1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
|
.TH PATH6 1
.SH NAME
path6 \- A versatile IPv6\-based traceroute tool
.SH SYNOPSIS
.B path6
.RB [\| \-d \|]
.RB [\| \-i
.IR INTERFACE \|]
.RB [\| \-s
.IR SRC_ADDR \|[/\| LEN \|]]
.RB [\| \-S
.IR LINK_SRC_ADDR \|]
.RB [\| \-D
.IR LINK_DST_ADDR \|]
.RB [\| \-y
.IR FRAG_SIZE \|]
.RB [\| \-u
.IR DST_OPT_HDR_SIZE \|]
.RB [\| \-U
.IR DST_OPT_U_HDR_SIZE \|]
.RB [\| \-H
.IR HBH_OPT_HDR_SIZE \|]
.RB [\| \-r
.IR LIMIT \|]
.RB [\| \-p
.IR PROBE_TYPE \|]
.RB [\| \-P
.IR PAYLOAD_SIZE \|]
.RB [\| \-a
.IR DST_PORT \|]
.RB [\| \-X
.IR TCP_FLAGS \|]
.RB [\| \-v \|]
.RB [\| \-h \|]
.SH DESCRIPTION
.B path6
is an IPv6 traceroute tool, with full support for IPv6 Extension Headers. It is part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for the IPv6 protocols.
.SH OPTIONS
.B path6
takes its parameters as command-line options. Each of the options can be specified with a short name (one character preceded with the hyphen character, as e.g. "\-i") or with a long name (a string preceded with two hyphen characters, as e.g. "\-\-interface").
Most of probe packet details can be specified by means of the available options. When TCP or UDP probe packets are employed, the Source Port of the probe packets is used to encode the probe packet number.
The current version of the tool will only print IPv6 addresses and will not try to reverse\-map such IPv6 addresses into hostnames.
.TP
.BI \-i\ interface ,\ \-\-interface\ interface
This option specifies the network interface to be used by the
.B path6 tool. It can be used for overriding the output interface selected based on the local routing table.
.TP
.BI \-s\ SRC_ADDR ,\ \-\-src\-address\ SRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used for the Source Address of the attack packets. If a prefix is specified, the Source Address is randomly selected from that prefix.
.TP
.BI \-d\ DST_ADDR ,\ \-\-dst\-address\ DST_ADDR
This option specifies the IPv6 Destination Address of the target.
.TP
.BI \-S\ SRC_LINK_ADDR ,\ \-\-src\-link\-address\ SRC_LINK_ADDR
This option can be used to override the link\-layer Source Address of the packets.
.TP
.BI \-D\ DST_LINK_ADDR ,\ \-\-dst\-link\-address\ DST_LINK_ADDR
This option can be used to override the link\-layer Destination Address of the outgoing packets.
.TP
.BI \-y\ SIZE ,\ \-\-frag\-hdr\ SIZE
This option specifies that the probe packets must be fragmented. The fragment size must be specified as an argument to this option.
.TP
.BI \-u\ HDR_SIZE ,\ \-\-dst\-opt\-hdr\ HDR_SIZE
This option specifies that a Destination Options header is to be included in the outgoing packet(s). The extension header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-u" options.
.TP
.BI \-U\ HDR_SIZE ,\ \-\-dst\-opt\-u\-hdr\ HDR_SIZE
This option specifies a Destination Options header to be included in the "unfragmentable part" of the outgoing packet(s). The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-U" options.
.TP
.BI \-H\ HDR_SIZE ,\ \-\-hbh\-opt\-hdr\ HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the outgoing packet(s). The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop-by-Hop Options headers may be specified by means of multiple "\-H" options.
.TP
.BI \-p\ PROBE_TYPE ,\ \-\-probe\-type\ PROBE_TYPE
This option specifies the protocol to be used for the probe packets. Possible arguments are: "icmp" (for ICMPv6 Echo Request), "tcp" (for TCP), and "udp" (for UDP). If left unspecified, the probe packets default to ICMPv6 Echo Request.
.TP
.BI \-P\ PAYLOAD_SIZE ,\ \-\-payload\-size\ PAYLOAD_SIZE
This option specifies the payload size of the probe packets.
.TP
.BI \-o\ SRC_PORT ,\ \-\-src\-port\ SRC_PORT
This option specifies the TCP/UDP Source Port. If left unspecified, the Source Port is randomized from the range 1024\-65535.
.TP
.BI \-a\ DST_PORT ,\ \-\-dst\-port\ DST_PORT
This option specifies the TCP/UDP Destination Port. If left unspecified, the Destination Port defaults to 80 for the TCP case, and a randomized value (in the range 60000\-65000) for the UDP case.
.TP
.BI \-X\ TCP_FLAGS ,\ \-\-tcp\-flags\ TCP_FLAGS
This option is used to set specific the TCP flags. The flags are specified as "F" (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK), "U" (URG), "X" (no flags).
If this option is left unspecified, the ACK bit is set on all probe packets.
.TP
.BR \-v\| ,\ \-\-verbose
This option selects the "verbosity" of the tool. If this option is left unspecified, only minimum information is printed.
.TP
.BR \-h\| ,\ \-\-help
Print help information for the
.B path6
tool.
.SH EXAMPLES
The following sections illustrate typical use cases of the
.B path6
tool.
\fBExample #1\fR
# scan6 \-i eth0 \-L \-e \-v
Perform host scanning on the local network ("\-L" option) using interface "eth0" ("\-i" option). Use both ICMPv6 echo requests and unrecognized IPv6 options of type 10xxxxxx (default). Print link-link layer addresses along with IPv6 addresses ("\-e" option). Be verbose ("\-v" option).
\fBExample #2\fR
# scan6 \-d 2001:db8::/64 \-\-tgt\-virtual\-machines all \-\-ipv4\-host 10.10.10.0/24
Scan for virtual machines (both VirtualBox and vmware) in the prefix 2001:db8::/64. The additional information about the IPv4 prefix employed by the host system is leveraged to reduce the search space.
\fBExample #3\fR
# scan6 \-d 2001:db8::/64 \-\-tgt\-ipv4\-embedded ipv4\-32 \-\-ipv4\-host 10.10.10.0/24
Scan for IPv6 addresses of the network 2001:db8::/64 that embed the IPv4 prefix 10.10.10.0/24 (with the 32-bit encoding).
\fBExample #4\fR
# scan6 \-d 2001:db8:0\-500:0\-1000
Scan for IPv6 addresses of the network 2001:db8::/64, varying the two lowest order 16\-bit words of the addresses in the range 0\-500 and 0\-1000, respectively.
\fBExample #5\fR
# scan6 \-d fc00::/64 \-\-tgt\-vendor 'Dell Inc' \-p tcp
Scan for network devices manufactured by 'Dell Inc' in the target prefix fc00::/64. The tool will employ TCP segments as the probe packets (rather than the default ICMPv6 echo requests).
.SH SEE ALSO
.BR ipv6toolkit.conf (5)
draft\-ietf\-opsec\-ipv6\-host\-scanning (available at:
.IR <http://tools.ietf.org/html/draft\-gont\-v6ops\-ipv6\-ehs\-in\-\real\-world> )
for a discussion of support of IPv6 packets with extension headers in the IPv6 Internet.
.SH AUTHOR
The
.B path6
tool and the corresponding manual pages were produced by Fernando Gont
.I <fgont@si6networks.com>
for SI6 Networks
.IR <http://www.si6networks.com> .
.SH COPYRIGHT
Copyright (c) 2014\-2015 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
|
