Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
NA6(1)			    General Commands Manual			NA6(1)

NAME
       na6  -  A  security  assessment tool for	attack vectors based on	ICMPv6
       Neighbor	Advertisement messages

SYNOPSIS
       na6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-S	LINK_SRC_ADDR]
       [-y   FRAG_SIZE]	 [-u  DST_OPT_HDR_SIZE]	 [-U  DST_OPT_U_HDR_SIZE]  [-H
       HBH_OPT_HDR_SIZE] [-D LINK-DST-ADDR] [-t	TARGET_ADDR[/LEN]]  [-r]  [-c]
       [-o]  [-E  LINK_ADDR]  [-e]  [-j	 PREFIX[/LEN]]	[-k  PREFIX[/LEN]] [-J
       LINK_ADDR] [-K LINK_ADDR] [-w PREFIX[/LEN]] [-b PREFIX[/LEN]] [-g  PRE-
       FIX[/LEN]]   [-B	  LINK_ADDR]  [-G  LINK_ADDR]  [-W  PREFIX[/LEN]]  [-F
       N_SOURCES] [-T N_TARGETS] [-L | -l] [-z]	[-v] [-V] [-h]

DESCRIPTION
       na6 allows the assessment of IPv6 implementations with respect to a va-
       riety  of  attack  vectors  based on ICMPv6 Neighbor Advertisement mes-
       sages. It is part of the	SI6 Networks' IPv6 Toolkit: a security assess-
       ment suite for the IPv6 Protocols.

       This  tool  has	two  modes of operation: active	and passive. In	active
       mode, the tool attacks a	specific target, while	in  passive  mode  the
       tool listens to traffic on the local network, and launches an attack in
       response	to such	traffic. Active	mode is	employed if a destination  ad-
       dress  (IPv6 Destination	Address	or Ethernet Destination	Address) and a
       Target Address are specified. Passive mode is employed if the "-L"  op-
       tion  (or  its  long  counterpart "--listen") is	set. If	both an	attack
       target and the "-L" option are set, the attack is launched against  the
       specified  target, and then the tool enters passive mode	to respond in-
       coming Neighbor Solicitation messages with Neighbor Advertisement  (at-
       tack) packets.

       The  tool supports filtering of incoming	Neighbor Solicitation messages
       based on	the Ethernet Source Address, the Ethernet Destination Address,
       the IPv6	Source Address,	the IPv6 Destination Address, and the Neighbor
       Solicitation Target Address.  There are two types  of  filters:	"block
       filters"	 and "accept filters". If any "block filter" is	specified, and
       the incoming Neighbor Solicitation message matches any  of  those  fil-
       ters, the message is discarded (and thus	no Neighbor Advertisements are
       sent in response). If any "accept filter" is specified, incoming	Neigh-
       bor Solicitation	messages must match the	specified filters in order for
       the na6 tool to respond with Neighbor Advertisement messages.

OPTIONS
       na6 takes its parameters	as command-line	options. Each of  the  options
       can be specified	with a short name (one character preceded with the hy-
       phen character, as e.g. "-i") or	with a long name  (a  string  preceded
       with two	hyphen characters, as e.g. "--interface").

       Depending  on  the amount of information	(i.e., options)	to be conveyed
       into the	Neighbor Advertisements, it may	be necessary for the na6  tool
       to  split  that	information  into more than one	Neighbor Advertisement
       message.	Also, if the tool is  instructed  to  flood  the  victim  with
       Neighbor	 Advertisements	 from different	sources	("--flood-sources" op-
       tion), multiple packets may need	to be  generated.  na6	supports  IPv6
       fragmentation,  which  may  be  of use if a large amount	of information
       needs to	be conveyed within a single  Neighbor  Advertisement  message.
       However,	 IPv6 fragmentation is not enabled by default, and must	be ex-
       plicitly	enabled	with the "-y" option.

       -i INTERFACE, --interface INTERFACE
	      This option specifies the	network	interface that the  tool  will
	      use.  If	the  destination address ("-d" option) is a link-local
	      address, or the "listening" ("-L") mode is selected, the	inter-
	      face  must  be  explicitly  specified. The interface may also be
	      specified	along with a destination address, with	the  "-d"  op-
	      tion.

