tcp6 - Online in the Cloud

NAME


tcp6 - A security assessment tool for TCP/IPv6 implementations

SYNOPSIS


tcp6 -i INTERFACE [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR] [-s SRC_ADDR[/LEN]] [-d DST_ADDR]
[-A HOP_LIMIT] [-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H
HBH_OPT_HDR_SIZE] [-c OPEN_TYPE] [-C CLOSE_TYPE] [-P PAYLOAD_SIZE] [-o SRC_PORT] [-a
DST_PORT] [-X TCP_FLAGS] [-q TCP_SEQ] [-Q TCP_ACK] [-V TCP_URP] [-w TCP_WIN] [-W
WINDOW_MODE] [-M WIN_MOD_MODE] [-Z DATA] [-N] [-n] [-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J
LINK_ADDR] [-K LINK_ADDR] [-b PREFIX[/LEN]] [-g PREFIX[/LEN]] [-B LINK_ADDR] [-G
LINK_ADDR] [-F N_SOURCES] [-T N_PORTS] [-f] [-R] [-L] [-l] [-p PROBE_MODE] [-z SECONDS]
[-r RATE] [-v] [-h]

DESCRIPTION


tcp6 tool allows the assessment of IPv6 implementations with respect to a variety of
attack vectors based on TCP/IPv6 segments. This tool is part of the SI6 Networks' IPv6
Toolkit: a security assessment suite for the IPv6 protocols.

tcp6 can be employed to perform specific TCP connection-establishment and connection-
termination sequences. For example, it can be employed to simulate a TCP "simultaneous
open" scenario (see the "--open-mode" option) or to simulate a TCP "simultaneous close"
scenario (see the "--close-mode" option). It can be employed to perform a number of
resource-exhaustion attacks against TCP, such as SYN-flooding attacks, connection-flooding
attacks (see the "--flood-sources" and "--flood-ports" options), etc. Additionally, it can
be employed to exploit attack vectors based on the TCP window (see the "--window" option).

tcp6 tool has two modes of operation: active and listening. In active mode, the tool
attacks a specific target, while in listening mode the tool listens to TCP traffic on the
local network, and launches an attack in response to such traffic. Active mode is employed
if an IPv6 Destination Address is specified. Listening mode is employed if the "-L" option
(or its long counterpart "--listen") is set. If both an attack target and the "-L" option
are specified, the attack is launched against the specified target, and then the tool
enters listening mode to respond to incoming packets with TCP segments.

tcp6 supports filtering of incoming packets based on the Ethernet Source Address, the
Ethernet Destination Address, the IPv6 Source Address, and the IPv6 Destination Address.
There are two types of filters: "block filters" and "accept filters". If any "block
filter" is specified, and the incoming packet matches any of those filters, the message is
discarded (and thus no TCP segments are sent in response). If any "accept filter" is
specified, incoming packets must match the specified filters in order for the tool to
respond with TCP segments.

OPTIONS


tcp6 takes its parameters as command-line options. Each of the options can be specified
with a short name (one character preceded with the hyphen character, as e.g. "-i") or with
a long name (a string preceded with two hyphen characters, as e.g. "--interface").

If the tool is instructed to e.g. flood the victim with TCP segments from different
sources ("--flood-sources" option), multiple packets may need to be generated.

tcp6 supports IPv6 Extension Headers, including the IPv6 Fragmentation Header, which might
be of use to circumvent layer-2 filtering and/or Network Intrusion Detection Systems
(NIDS). However, IPv6 extension headers are not employed by default, and must be
explicitly enabled with the corresponding options.

-i INTERFACE, --interface INTERFACE

This option specifies the network interface that the tool will use. The network
interface must be specified (i.e., the tool does not select any network interface
"by default").

-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

This option specifies the link-layer Source Address of the probe packets. If left
unspecified, the link-layer Source Address of the packets is set to the real link-
layer address of the network interface. Note: this option is meaningful only when
the underlying link-layer technology is Ethernet.

-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

This option specifies the link-layer Destination Address of the probe packets. By
default, the link-layer Destination Address is automatically set to the link-layer
address of the destination host (for on-link destinations) or to the link-layer
address of the first-hop router. Note: this option is meaningful only when the
underlying link-layer technology is Ethernet.

-s SRC_ADDR, --src-address SRC_ADDR

This option specifies the IPv6 source address (or IPv6 prefix) to be used for the
Source Address of the attack packets. If the "-F" ("--flood-sources") option is
specified, this option includes an IPv6 prefix, from which random addresses are
selected. See the description of the "-F" option for further information on how the
"-s" option is processed in that specific case.

Note: When operating in "listening" mode, the Source Address is automatically set
to the Destination Address of the incoming packet.

-d DST_ADDR, --dst-address DST_ADDR

This option specifies the IPv6 Destination Address of the victim. It can be left
unspecified only if the "-L" option is selected (i.e., if the tool is to operate in
"listening" mode).

Note: When operating in "listening" mode, the Destination Address is automatically
set to the Source Address of the incoming packet.

-A HOP_LIMIT, --hop-limit HOP_LIMIT

This option specifies the Hop Limit to be used for the IPv6 packets. It defaults to
255.

-u HDR_SIZE, --dst-opt-hdr HDR_SIZE

This option specifies that a Destination Options header is to be included in the
outgoing packet(s). The extension header size must be specified as an argument to
this option (the header is filled with padding options). Multiple Destination
Options headers may be specified by means of multiple "-u" options.

-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

This option specifies a Destination Options header to be included in the
"unfragmentable part" of the outgoing packet(s). The header size must be specified
as an argument to this option (the header is filled with padding options). Multiple
Destination Options headers may be specified by means of multiple "-U" options.

-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

This option specifies that a Hop-by-Hop Options header is to be included in the
outgoing packet(s). The header size must be specified as an argument to this option
(the header is filled with padding options). Multiple Hop-by-Hop Options headers
may be specified by means of multiple "-H" options.

-y FRAG_SIZE, --frag-hdr FRAG_SIZE

This option specifies that the resulting packet must be fragmented. The fragment
size must be specified as an argument to this option.

-P PAYLOAD_SIZE, --payload-size PAYLOAD_SIZE

This option specifies the size of the TCP payload. It defaults to 0 (i.e., empty
TCP segments).

-o SRC_PORT, --src-port SRC_PORT

This option specifies the TCP Source Port.

-a DST_PORT, --dst-port DST_PORT

This option specifies the TCP/UDP Destination Port.

-X TCP_FLAGS, --tcp-flags TCP_FLAGS

This option is used to set specific TCP flags. The flags are specified as "F"
(FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK), "U" (URG), "X" (no flags).

If this option is not set, and the tool operates in listening mode, the flags of
the generated TCP segments are automatically set as follows: TCP segments elicited
by SYNs have both the SYN and ACK flags set. All other TCP segments have the ACK
bit set.

-q SEQ_NUMBER, --tcp-seq SEQ_NUMBER

This option specifies the Sequence Number of the TCP header. If left unspecified,
the Sequence Number is randomized.

If this option is left unspecified and the tool is operating in listening mode, the
TCP Sequence Number is set to the Acknowledgement Number of the packet that
elicited the TCP segment.

-Q ACK_NUMBER, --tcp-ack ACK_NUMBER

This option specifies the Acknowledgment Number of the TCP segment. If left
unspecified, the Acknowledgment Number is randomized.

If this option is left unspecified and the tool is operating in listening mode, the
TCP Sequence Number is set to the Acknowledgement Number of the packet that
elicited the TCP segment.

-V URG_POINTER, --tcp-urg URG_POINTER

This option specifies the Urgent Pointer of the TCP segment. If left unspecified,
the Urgent Pointer is set to 0.

-w TCP_WINDOW, --tcp-win TCP_WINDOW

This option specifies the value of the TCP Window. If left unspecified, the Window
is randomized.

-W WIN_MODE, --window-mode WIN_MODE

This option specifies how to operate the TCP window by means of the WIN_MODE
parameter. Two modes are supported:

+ closed
+ modulated

When the "closed" mode is selected, the TCP window will be set to 0 (i.e., "closed
window"). If the tool establishes new TCP connections, the initial window advertised
during the TCP three-way handshake will be that specified with the '-w' option.
However, once the connection has been established, the TCP window will be set to 0.
This allows for the implementation of the so-called Netkill attack, discussed in
Section 7.1.1 of the document "Security Assessment of the Transmission Control
Protocol (TCP)" (available at:
<http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>).

When the "modulated" mode is selected, the TCP window will alternate between two
different values. These values, along with the amount of time that each of them is
"active", can be specified by means of the '-M' ("--win-modulation") option. The
first of the aforementioned values is meant to close the window (hence it will
typically be zero), while the second is meant to open the window. The goal of
alternating between these two values is to circumvent a trivial mitigation against
Zero-Window attacks implemented by some stacks, which enforce a limit on the maximum
amount of time that the TCP window advertised by a remote peer remains fully closed
(i.e., set to 0). By changing the advertised window to some other (small) value
every now and then, such a trivial "counter-measure" can be easily circumvented.

-M WIN_MOD_MODE, --win-modulation WIN_MOD_MODE

This option specifies the two values (and their respective duration) over which the
TCP window will alternate. The value WIN_MOD_MODE has the syntax
"WIN1:TIME1:WIN2:TIME2", where the WIN1 and WIN2 parameters specify the window size
for each of these periods, while the TIME1 and TIME2 parameters specify their
respective time lengths. For example, setting "--win-modulation 0:60:10:30" will
cause tcp6 to alternate between advertising a TCP window of 0 bytes for 60 seconds,
and advertising a TCP window of 10 bytes for 30 seconds.

This option will be typically employed along with one of the flooding options
("--flood-sources" and/or "--flood-ports") and the "--data" option, such that
multiple TCP connections are established, and the target TCPs keep their
retransmission buffer full. In this scenario, the TCP window "modulation" option
can be leveraged to evade trivial counter-measures implemented by some TCP stacks
that try to mitigate Zero-Window attacks by enforcing a limit on the maximum amount
of time the TCP window can be in the "closed state".
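
The following is an added example, not part of tcp6 or of the original manual. It expands a WIN1:TIME1:WIN2:TIME2 pattern into a per-second window timeline and shows, from the defender's side, why a timer that counts only a fully closed window never fires against the "0:60:10:30" pattern. The function names, the 120-second limit and the "window smaller than one full segment" policy are assumptions chosen for illustration.

```python
# Added example (not part of tcp6): compares two receiver-window stall checks
# against the window pattern described by "--win-modulation WIN1:TIME1:WIN2:TIME2".

# Assumption: 1280-byte IPv6 minimum MTU - 40 (IPv6 header) - 20 (TCP header).
IPV6_MIN_MSS = 1220


def window_timeline(win_mod_mode, duration_secs):
    """Advertised window for each second of a WIN1:TIME1:WIN2:TIME2 pattern."""
    parts = win_mod_mode.split(":")
    if len(parts) != 4:
        raise ValueError("expected WIN1:TIME1:WIN2:TIME2")
    win1, time1, win2, time2 = (int(p) for p in parts)
    if not (0 <= win1 <= 65535 and 0 <= win2 <= 65535):
        raise ValueError("window must fit the 16-bit TCP Window field")
    if time1 <= 0 or time2 <= 0:
        raise ValueError("durations must be positive")
    period = time1 + time2
    return [win1 if t % period < time1 else win2 for t in range(duration_secs)]


def longest_stall(timeline, usable_window):
    """Longest run of seconds during which the window stayed below usable_window."""
    longest = run = 0
    for window in timeline:
        run = run + 1 if window < usable_window else 0
        longest = max(longest, run)
    return longest


def should_abort(timeline, max_stall_secs, usable_window):
    """True when the connection stalled for longer than the policy allows."""
    return longest_stall(timeline, usable_window) > max_stall_secs


def compare_policies(win_mod_mode, duration_secs=600, max_stall_secs=120):
    """Evaluate both checks over the same observed window timeline."""
    timeline = window_timeline(win_mod_mode, duration_secs)
    return {
        # Trivial mitigation from the text: only a fully closed window (0) counts.
        "zero_window_timer": should_abort(timeline, max_stall_secs, 1),
        # Hypothetical stricter policy: a window too small for one full-sized
        # segment is treated the same as a closed window.
        "sub_mss_timer": should_abort(timeline, max_stall_secs, IPV6_MIN_MSS),
    }


if __name__ == "__main__":
    # Pattern from the manual's example, then a constructed slow-but-honest reader.
    for pattern in ("0:60:10:30", "0:20:65535:5"):
        print(pattern, compare_policies(pattern))
```

The constructed "0:20:65535:5" pattern stands for a slow receiver that reopens its window fully; neither check aborts it.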

-c OPEN_MODE, --open-mode OPEN_MODE

This option specifies the connection-establishment mode. The following modes are
available:

+ simultaneous
+ passive
+ abort

When the "simultaneous" mode is selected, tcp6 will respond to incoming SYN
segments with other SYN segments, thus simulating a "simultaneous open" scenario.
When the "passive" mode is selected, tcp6 will respond to incoming SYN segments
with the typical SYN/ACK segments, thus leading to the traditional "three-way
handshake". Finally, when the "abort" mode is selected, tcp6 will respond to
incoming SYN segments with RST segments, thus aborting the incoming connections.

For the most part, this option is useful for assessing the correct behavior of TCP
implementations (e.g., support for "simultaneous opens").

-C CLOSE_MODE, --close-mode CLOSE_MODE

This option specifies the connection-termination mode. The following modes are
available:

+ simultaneous
+ passive
+ abort
+ active
+ FIN-WAIT-1
+ FIN-WAIT-2
+ LAST-ACK

When the "simultaneous" mode is selected, tcp6 will respond to incoming FIN
segments with FIN segments, thus simulating a "simultaneous close" scenario. When
the "passive" mode is selected, tcp6 will respond to incoming FIN segments with the
typical FIN/ACK segments, thus leading to the traditional TCP connection-
termination sequence. When the "abort" mode is selected, tcp6 will respond to
incoming FIN segments with RST segments, thus aborting the corresponding
connections. When the "active" mode is selected, tcp6 will start the
connection-termination sequence by sending a FIN segment.

The FIN-WAIT-1, FIN-WAIT-2, and LAST-ACK modes will result in connections in the
FIN-WAIT-1, FIN-WAIT-2, and LAST-ACK states, respectively. It should be noted that in
order for the remote TCPs to transition to the FIN-WAIT-1 or FIN-WAIT-2 states, the
remote TCPs must perform the "active close". This can be trivially triggered for
application protocols such as HTTP, but might not be feasible for other protocols.

-Z DATA, --data DATA

This option is used to specify a payload that should be sent as the first data
segment once a TCP connection has been established. It will typically include an
application-layer request. Note: the string used for the DATA parameter can contain
the "\r" and "\n" C-style escape sequences for representing "carriage return" and
"line feed" (respectively).

As an example, this option could be employed to send an HTTP request if set as
'--data "GET / HTTP/1.0\r\n\r\n"'.

-N, --not-ack-data

This option instructs tcp6 not to acknowledge the TCP payload of incoming segments
(when operating in listening mode).

Note: By default, tcp6 will acknowledge both the payload and the flags of the
incoming TCP segments.

-n, --not-ack-flags

This option instructs tcp6 not to acknowledge the TCP flags (SYN and/or FIN) of
incoming segments (when operating in listening mode).

Note: By default, tcp6 will acknowledge both the payload and the flags of the
incoming TCP segments.

-j SRC_ADDR, --block-src SRC_ADDR

This option sets a block filter for the incoming packets, based on their IPv6
Source Address. It allows the specification of an IPv6 prefix in the form "-j
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).

-k DST_ADDR, --block-dst DST_ADDR

This option sets a block filter for the incoming packets, based on their IPv6
Destination Address. It allows the specification of an IPv6 prefix in the form "-k
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).

-J LINK_ADDR, --block-link-src LINK_ADDR

This option sets a block filter for the incoming packets, based on their link-layer
Source Address. The option must be followed by a link-layer address (currently,
only Ethernet is supported).

-K LINK_ADDR, --block-link-dst LINK_ADDR

This option sets a block filter for the incoming packets, based on their link-layer
Destination Address. The option must be followed by a link-layer address
(currently, only Ethernet is supported).

-b SRC_ADDR, --accept-src SRC_ADDR

This option sets an accept filter for the incoming packets, based on their IPv6
Source Address. It allows the specification of an IPv6 prefix in the form "-b
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).

-g DST_ADDR, --accept-dst DST_ADDR

This option sets an accept filter for the incoming packets, based on their IPv6
Destination Address. It allows the specification of an IPv6 prefix in the form "-g
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).

-B LINK_ADDR, --accept-link-src LINK_ADDR

This option sets an accept filter for the incoming packets, based on their link-
layer Source Address. The option must be followed by a link-layer address
(currently, only Ethernet is supported).

-G LINK_ADDR, --accept-link-dst LINK_ADDR

This option sets an accept filter for the incoming packets, based on their link-
layer Destination Address. The option must be followed by a link-layer address
(currently, only Ethernet is supported).

-F N_SOURCES, --flood-sources N_SOURCES

This option instructs the tool to send multiple TCP segments with different Source
Addresses. The number of different source addresses is specified as "-F number".
The Source Address of each TCP segment is randomly selected from the prefix
specified by the "-s" option. If the "-F" option is specified but the "-s" option
is left unspecified, the Source Address of the packets is randomly selected from
the prefix ::/0.

-T N_PORTS, --flood-ports N_PORTS

This option instructs the tool to send multiple TCP segments with different Source
Ports. The Source Port of each TCP segment is randomly selected from the whole port
number space (0-65535).

-l, --loop

This option instructs the tcp6 tool to send periodic TCP segments to the victim
node. The amount of time to pause between sending TCP segments can be specified by
means of the "-z" option, and defaults to 1 second. Note that this option cannot be
set in conjunction with the "-L" ("--listen") option.

-z SECONDS, --sleep SECONDS

This option specifies the amount of time to pause between sending TCP segments
(when the "--loop" option is set). If left unspecified, it defaults to 1 second.

-r RATE, --rate-limit RATE

This option specifies the rate limit to use when performing a remote address scan.
"RATE" should be specified as "xbps" or "xpps" (with "x" being an unsigned
integer), for rate-limits in bits per second or packets per second, respectively.

-L, --listen

This instructs the tcp6 tool to operate in listening mode (possibly after attacking
a given node). Note that this option cannot be used in conjunction with the "-l"
("--loop") option.

-p PROBE_MODE, --probe-mode PROBE_MODE

This option instructs tcp6 to operate in probe mode. The specific probe mode is
specified as an argument to this option (currently, only "script" mode is
supported). In probe mode, tcp6 sends probe segments, and waits for response
packets. The response packets are decoded based on the selected probe mode.

In the "script" probe mode, the tool decodes TCP segments as follows:

RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...

Where the string RESPONSE is fixed, and RESPONSE_TYPE indicates the response
received. As of this version of the tool, the following RESPONSE_TYPE values are
supported:

+ TCP6: Indicates that the tool received a TCP/IPv6 packet
+ TIMEOUT: Indicates that the tool received no response

If RESPONSE_TYPE is TCP6, RESPONSE code contains the TCP flags set in the received
TCP segment. The TCP flags are encoded as "F" (FIN), "S" (SYN), "R" (RST), "P"
(PSH), "A" (ACK), and "U" (URG).

Possible output lines of the tool are:

RESPONSE:TIMEOUT:
RESPONSE:TCP6:RA:

Note: Future versions of the tool will also decode ICMPv6 error messages, and will
include additional data regarding the incoming TCP segments (e.g., ACK value,
payload size, etc.).
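
The following is an added example, not part of tcp6 or of the original manual: a decoder for the "script" probe mode lines described above, for use when collecting results in an assessment report. The function names and the sample output are constructed for illustration; fields beyond RESPONSE_DECODE are ignored, since the manual says later versions may append more data.

```python
# Added example (not part of tcp6): decoder for "--probe-mode script" output lines
# of the form RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...
from collections import Counter

# Flag letters as listed in the manual for the "script" probe mode.
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}

# Constructed sample: three probe results mixed with a non-RESPONSE line.
SAMPLE_OUTPUT = """\
RESPONSE:TCP6:RA:
RESPONSE:TIMEOUT:
some other line printed by the tool
RESPONSE:TCP6:RA:
RESPONSE:TCP6:SA:
"""


def parse_response(line):
    """Return (response_type, [flag names]) for one RESPONSE:... line."""
    fields = line.strip().split(":")
    if len(fields) < 3 or fields[0] != "RESPONSE":
        raise ValueError(f"not a script-mode response line: {line!r}")
    response_type, decode = fields[1], fields[2]
    if response_type == "TIMEOUT":
        return response_type, []
    if response_type != "TCP6":
        raise ValueError(f"unsupported RESPONSE_TYPE: {response_type!r}")
    unknown = sorted(set(decode) - set(FLAG_NAMES))
    if unknown:
        raise ValueError(f"unknown TCP flag letters: {unknown}")
    return response_type, [FLAG_NAMES[letter] for letter in decode]


def summarize(output):
    """Tally responses in captured output, skipping lines that are not RESPONSE lines."""
    tally = Counter()
    for line in output.splitlines():
        if not line.startswith("RESPONSE:"):
            continue
        response_type, flags = parse_response(line)
        key = response_type if not flags else response_type + ":" + "+".join(flags)
        tally[key] += 1
    return tally


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_OUTPUT).items()):
        print(f"{count:3d}  {key}")
```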

-v, --verbose

This option instructs the tcp6 tool to be verbose. When the option is set twice,
the tool is "very verbose", and the tool also informs which packets have been
accepted or discarded as a result of applying the specified filters.

-h, --help

Print help information for the tcp6 tool.

EXAMPLES


The following sections illustrate typical use cases of the tcp6 tool.

Example #1

# tcp6 -i eth0 -s fc00:1::/64 -d fc00:1::1 -a 22 -X S -F 100 -l -z 1 -v

In this example the tcp6 tool is essentially employed to perform a SYN-flood attack
against port number 22 of the host fc00:1::1. The tool uses the network interface "eth0"
(as specified by the "-i" option), and sends SYN segments (as specified by the "-X"
option) from the prefix fc00:1::/64 (as specified by the "-s" option) to port 22
(specified by the "-a" option) at the destination address fc00:1::1 (specified by the "-d"
option). The tool sends TCP segments from 100 different addresses (as specified by the
"-F" option) every one second (as specified by the "-l" and "-z" options). The tool will
be verbose (as specified by the "-v" option).

Example #2

# tcp6 -i eth0 -L -X RA -v

In this example, the tcp6 tool is employed to perform a TCP connection-reset attack
against all active TCP connections in the local network. The tool listens ("-L") on the
interface eth0 ("-i eth0"), and responds to any TCP segments with a RST packet (with both
the RST and ACK bits set). The tool will be verbose.

Example #3

# tcp6 -i eth0 -d fc00:1::1 -a 80 -L -s fc00:1::/112 -l -r 1pps -v --data "GET / HTTP/1.0\r\n\r\n" --close-mode last-ack --flood-ports 10

Flood the target system (fc00:1::1) with connections that stay in the LAST-ACK state (on
port 80), sending packets at a rate of one packet per second. For each forged address, 10
different (forged) ports are used. For each connection, tcp6 will send an HTTP application
request.

Example #4

# tcp6 -i eth0 -d fc00:1::1 -a 80 -L -s fc00:1::/112 -l -r 1000pps --tcp-flags auto -v --data "GET / HTTP/1.0\r\n\r\n" --flood-ports 10 --window-mode close

Flood the target node (fc00:1::1) with TCP connections (on port 80). On each connection
that is established, an HTTP request is sent, and the TCP window is immediately closed.
For each forged IPv6 source address ten different TCP source ports are randomized. The
bandwidth of the attack is limited to 1000 pps.

Example #5

# tcp6 -d fc00:1::1 -a 80 --tcp-flags A --dst-opt-hdr 8 --payload-size 50 --probe-mode script

Send a probe TCP segment to TCP port 80 at fc00:1::1. The probe packet consists of an IPv6
packet with a Destination Options header of 8 bytes, and an IPv6 payload consisting of a
TCP segment with the ACK bit set, and 50 data bytes. The probe mode is "script".
