Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
FRAG6(1)		    General Commands Manual		      FRAG6(1)

NAME
       frag6 - A security assessment tool for IPv6 fragmentation

SYNOPSIS
       frag6  [-i INTERFACE] -d	DST_ADDR [-S LINK_SRC_ADDR] [-D	LINK-DST-ADDR]
       [-s  SRC_ADDR[/LEN]]   [-A   HOP_LIMIT]	 [-u   DST_OPT_HDR_SIZE]   [-U
       DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-P FRAG_SIZE]	[-O FRAG_TYPE]
       [-o FRAG_OFFSET]	[-I FRAG_ID] [-T] [-n] [-p | -W	|  -X  |  -F  N_FRAGS]
       [-l] [-z	SECONDS] [-v] [-h]

DESCRIPTION
       frag6  is  a  security assessment tool for attack vectors based on IPv6
       fragments. It is	part of	the SI6	Networks' IPv6 Toolkit:	a security as-
       sessment	and trouble-shooting suite for the IPv6	protocols.

OPTIONS
       frag6  takes it parameters as command-line options. Each	of the options
       can be specified	with a short name (one character preceded with the hy-
       phen  character,	 as  e.g. "-i")	or with	a long name (a string preceded
       with two	hyphen characters, as e.g. "--interface").

       -i INTERFACE, --interface INTERFACE
	      This option specifies the	network	interface that the  tool  will
	      use.  If	the  destination address ("-d" option) is a link-local
	      address, the interface must be explicitly	specified. The	inter-
	      face  may	 also  be  specified along with	a destination address,
	      with the "-d" option.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

	      This option specifies the	link-layer Source Address of the probe
	      packets.	If  left unspecified, the link-layer Source Address of
	      the packets is set to the	real link-layer	address	of the network
	      interface.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

	      This  option specifies the link-layer Destination	Address	of the
	      probe packets. By	default, the link-layer	Destination Address is
	      automatically  set  to the link-layer address of the destination
	      host (for	on-link	destinations) or to the	link-layer address  of
	      the first-hop router.

       -s SRC_ADDR, --src-address SRC_ADDR

	      This  option  specifies the IPv6 source address (or IPv6 prefix)
	      to be used for the Source	Address	of the outgoing	packets. If an
	      IPv6  prefix is specified, the IPv6 Source Address of the	outgo-
	      ing packets will be randomized from that prefix.

       -d DST_ADDR, --dst-address DST_ADDR

	      This option specifies the	IPv6 Destination Address of the	target
	      node. This option	cannot be left unspecified.

       -A HOP_LIMIT, --hop-limit HOP_LIMIT

	      This  option  specifies  the  Hop	 Limit to be used for the IPv6
	      packets. By default, the Hop Limit is randomized.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

	      This option specifies that a Destination Options header is to be
	      included	in  the	 outgoing packet(s). The extension header size
	      must be specified	as an argument to this option (the  header  is
	      filled with padding options). Multiple Destination Options head-
	      ers may be specified by means of multiple	"-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

	      This option specifies a Destination Options  header  to  be  in-
	      cluded  in  the "unfragmentable part" of the outgoing packet(s).
	      The header size must be specified	as an argument to this	option
	      (the  header  is filled with padding options). Multiple Destina-
	      tion Options headers may be specified by means of	multiple  "-U"
	      options.

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

	      This  option specifies that a Hop-by-Hop Options header is to be
	      included in the outgoing packet(s).  The	header	size  must  be
	      specified	 as  an	 argument to this option (the header is	filled
	      with padding options). Multiple Hop-by-Hop Options  headers  may
	      be specified by means of multiple	"-H" options.

       -P FRAG_SIZE, --frag-size FRAG_SIZE

	      This option specifies the	IPv6 fragment payload size.

       -O FRAG_TYPE, --frag-type FRAG_TYPE

	      This  option  specifies  the fragment "type". Possible types are
	      "first", "middle", "last", and "atomic". If the  selected	 frag-
	      ment  type  is "first", the Fragment Offset is automatically set
	      to 0, and	the "M"	("More fragments") bit is set to 1. If the se-
	      lected  fragment type is "middle", the Fragment Offset is	set to
	      a	non-zero value,	and the	"M" bit	is set to 1. If	 the  selected
	      fragment	type  is  "last", the Fragment Offset is set to	a non-
	      zero value, and the "M" bit is set to 0.	Finally,  if  the  se-
	      lected  fragment type is "atomic", the Fragment Offset is	set to
	      0, and the "M" bit is set	to 0.

       -o FRAG_OFFSET, --frag-offset FRAG_OFFSET

	      This option specifies the	Fragment Offset. The  Fragment	Offset
	      specified	by means of this option	overrides the value implicitly
	      specified	by means of the	"-O" option.

       -I FRAG_ID, --frag-id FRAG_ID

	      This option specifies the	fragment  "Identification"  value.  If
	      left unspecified,	the "Identification" value is randomized.

       -T, --no-timestamp

	      When  assessing  the fragment reassembly policy of a target, the
	      fragment payload includes	a timestamp value that is used to mea-
	      sure  the	 fragment  reassembly  timeout.	If this	option is set,
	      such timestamp will not be included in the payload (and the tool
	      will not be able to measure the fragment reassembly timeout).

       -n, --no-responses

	      This  option  instructs  the  frag6  tool	not to display the re-
	      sponses to the fragments sent. This option is useful  when  per-
	      forming  a  fragmentation-flooding  attack, as multiple response
	      packets (ICMPv6 errors) might be received.

       -p, --frag-reass-policy

	      This option instructs the	tool to	determine  the	IPv6  fragment
	      reassembly  policy  of  the  target.  In	order to determine the
	      aforementioned policy, the tool performs a number	 of  tests  to
	      determine	 how  the target node processes	overlapping fragments.
	      The following figures illustrate the sequence  of	 packets  that
	      correspond to each of the	tests.