       -s SRC_ADDR, --src-address SRC_ADDR

	      This  option  specifies the IPv6 source address (or IPv6 prefix)
	      to be used for the Source	Address	of the attack packets. If left
	      unspecified,  a random link-local	unicast	address	(fe80::/64) is
	      selected.

	      If the "-T" ("--flood-targets") option is	specified, this	option
	      includes	an IPv6	prefix.	See the	description of the "-T"	option
	      for further information on how the "-s" option is	 processed  in
	      that specific case.

       -d DST_ADDR, --dst-address DST_ADDR

	      This  option  specifies the IPv6 Destination Address of the vic-
	      tim. If left unspecified,	but the	Ethernet  Destination  Address
	      is  specified,  the  "all-nodes  link-local  multicast"  address
	      (ff02::1)	is selected as the IPv6	Destination Address.

	      When operating in	passive	mode ("-L" option), the	IPv6  Destina-
	      tion Address is selected according to the	IPv6 Source Address of
	      the incoming Neighbor Solicitation message. If the  IPv6	Source
	      Address  of the Neighbor Solicitation is the unspecified address
	      (::), the	"all-nodes link-local multicast" address (ff02::1)  is
	      used as the IPv6 Destination Address. Otherwise, the IPv6	Source
	      Address of the incoming Neighbor Solicitation message is used as
	      the IPv6 Destination Address of the outgoing Neighbor Advertise-
	      ment (attack) messages.

       --hop-limit, -A

	      This option specifies the	Hop Limit to be	used for the  Neighbor
	      Advertisement messages. It defaults to 255. Note that IPv6 nodes
	      are required to check that the Hop Limit	of  incoming  Neighbor
	      Advertisement  messages  is  255.	Therefore, this	option is only
	      useful to	assess whether an IPv6 implementation fails to enforce
	      the aforementioned check.

       -y SIZE,	--frag-hdr SIZE

	      This  option  specifies  that the	resulting packet must be frag-
	      mented. The fragment size	must be	specified as  an  argument  to
	      this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

	      This option specifies that a Destination Options header is to be
	      included in the resulting	packet.	The extension header size must
	      be specified as an argument to this option (the header is	filled
	      with padding options). Multiple Destination Options headers  may
	      be specified by means of multiple	"-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

	      This  option  specifies  a  Destination Options header to	be in-
	      cluded in	the "unfragmentable part" of the resulting packet. The
	      header size must be specified as an argument to this option (the
	      header is	filled with padding options). Multiple Destination Op-
	      tions  headers  may  be  specified by means of multiple "-U" op-
	      tions. This option is only valid if the "-y" option is specified
	      (as  the	concept	of "unfragmentable part" only makes sense when
	      fragmentation is employed).

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

	      This option specifies that a Hop-by-Hop Options header is	to  be
	      included in the resulting	packet.	The header size	must be	speci-
	      fied as an argument to this option (the header  is  filled  with
	      padding  options).  Multiple  Hop-by-Hop	Options	headers	may be
	      specified	by means of multiple "-H" options.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

	      This option specifies  the  link-layer  Source  Address  of  the
	      Neighbor	Advertisement  messages	(this option is	only valid for
	      Ethernet interfaces). If left unspecified, the link-layer	Source
	      Address is randomized.

	      When operating in	passive	mode, the link-layer Source Address is
	      selected according to the	IPv6 Destination Address of the	incom-
	      ing  Neighbor Solicitation message.  If the IPv6 Destination Ad-
	      dress of the incoming Neighbor Solicitation message is a	multi-
	      cast  address  (usually a	solicited-node multicast address), the
	      link-layer Source	Address	is set to the address specified	by the
	      "-S"  option (or to a random address if the "-S" option was left
	      unspecified). If the IPv6	Destination Address  of	 the  incoming
	      Neighbor	Solicitation is	not a multicast	address	(i.e., it is a
	      unicast address),	the link-layer Source Address is  set  to  the
	      Ethernet	Destination Address of the incoming Neighbor Solicita-
	      tion message.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

	      This option specifies the	link-layer Destination Address of  the
	      Neighbor	Advertisement  messages	(this option is	only valid for
	      Ethernet interfaces). If left unspecified,  it  is  set  to  the
	      "all-nodes link-local multicast" address (ff02::1).

