1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
|
.TH UDP6 1
.SH NAME
udp6 \- A security assessment tool for UDP/IPv6 implementations
.SH SYNOPSIS
.B udp6
\-i INTERFACE [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-A HOP_LIMIT] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-P PAYLOAD_SIZE] [\-o SRC_PORT] [\-a DST_PORT] [\-Z DATA] [\-j PREFIX[/LEN]] [\-k PREFIX[/LEN]] [\-J LINK_ADDR] [\-K LINK_ADDR] [\-b PREFIX[/LEN]] [\-g PREFIX[/LEN]] [\-B LINK_ADDR] [\-G LINK_ADDR] [\-F N_SOURCES] [\-T N_PORTS] [\-L] [\-l] [\-p PROBE_MODE] [\-z SECONDS] [\-r RATE] [\-v] [\-h]
.SH DESCRIPTION
.B udp6
allows the assessment of IPv6 implementations with respect to a variety of attack vectors based on UDP/IPv6 datagrams. This tool is part of the SI6 Networks' IPv6 Toolkit: a security assessment and troubleshooting toolkit for the IPv6 protocols.
.B udp6
tool has two modes of operation: active and listening. In active mode, the tool attacks a specific target, while in listening mode the tool listens to UDP traffic on the local network, and launches an attack in response to such traffic. Active mode is employed if an IPv6 Destination Address is specified. Listening mode is employed if the "\-L" option (or its long counterpart "\-\-listen") is set. If both an attack target and the "\-L" option are specified, the attack is launched against the specified target, and then the tool enters listening mode to respond incoming packets with UDP datagrams.
.B udp6
supports filtering of incoming packets based on the Ethernet Source Address, the Ethernet Destination Address, the IPv6 Source Address, and the IPv6 Destination Address. There are two types of filters: "block filters" and "accept filters". If any "block filter" is specified, and the incoming packet matches any of those filters, the message is discarded (and thus no UDP datagrams are sent in response). If any "accept filter" is specified, incoming packets must match the specified filters in order for the tool to respond with UDP datagrams.
.SH OPTIONS
.B udp6
takes itS parameters as command\-line options. Each of the options can be specified with a short name (one character preceded with the hyphen character, as e.g. "\-i") or with a long name (a string preceded with two hyphen characters, as e.g. "\-\-interface").
If the tool is instructed to e.g. flood the victim with UDP datagrams from different sources ("\-\-flood\-sources" option), multiple packets may need to be generated.
udp6 supports IPv6 Extension Headers, including the IPv6 Fragmentation Header, which might be of use to circumvent layer-2 filtering and/or Network Intrusion Detection Systems (NIDS). However, IPv6 extension headers are not employed by default, and must be explicitly enabled with the corresponding options.
.TP
.BI \-i\ INTERFACE ,\ \-\-interface\ INTERFACE
This option specifies the network interface that the tool will use. The network interface must be specified (i.e., the tool does not select any network interface "by default").
.TP
.BI \-S\ SRC_LINK_ADDR ,\ \-\-src\-link\-address\ SRC_LINK_ADDR
This option specifies the link-layer Source Address of the probe packets. If left unspecified, the link-layer Source Address of the packets is set to the real link-layer address of the network interface. Note: this option is meaningful only when the underlying link-layer technology is Ethernet.
.TP
.BI \-D\ DST_LINK_ADDR ,\ \-\-dst\-link\-address\ DST_LINK_ADDR
This option specifies the link-layer Destination Address of the probe packets. By default, the link-layer Destination Address is automatically set to the link-layer address of the destination host (for on-link destinations) or to the link-layer address of the first-hop router. Note: this option is meaningful only when the underlying link-layer technology is Ethernet.
.TP
.BI \-s\ SRC_ADDR ,\ \-\-src\-address\ SRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used for the Source Address of the attack packets. If the "\-F" ("\-\-flood\-sources") option is specified, this option includes an IPv6 prefix, from which random addresses are selected. See the description of the "\-F" option for further information on how the "\-s" option is processed in that specific case.
Note: When operating in "listening" mode, the Source Address is automatically set to the Destination Address of the incoming packet.
.TP
.BI \-d\ DST_ADDR ,\ \-\-dst\-address\ DST_ADDR
This option specifies the IPv6 Destination Address of the victim. It can be left unspecified only if the "\-L" option is selected (i.e., if the tool is to operate in "listening" mode).
Note: When operating in "listening" mode, the Destination Address is automatically set to the Source Address of the incoming packet.
.TP
.BI \-A\ HOP_LIMIT ,\ \-\-hop\-limit\ HOP_LIMIT
This option specifies the Hop Limit to be used for the IPv6 packets. It defaults to 255.
.TP
.BI \-u\ HDR_SIZE ,\ \-\-dst\-opt\-hdr\ HDR_SIZE
This option specifies that a Destination Options header is to be included in the outgoing packet(s). The extension header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-u" options.