	      Test #1

		     Frag. #1:	AAAAAAAAAAA
		     Frag. #2:	       BBBBBBBBBBB

	      Test #2

		     Frag. #1:	AAAAAAAAAA
		     Frag. #2:			  BBBBBBBBBBB
		     Frag. #3:	       CCCCCCCCCCC

	      Test #3

		     Frag. #1:	AAAAAAAAAA
		     Frag. #2:			  BBBBBBBBBBB
		     Frag. #3:		  CCCCCCCCCCC

	      Test #4

		     Frag. #1:	AAAAAAAAAA
		     Frag. #2:			  BBBBBBBBBBB
		     Frag. #3:		  CCCCCCCCCCCCCCCCCCCCCCCCCC

	      Test #5

		     Frag. #1:	AAAAAAAAAA
		     Frag. #2:			  BBBBBBBBBBB
		     Frag. #3:				 CCCCCCCCCCC
		     Frag. #4:		  DDDDDDDD

	  For each of the aforementioned tests,	the tool reports which
		 copy of the data is used by the target	host. If there is no
		 response from the host, the tool informs whether the host
		 silently dropped the fragments, or sent an ICMPv6 Time
		 Exceeded error	message.

       -W, --frag-id-policy

	      This  option instructs the tool to determine the fragment	"Iden-
	      tification" generation policy. The tool sends a number of	 probe
	      packets  to  the	target	node, and samples the "Identification"
	      values of	the corresponding response packets. Based on the  sam-
	      pled  values, it tries to	infer the fragment Identification gen-
	      eration policy of	the target.

	      The tool will first send a number	of fragments from single  IPv6
	      address, such that the per-destination policy is determined. The
	      tool will	then send a number of fragments	from random  IPv6  ad-
	      dresses  (from the same prefix as	the first fragments) such that
	      the "global" fragment Identification generation  policy  can  be
	      inferred.

	      The  tool	computes the expected value and	the standard deviation
	      of the  difference  between  consecutive-sampled	Identification
	      values  (IDn a IDn-1), with the intent of	inferring the fragment
	      Identification algorithm at the target node.

	      For small	values of the standard deviation, the fragment Identi-
	      fication	is  assumed  to	be a monotonically-increasing function
	      with increments of the "expected value". For large values	of the
	      standard deviation, the fragment Identification is assumed to be
	      randomized, and the expected value and  standard	deviation  are
	      informed	to  the	 user,	as  indicators of the "quality"	of the
	      fragment Identification generation algorithm.

       -X, --pod-attack

	      This option instructs the	tool to	perform	a "Ping	of Death"  at-
	      tack against the specified target.

       -F FRAG_NUMBER, --flood-frags FRAG_NUMBER

	      This  option  instructs the tool to send the specified number of
	      fragments	back-to-back to	the target node. This option is	likely
	      to  be  used  in conjunction with	the "-l" option, such that the
	      process is repeated in a loop.

       -l, --loop

	      This option instructs the	frag6 tool to periodically  send  IPv6
	      fragments	 to  the  target node. The amount of time to pause be-
	      tween sending a batch of fragments can be	specified by means  of
	      the "-z" option, and defaults to 1 second.

       -z SECONDS, --sleep SECONDS

	      This  option  specifies  the amount of time that the tool	should
	      pause between  sending  btaches  of  IPv6	 fragments  (when  the
	      "--loop"	option	is set). If left unspecified, it defaults to 1
	      second.

       -v, --verbose

	      This option instructs the	frag6 tool to be verbose.  If this op-
	      tion  is	set  twice and the -W option was set, the tool outputs
	      the sampled Fragment Identification values (in addition to other
	      information).

       -h, --help

	      Print help information for the frag6 tool.

EXAMPLES
       The following sections illustrate typical use cases of the frag6	tool.

       Example #1

       # frag6 --frag-id-policy	-d fc00:1::1 -v

       Assess  the  fragment  Identification  generation  policy  of  the host
       "fc00:1::1". Be verbose.

       Example #2

       # frag6 --frag-reass-policy -d fc00:1::1	-v

       Assess the fragment reassembly policy of	the host "fc00:1::1". Be  ver-
       bose.

       Example #3

       # frag6 --frag-type atomic -d fc00:1::1 -v

       Send an IPv6 atomic fragment to the host	"fc00:1::1". Be	verbose.

       Example #4

       # frag6 -s ::/0 --flood-frags 100 -l -z 5 -d fc00:1::1 -v

       Send  100  fragments  (every  5 seconds)	to the host fc00:1::1, using a
       forged IPv6 Source Address from the  prefix  ::/0.  The	aforementioned
       fragments  should  have	an  offset  of	0, and the M bit set (i.e., be
       first-fragments). Be verbose.

AUTHOR
       The frag6 tool and the corresponding manual pages were produced by Fer-
       nando Gont <fgont@si6networks.com> for SI6 Networks <http://www.si6net-
       works.com>.

COPYRIGHT
       Copyright (c) 2011-2013 Fernando	Gont.

       Permission is granted to	copy, distribute and/or	modify	this  document
       under  the  terms of the	GNU Free Documentation License,	Version	1.3 or
       any later version published by the Free Software	 Foundation;  with  no
       Invariant  Sections,  no	Front-Cover Texts, and no Back-Cover Texts.  A
       copy  of	 the   license	 is   available	  at   _http://www.gnu.org/li-
       censes/fdl.html_.

								      FRAG6(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=frag6&sektion=1&manpath=FreeBSD+12.2-RELEASE+and+Ports>

home | help