	      When  operating  in passive mode,	the link-layer Destination Ad-
	      dress is set according to	the IPv6 Source	Address	of the	incom-
	      ing  Neighbor  Solicitation message.  If the IPv6	Source Address
	      of the incoming Neighbor Solicitation message is the unspecified
	      address  (::),  the  link-layer  destination  address  is	set to
	      "33:33:00:00:00:01" (the Ethernet	multicast address  correspond-
	      ing  to the IPv6 "all-nodes link-local multicast"	address). Oth-
	      erwise,  the  link-layer	Destination  Address  is  set  to  the
	      link-layer  Source Address of the	incoming Neighbor Solicitation
	      message.

       --router, -r

	      This option instructs the	na6 tool to set	the "R"	 (Router)  bit
	      in  the  Neighbor	 Advertisement messages	that it	sends. The "R"
	      bit indicates that the node sending the message is a router.  If
	      left unspecified,	the "R"	bit is not set.

       --solicited, -c

	      This  option instructs the na6 tool to set the "S" ("Solicited")
	      bit in the Neighbor Advertisement	messages that it  sends.  When
	      operating	in passive mode	("-L" option), the "Solicited" flag is
	      forced to	1 in all responses sent	to unicast IPv6	addresses.

       --override, -o

	      This option instructs the	na6 tool to set	the  aOa  ("Override")
	      bit  in  the  Neighbor  Advertisement messages that it sends. If
	      this option is left unspecified, the aOa bit is not set.

       --target, -t

	      This option specifies the	IPv6 Target Address  of	 the  Neighbor
	      Advertisement messages.

	      If the "-T" ("--flood-targets") option is	specified, this	option
	      specifies	an IPv6	prefix in the form "-t prefix/prefixlen".  See
	      the  description	of  the	"-T" option for	further	information on
	      how the "-t" option is processed in that specific	case.

       --target-lla-opt, -E

	      This option specifies the	contents of a  target  link-layer  ad-
	      dress  option  to	be included in the Neighbor Advertisement mes-
	      sages. If	a single option	is specified, it is  included  in  all
	      the  outgoing  Neighbor Advertisement messages. If more than one
	      target link-layer	address	is specified  (by  means  of  multiple
	      "-E"  options), and all the resulting options cannot be conveyed
	      into a single Neighbor Advertisement message, multiple  Neighbor
	      Advertisements will be sent as needed.

       --add-tlla-opt, -e

	      This   option  instructs	the  na6  tool	to  include  a	target
	      link-layer address option	in the Neighbor	Advertisement messages
	      that it sends. The target	link-layer address included in the op-
	      tion is the same as the Ethernet Source  Address	used  for  the
	      outgoing Neighbor	Advertisement messages.	The difference between
	      this option and the "-E" option is that the "-e" option does not
	      specify  the  actual value of the	option,	but just instructs the
	      tool to include a	target link-layer address option  (the	actual
	      value of the option is selected as explained before).

       -j SRC_ADDR, --block-src	SRC_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their IPv6 Source Address. It allows the specification	of  an
	      IPv6  prefix  in	the  form "-j prefix/prefixlen". If the	prefix
	      length is	not specified, a prefix	length of "/128"  is  selected
	      (i.e.,  the  option  assumes  that a single IPv6 address,	rather
	      than an IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst	DST_ADDR

	      This option sets a block filter for the incoming Neighbor	Solic-
	      itation  messages,  based	 on their IPv6 Destination Address. It
	      allows the specification of an IPv6 prefix in the	form "-k  pre-
	      fix/prefixlen".  If the prefix length is not specified, a	prefix
	      length of	"/128" is selected (i.e., the option  assumes  that  a
	      single IPv6 address, rather than an IPv6 prefix, has been	speci-
	      fied).