.TP
.BI \-U\ HDR_SIZE ,\ \-\-dst\-opt\-u\-hdr\ HDR_SIZE
This option specifies a Destination Options header to be included in the "unfragmentable part" of the outgoing packet(s). The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-U" options.
.TP
.BI \-H\ HDR_SIZE ,\ \-\-hbh\-opt\-hdr\ HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the outgoing packet(s). The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop-by-Hop Options headers may be specified by means of multiple "\-H" options.
.TP
.BI \-y\ FRAG_SIZE ,\ \-\-frag\-hdr\ FRAG_SIZE
This option specifies that the resulting packet must be fragmented. The fragment size must be specified as an argument to this option.
.TP
.BI \-P\ PAYLOAD_SIZE ,\ \-\-payload\-size\ PAYLOAD_SIZE
This options specifies the size of the UDP payload. It defaults to 0 (i.e., empty UDP datagrams).
.TP
.BI \-o\ SRC_PORT ,\ \-\-src\-port\ SRC_PORT
This option specifies the UDP Source Port.
.TP
.BI \-a\ DST_PORT ,\ \-\-dst\-port\ DST_PORT
This option specifies the UDP Destination Port.
.TP
.BI \-Z\ DATA ,\ \-\-data\ DATA
This option is used to specify the UDP payload. It will typically include an application-layer request. Note: the string used for the DATA parameter can contain the "\\r" and "\\n" C\-style escape senquenced for representing "carriage return" and "line feed" (respectively).
As an example, this option could be employed to send an HTTP request if set as '\-\-data "GET / HTTP/1.0\\r\\n\\r\\n"'.
.TP
.BI \-j\ SRC_ADDR ,\ \-\-block\-src\ SRC_ADDR
This option sets a block filter for the incoming packets, based on their IPv6 Source Address. It allows the specification of an IPv6 prefix in the form "\-j prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128" is selected (i.e., the option assumes that a single IPv6 address, rather than an IPv6 prefix, has been specified).
.TP
.BI \-k\ DST_ADDR ,\ \-\-block\-dst\ DST_ADDR
This option sets a block filter for the incoming packets, based on their IPv6 Destination Address. It allows the specification of an IPv6 prefix in the form "\-k prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128" is selected (i.e., the option assumes that a single IPv6 address, rather than an IPv6 prefix, has been specified).
.TP
.BI \-J\ LINK_ADDR ,\ \-\-block\-link\-src\ LINK_ADDR
This option sets a block filter for the incoming packets, based on their link-layer Source Address. The option must be followed by a link-layer address (currently, only Ethernet is supported).
.TP
.BI \-K\ LINK_ADDR ,\ \-\-block\-link\-dst\ LINK_ADDR
This option sets a block filter for the incoming packets, based on their link-layer Destination Address. The option must be followed by a link-layer address (currently, only Ethernet is supported).
.TP
.BI \-b\ SRC_ADDR ,\ \-\-accept\-src\ SRC_ADDR
This option sets an accept filter for the incoming packets, based on their IPv6 Source Address. It allows the specification of an IPv6 prefix in the form "\-b prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128" is selected (i.e., the option assumes that a single IPv6 address, rather than an IPv6 prefix, has been specified).
.TP
.BI \-g\ DST_ADDR ,\ \-\-accept\-dst\ DST_ADDR
This option sets a accept filter for the incoming packets, based on their IPv6 Destination Address. It allows the specification of an IPv6 prefix in the form "\-g prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128" is selected (i.e., the option assumes that a single IPv6 address, rather than an IPv6 prefix, has been specified).
.TP
.BI \-B\ LINK_ADDR ,\ \-\-accept\-link\-src\ LINK_ADDR
This option sets an accept filter for the incoming packets, based on their link-layer Source Address. The option must be followed by a link-layer address (currently, only Ethernet is supported).
.TP
.BI \-G\ LINK_ADDR ,\ \-\-accept\-link\-dst\ LINK_ADDR
This option sets an accept filter for the incoming packets, based on their link-layer Destination Address. The option must be followed by a link-layer address (currently, only Ethernet is supported).
.TP
.BI \-F\ N_SOURCES ,\ \-\-flood\-sources\ N_SOURCES
This option instructs the tool to send multiple UDP datagrams with different Source Addresses. The number of different source addresses is specified as "\-F number". The Source Address of each UDP datagram is randomly selected from the prefix specified by the "\-s" option. If the "\-F" option is specified but the "\-s" option is left unspecified, the Source Address of the packets is randomly selected from the prefix ::/0.
.TP
.BI \-T\ N_PORTS ,\ \-\-flood\-ports\ N_PORTS
This option instructs the tool to send multiple UDP datagrams with different Source Ports. The Source Port of each UDP datagram is randomly selected from the whole port number space (0\-65535).
