LINK_ADDR
This option sets an accept filter for the incoming packets, based on their
link-layer Source Address. The option must be followed by a link-layer
address (currently, only Ethernet is supported).
-G LINK_ADDR, --accept-link-dst LINK_ADDR
This option sets an accept filter for the incoming packets, based on their
link-layer Destination Address. The option must be followed by a
link-layer address (currently, only Ethernet is supported).
-F N_SOURCES, --flood-sources N_SOURCES
This option instructs the tool to send multiple TCP segments with different
Source Addresses. The number of different source addresses is specified as
"-F number". The Source Address of each TCP segment is randomly
selected from the prefix specified by the "-s" option. If the
"-F" option is specified but the "-s" option is left
unspecified, the Source Address of the packets is randomly selected from
the prefix ::/0.
-T N_PORTS, --flood-ports N_PORTS
This option instructs the tool to send multiple TCP segments with different
Source Ports. The Source Port of each TCP segment is randomly selected
from the whole port number space (0-65535).
-l, --loop
This option instructs the tcp6 tool to send periodic TCP segments to the
victim node. The amount of time to pause between sending TCP segments can
be specified by means of the "-z" option, and defaults to 1
second. Note that this option cannot be set in conjunction with the
"-L" ("--listen") option.
-z SECONDS, --sleep SECONDS
This option specifies the amount of time to pause between sending TCP
segments (when the "--loop" option is set). If left unspecified,
it defaults to 1 second.
-r RATE, --rate-limit RATE
This option specifies the rate limit to use when sending packets (e.g., when
flooding the target). "RATE" should be specified as "xbps" or
"xpps" (with "x" being an unsigned integer), for
rate-limits in bits per second or packets per second, respectively.
-L, --listen
This instructs the tcp6 tool to operate in listening mode (possibly after
attacking a given node). Note that this option cannot be used in
conjunction with the "-l" ("--loop") option.
-p PROBE_MODE, --probe-mode PROBE_MODE
This option instructs tcp6 to operate in probe mode. The specific probe mode
is specified as an argument to this option (currently, only
"script" mode is supported). In probe mode, tcp6 sends
probe segments, and waits for response packets. The response packets are
decoded based on the selected probe mode.
In the "script" probe mode, the tool decodes TCP segments as
follows:
RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...
Where the string RESPONSE is fixed, and RESPONSE_TYPE indicates the response
received. As of this version of the tool, the following RESPONSE_TYPE
values are supported:
+ TCP6: Indicates that the tool received a TCP/IPv6 packet
+ TIMEOUT: Indicates that the tool received no response
If RESPONSE_TYPE is TCP6, RESPONSE_DECODE contains the TCP flags set in the
received TCP segment. The TCP flags are encoded as "F" (FIN),
"S" (SYN), "R" (RST), "P" (PSH),
"A" (ACK), and "U" (URG).
Possible output lines of the tool are:
RESPONSE:TIMEOUT:
RESPONSE:TCP6:RA:
Note: Future versions of the tool will also decode ICMPv6 error messages,
and will include additional data regarding the incoming TCP segments
(e.g., ACK value, payload size, etc.).
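A parser for the "RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE" lines of the "script" probe mode, as an added example (not code from tcp6 or the SI6 toolkit). It turns each line into a (type, flags) pair, rejects lines that do not follow the documented format, builds the probe invocation shown in Example #5 below, and maps a probe/response pair to a port-state verdict. The verdict rules (SYN probe: SYN/ACK means open, RST means closed, no answer means filtered; ACK probe: RST means unfiltered, no answer means filtered) are the conventional TCP-scan interpretation and are this example's assumption, not something the manual states. The sample lines are constructed, not captured tool output.

```python
"""Decode the "RESPONSE:..." lines printed by tcp6 --probe-mode script and
turn them into a port-state verdict.

Added example, not code from tcp6 or the SI6 toolkit. The verdict rules
(SYN probe: SYN/ACK = open, RST = closed, silence = filtered; ACK probe:
RST = unfiltered, silence = filtered) are the conventional TCP-scan
interpretation and are an assumption of this example, not something the
manual states. The sample lines in main() are constructed, not captured output.
"""
import re
import shlex
from typing import FrozenSet, Tuple

LINE_RE = re.compile(r"^RESPONSE:(?P<type>[A-Z0-9]+):(?P<decode>[A-Z]*):?$")
FLAG_LETTERS = frozenset("FSRPAU")  # F=FIN S=SYN R=RST P=PSH A=ACK U=URG


def parse_response(line: str) -> Tuple[str, FrozenSet[str]]:
    """Return (RESPONSE_TYPE, flags) for one output line; raise ValueError otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcp6 script-mode line: {line!r}")
    rtype, decode = m.group("type"), m.group("decode")
    if rtype == "TCP6":
        unknown = set(decode) - FLAG_LETTERS
        if unknown:
            raise ValueError(f"unknown flag letter(s) {sorted(unknown)} in {line!r}")
        return rtype, frozenset(decode)
    # TIMEOUT (and any type a future version adds) carries no flag decode
    return rtype, frozenset()


def classify(probe_flags: str, response: Tuple[str, FrozenSet[str]]) -> str:
    """Map a probe/response pair to open / closed / filtered / unfiltered / unexpected."""
    rtype, flags = response
    if rtype == "TIMEOUT":
        return "filtered"
    if rtype != "TCP6":
        return "unexpected"
    if probe_flags == "S":
        if {"S", "A"} <= flags:
            return "open"
        if "R" in flags:
            return "closed"
    elif probe_flags == "A":
        if "R" in flags:
            return "unfiltered"
    return "unexpected"


def probe_command(interface: str, dst: str, port: int, probe_flags: str) -> str:
    """Build the tcp6 invocation for one probe (the form shown in the manual's Example #5)."""
    argv = ["tcp6", "-i", interface, "-d", dst, "-a", str(port),
            "--tcp-flags", probe_flags, "--probe-mode", "script"]
    return shlex.join(argv)


if __name__ == "__main__":
    print(probe_command("eth0", "fc00:1::1", 80, "S"))
    # constructed sample output, one line per probe
    sample = [("S", "RESPONSE:TCP6:SA:"), ("S", "RESPONSE:TCP6:RA:"),
              ("S", "RESPONSE:TIMEOUT:"), ("A", "RESPONSE:TCP6:R:")]
    for probe, line in sample:
        print(f"{probe} probe, {line:<20} -> {classify(probe, parse_response(line))}")
```

Because the decode field currently carries only the flag letters, the classifier deliberately reports "unexpected" for any combination it has no rule for rather than guessing; when a future version adds ICMPv6 error decoding, that branch is where a new RESPONSE_TYPE would be handled.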
-v, --verbose
This option instructs the tcp6 tool to be verbose. When the option is set
twice, the tool is "very verbose", and the tool also informs
which packets have been accepted or discarded as a result of applying the
specified filters.
-h, --help
Print help information for the tcp6 tool.
The following sections illustrate typical use cases of the tcp6 tool.
Example #1
# tcp6 -i eth0 -s fc00:1::/64 -d fc00:1::1 -a 22 -X S -F 100 -l -z 1 -v
In this example the tcp6 tool is essentially employed to perform a
SYN-flood attack against port number 22 of the host fc00:1::1. The tool uses
the network interface "eth0" (as specified by the "-i"
option), and sends SYN segments (as specified by the "-X" option)
from the prefix fc00:1::/64 (as specified by the "-s" option) to
port 22 (specified by the "-a" option) at the destination address
fc00:1::1 (specified by the "-d" option). The tool sends TCP
segments from 100 different addresses (as specified by the "-F"
option) every second (as specified by the "-l" and
"-z" options). The tool will be verbose (as specified by the
"-v" option).
Example #2
# tcp6 -i eth0 -L -X RA -v
In this example, the tcp6 tool is employed to perform a TCP
connection-reset attack against all active TCP connections in the local
network. The tool listens ("-L") on the interface eth0 ("-i
eth0"), and responds to any TCP segments with a RST packet (with both the
RST and ACK bits set). The tool will be verbose.
Example #3
# tcp6 -i eth0 -d fc00:1::1 -a 80 -L -s fc00:1::/112 -l -r 1pps -v --data
"GET / HTTP/1.0\r\n\r\n" --close-mode last-ack --flood-ports 10
Flood the target system (fc00:1::1) with connections that stay in the LAST-ACK
state (on port 80), sending packets at a rate of one packet per second. For
each forged address, 10 different (forged) ports are used. For each
connection, tcp6 will send an HTTP application request.
Example #4
# tcp6 -i eth0 -d fc00:1::1 -a 80 -L -s fc00:1::/112 -l -r 1000pps --tcp-flags
auto -v --data "GET / HTTP/1.0\r\n\r\n" --flood-ports 10
--window-mode close
Flood the target node (fc00:1::1) with TCP connections (on port 80). On each
connection that is established, an HTTP request is sent, and the TCP window is
immediately closed. For each forged IPv6 source address ten different TCP
source ports are randomized. The bandwidth of the attack is limited to 1000
pps.
Example #5
# tcp6 -d fc00:1::1 -a 80 --tcp-flags A --dst-opt-hdr 8 --payload-size 50
--probe-mode script
Send a probe TCP segment to TCP port 80 at fc00:1::1. The probe packet consists
of an IPv6 packet with a Destination Options header of 8 bytes, and an IPv6
payload consisting of a TCP segment with the ACK bit set, and 50 data bytes.
The probe mode is "script".
See "Security Assessment of the Transmission Control Protocol (TCP)"
(available at:
<http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>)
for a discussion of TCP vulnerabilities.
The tcp6 tool and the corresponding manual pages were produced by
Fernando Gont
<[email protected]> for SI6 Networks
<http://www.si6networks.com>.
Copyright (c) 2011-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available
at
<http://www.gnu.org/licenses/fdl.html>.