       -J SRC_ADDR, --block-link-src SRC_ADDR

	      This option sets a block filter for the incoming packets,	 based
	      on  their	link-layer Source Address. The option must be followed
	      by a link-layer address (this option is only valid for  Ethernet
	      interfaces).

       -K DST_ADDR, --block-link-dst DST_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their link-layer Destination Address. The option must be fol-
	      lowed  by	 a  link-layer	address	(this option is	only valid for
	      Ethernet interfaces).

       -b SRC_ADDR, --accept-src SRC_ADDR

	      This option sets an accept  filter  for  the  incoming  packets,
	      based  on	their IPv6 Source Address. It allows the specification
	      of an IPv6 prefix	in the form "-b	prefix/prefixlen". If the pre-
	      fix  length  is  not specified, a	prefix length of "/128"	is se-
	      lected (i.e., the	option assumes that  a	single	IPv6  address,
	      rather than an IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

	      This option sets a accept	filter for the incoming	packets, based
	      on their IPv6 Destination	Address. It allows  the	 specification
	      of an IPv6 prefix	in the form "-g	prefix/prefixlen". If the pre-
	      fix length is not	specified, a prefix length of  "/128"  is  se-
	      lected  (i.e.,  the  option  assumes that	a single IPv6 address,
	      rather than an IPv6 prefix, has been specified).

       -B SRC_ADDR, --accept-link-src SRC_ADDR

	      This option sets an accept filter	for the	incoming Neighbor  So-
	      licitation  messages,  based on their link-layer Source Address.
	      The option must be followed by a link-layer address (this	option
	      is only valid for	Ethernet interfaces).

       -G DST_ADDR, --accept-link-dst DST_ADDR

	      This  option  sets  an  accept  filter for the incoming packets,
	      based on their link-layer	Destination Address. The  option  must
	      be  followed  by a link-layer address (this option is only valid
	      for Ethernet interfaces).

       --block-target, -w

	      This option sets a block filter for the incoming Neighbor	Solic-
	      itation  messages,  based	on their Target	Address. It allows the
	      specification of an IPv6 prefix  in  the	form  "-w  prefix/pre-
	      fixlen".	If the prefix length is	not specified, a prefix	length
	      of "/128"	is selected (i.e., the option assumes  that  a	single
	      IPv6 address, rather than	an IPv6	prefix,	has been specified).

       --accept-target,	-W

	      This  option  sets a accept filter for the incoming Neighbor So-
	      licitation messages, based on their Target  Address.  It	allows
	      the  specification of an IPv6 prefix in the form "-W prefix/pre-
	      fixlen". If the prefix length is not specified, a	prefix	length
	      of  "/128"  is  selected (i.e., the option assumes that a	single
	      IPv6 address, rather than	an IPv6	prefix,	has been specified).

       --flood-targets,	-T

	      This option instructs the	na6 tool to send  Neighbor  Advertise-
	      ments  for  multiple  Target  Addresses. The number of different
	      Target Addresses is specified as "-T number". The	Target Address
	      of  each	packet is randomly selected from the prefix fe80::/64,
	      unless a different prefix	has been specified  by	means  of  the
	      "-t" option. The IPv6 Source Address of each Neighbor Advertise-
	      ment message is set according to	the  IPv6  address  or	prefix
	      specified	 with  the "-s"	option,	and defaults to	a random link-
	      local unicast address (fe80::/64)	if the "-s" option is left un-
	      specified.

       --flood-sources,	-F

	      This  option instructs the tool to send multiple Neighbor	Adver-
	      tisement messages	with different Source Addresses. The number of
	      different	 sources  is  specified	as "-F number".	The Source Ad-
	      dress of each Neighbor Advertisement is randomly	selected  from
	      the  prefix  specified by	the "-s" option. If the	"-F" option is
	      specified	but the	"-s" option is left  unspecified,  the	Source
	      Address  of  the	packets	 is  randomly selected from the	prefix
	      fe80::/64	(link-local unicast). It should	be  noted  that	 hosts
	      are  required  to	 discard Router	Advertisement messages that do
	      not have a link-local unicast address as the Source Address.