.TP
.BR \-l\| ,\ \-\-loop
This option instructs the udp6 tool to send periodic UDP datagrams to the victim node. The amount of time to pause between sending UDP datagrams can be specified by means of the "\-z" option, and defaults to 1 second. Note that this option cannot be set in conjunction with the "\-L" ("\-\-listen") option.
.TP
.BR \-z\| ,\ \-\-sleep
This option specifies the amount of time to pause between sending UDP datagrams (when the "\-\-loop" option is set). If left unspecified, it defaults to 1 second.
.TP
.BI \-r\ RATE ,\ \-\-rate\-limit\ RATE
This option specifies the rate limit to use when performing a remote address scan. "RATE" should be specified as "xbps" or "xpps" (with "x" being an unsigned integer), for rate-limits in bits per second or packets per second, respectively.
.TP
.BR \-L\| ,\ \-\-listen
This instructs the udp6 tool to operate in listening mode (possibly after attacking a given node). Note that this option cannot be used in conjunction with the "\-l" ("\-\-loop") option.
.TP
.BI \-p\ PROBE_MODE ,\ \-\-probe\-mode\ PROBE_MODE
This option instructs th too to operate in probe mode. The specific probe mode is specified as an argument to this option (currently, only "script" mode is supported). In probe mode,
.B the udp6
sends probe datagrams, and waits for response packets. The response packets are decoded based on the selected probe mode.
In the "script" probe mode, the tool decodes UDP datagrams as follows:
RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...
Where the string RESPONSE is fixed, and RESPONSE_TYPE indicates the response received. As of this version of the tool, the following RESPONSE_TYPE values are supported:
\+ UDP6: Indicates that the tool received a UDP/IPv6 packet
\+ TIMEOUT: Indicates that the tool received no response
Possibe output lines of the tool are:
RESPONSE:TIMEOUT:
RESPONSE:UDP6:
Note: Future versions of the tool will also decode ICMPv6 error messages, and will include additional data regarding the incoming UDP datagrams (e.g., payload size).
.TP
.BR \-v\| ,\ \-\-verbose
This option instructs the udp6 tool to be verbose. When the option is set twice, the tool is "very verbose", and the tool also informs which packets have been accepted or discarded as a result of applying the specified filters.
.TP
.BR \-h\| ,\ \-\-help
Print help information for the
.B udp6
tool.
.SH EXAMPLES
The following sections illustrate typical use cases of the
.B udp6
tool.
\fBExample #1\fR
# udp6 \-s fc00:1::/64 \-d fc00:1::1 \-a 22 \-F 100 \-l \-z 1 \-v
In this example the
.B udp6
tool is essentially employed to flood port number 22 of the host fc00:1::1. The tool sends UDP datagrams from the prefix fc00:1::/64 (as specified by the "\-s" option) to port 22 (specified by the "\-a" option) at the destination address fc00:1::1 (specified by the "\-d" option). The tool sends UDP datagrams from 100 different addresses (as specified by the "\-F" option) every one second (as specified by the "\-l" and "\-z" options). The tool will be verbose (as specified by the "\-v" option).
\fBExample #3\fR
# udp6 \-d fc00:1::1 \-a 80 \-l \-r 1pps \-v \-\-data "GET / HTTP/1.0\\r\\n\\r\\n"
Flood the target system (fc00:1::1) with UDP datagrams at a rate of one packet per second. Each UDP datagram will contain (in the payload) the string specified via the "\-\-data" option.
\fBExample #4\fR
# udp6 \-i eth0 \-d fc00:1::1 \-a 80 \-L \-s fc00:1::/112 \-l \-r 1000pps \-\-udp\-flags auto \-v \-\-data "GET / HTTP/1.0\\r\\n\\r\\n" \-\-flood\-ports 10 \-\-window\-mode close
Flood the target node (fc00:1::1) with UDP connections (on port 80). On each connection that is established, an HTTP request is sent, and the UDP window is immediately closed. For each forged IPv6 source address ten different UDP source ports are randomized. The bandwidth of the attack is limited to 1000 pps.
\fBExample #5\fR
# udp6 \-d fc00:1::1 \-a 80 \-\-udp\-flags A \-\-dst-opt-hdr 8 \-\-payload\-size 50 \-\-probe\-mode script
Send a probe UDP datagram to UDP port 80 at fc00:1::1. The probe packet consists of an IPv6 packet with a Destination Options header of 8 bytes, and an IPv6 payload consisting of a UDP datagram with the ACK bit set, and 50 data bytes. The probe mode is "script".
.SH AUTHOR
The
.B udp6
tool and the corresponding manual pages were produced by Fernando Gont
.I <fgont@si6networks.com>
for SI6 Networks
.IR <http://www.si6networks.com> .
.SH COPYRIGHT
Copyright (c) 2011\-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .
|