       --loop, -l

	      This option instructs the	na6 tool to send periodic Neighbor Ad-
	      vertisements to the victim node. The amount of time to pause be-
	      tween sending Neighbor Advertisements can	be specified by	 means
	      of the "-z" option, and defaults to 1 second. Note that this op-
	      tion cannot be set in conjunction	with the "-L" ("--listen") op-
	      tion.

       --sleep,	-z

	      This  option specifies the amount	of time	to pause between send-
	      ing Neighbor Solicitations (when the "--loop" option is set). If
	      left unspecified,	it defaults to 1 second.

       --listen, -L

	      This instructs the na6 tool to operate in	passive	mode (possibly
	      after attacking a	given node, if the a-da	or a-Da	 options  were
	      specified).  Note	that this option cannot	be used	in conjunction
	      with the "-l" ("--loop") option.

       --verbose, -v

	      This option instructs the	na6 tool to be verbose.	 When the  op-
	      tion is set twice, the tool is "very verbose", and the tool also
	      informs which packets have been accepted or discarded as	a  re-
	      sult of applying the specified filters.

       --help, -h

	      Print help information for the na6 tool.

EXAMPLES
       The following sections illustrate typical use cases of the na6 tool.

       Example #1

       # na6 -i	eth0 -d	fe80::1	-t 2001:db8::1 -c -o -e

       Use the network interface "eth0"	to send	a Neighbor Advertisement using
       a random	link-local unicast IPv6	Source Address and a  random  Ethernet
       Source Address, to the IPv6 Destination address ffe80::1	and the	Ether-
       net Destination Address 33:33:00:00:00:01 (selected  by	default).  The
       target  of  the	Neighbor Advertisement is 2001:db8::1, and the message
       has both	the "Override" and the "Solicited" flags set. The Neighbor Ad-
       vertisement  also includes a target link-layer address option that con-
       tains the same Ethernet address as that used for	 the  Ethernet	Source
       Address of the packet.

       Example #2

       #  na6  -i eth0 -j fe80::1 -j 2001:db8::/32 -W fe80::/64	-c -o -e -L -v
       -v

       Listen for incoming Neighbor Solicitation  messages  on	the  interface
       "eth0".	Discard	 those messages	that have an IPv6 Source Address equal
       to  fe80::1,  an	 IPv6  Source  Address	that  belongs  to  the	prefix
       2001:db8::/32,  or  a Target Address that does not belong to the	prefix
       fe80::/64. Respond (to those messages that are accepted)	with a	Neigh-
       bor  Advertisement with a randomized Ethernet Source Address and	a ran-
       domized link-local unicast IPv6 Source Address (unless the  Destination
       Address	of  the	Neighbor Solicitation was a unicast address), the IPv6
       Destination Address set to the Source Address of	the incoming  NS  mes-
       sage (unless it was the unspecified address), the Target	Address	set to
       the same	value as the Target Address of the incoming NS,	and  the  "So-
       licited"	and "Override" flags set. Be very verbose ("-v -v" options).

SEE ALSO
       "Security/Robustness  Assessment	of IPv6	Neighbor Discovery Implementa-
       tions"	(available   at:   <http://www.si6networks.com/tools/ipv6tool-
       kit/si6networks-ipv6-nd-assessment.pdf>)	 for  a	discussion of Neighbor
       Discovery vulnerabilities, and additional examples of how  to  use  the
       na6 tool	to exploit them.

AUTHOR
       The  na6	 tool and the corresponding manual pages were produced by Fer-
       nando Gont _fgont@si6networks.com_ for SI6 Networks _http://www.si6net-
       works.com_.

COPYRIGHT
       Copyright (c) 2011-2013 Fernando	Gont.

       Permission  is  granted to copy,	distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version  1.3  or
       any  later  version  published by the Free Software Foundation; with no
       Invariant Sections, no Front-Cover Texts, and no	Back-Cover  Texts.   A
       copy   of   the	 license   is	available  at  _http://www.gnu.org/li-
       censes/fdl.html_.

									NA6(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=na6&sektion=1&manpath=FreeBSD+12.2-RELEASE+and+Ports>

home | help