Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
NI6(1)			    General Commands Manual			NI6(1)

NAME
       nI6  -  A  security  assessment tool for	attack vectors based on	ICMPv6
       Node Information	messages

SYNOPSIS
       ni6 [-i INTERFACE] [-S  LINK_SRC_ADDR  |	 -R]  [-D  LINK_DST_ADDR]  [-s
       SRC_ADDR[/LEN]  |  -r]  [-d DST_ADDR] [-c HOP_LIMIT] [-y	FRAG_SIZE] [-u
       DST_OPT_HDR_SIZE] [-U  DST_OPT_U_HDR_SIZE]  [-H	HBH_OPT_HDR_SIZE]  [-P
       SIZE | -6 IPV6_ADDR | -4	IPV4_ADDR | -n NAME | -N LEN | -x LEN -o TYPE]
       [-Z SIZE] [-e] [-C ICMP6_CODE] [-q NI_QTYPE] [-X	NI_FLAGS] [-P  SIZE  |
       -w  IPV6_ADDR  |	-W IPV4_ADDR | -a NAME | -A LEN	| -Q LEN -O TYPE] [-E]
       [-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J LINK_ADDR] [-K  LINK_ADDR]  [-b
       PREFIX[/LEN]] [-g PREFIX[/LEN]] [-B LINK_ADDR] [-G LINK_ADDR] [-L | -l]
       [-z] [-v] [-h]

DESCRIPTION
       ni6 allows the assessment of IPv6 implementations with respect to a va-
       riety of	attack vectors based on	ICMPv6 Node Information	messages. This
       tool is part of the SI6 Networks' IPv6 Toolkit: a  security  assessment
       suite for the IPv6 protocols.

       This tool has two modes of operation: "active" and "listening". In "ac-
       tive" mode, the tool attacks a specific target,	while  in  "listening"
       mode  the tool listens to ICMPv6	Node Information Query messages	on the
       local network, and sends	ICMPv6 Node Information	Reply messages in  re-
       sponse  to such traffic.	Active mode is employed	if an IPv6 Destination
       Address is specified. Listening mode is employed	if the "-L" option (or
       its  long  counterpart "--listen") is set. If both an attack target and
       the "-L"	option are specified, the attack is launched against the spec-
       ified target, and then the tool enters listening	mode to	respond	incom-
       ing packets with	TCP segments.

       The tool	supports filtering of incoming packets based on	 the  Ethernet
       Source  Address,	 the Ethernet Destination Address, the IPv6 Source Ad-
       dress, and the IPv6 Destination Address.	 There are two types  of  fil-
       ters:  "block  filters"	and "accept filters". If any "block filter" is
       specified, and the incoming packet matches any of  those	 filters,  the
       message	is discarded (and thus no ICMPv6 NI Reply messages are sent in
       response). If any "accept filter" is specified, incoming	 packets  must
       match  any  of  the specified "accept filters" in order for the tool to
       respond with ICMPv6 NI Reply messages.

OPTIONS
       ni6 takes it parameters as command-line options.	Each  of  the  options
       can be specified	with a short name (one character preceded with the hy-
       phen character, as e.g. "-i") or	with a long name  (a  string  preceded
       with two	hyphen characters, as e.g. "--interface").

       ni6  supports  IPv6 Extension Headers, including	the IPv6 Fragmentation
       Header, which might be of use to	circumvent  layer-2  filtering	and/or
       Network	Intrusion  Detection  Systems  (NIDS). However,	IPv6 extension
       headers are not employed	by default, and	 must  be  explicitly  enabled
       with the	corresponding options.

       -i INTERFACE, --interface INTERFACE
	      This  option  specifies the network interface that the tool will
	      use. If the destination address ("-d" option)  is	 a  link-local
	      address,	or the "listening" ("-L") mode is selected, the	inter-
	      face must	be explicitly specified. The  interface	 may  also  be
	      specified	 along	with  a	destination address, with the "-d" op-
	      tion.

       -s SRC_ADDR, --src-address SRC_ADDR

	      This option specifies the	IPv6 source address (or	 IPv6  prefix)
	      to  be  used for the Source Address of the attack	packets. If an
	      IPv6 prefix is specified,	the IPv6 Source	Address	of the	ICMPv6
	      packets will be randomized from the specified prefix.

	      Note:  When operating in "listening" mode, the Source Address is
	      automatically selected depending on the IPv6 Destination Address
	      of  the  ICMPv6  NI Query	(unless	a specific IPv6	Source Address
	      has been specified with the "-s" option).

       -d DST_ADDR, --dst-address DST_ADDR

	      This option specifies the	IPv6 Destination Address of  the  vic-
	      tim.  It	can be left unspecified	only if	the "-L" option	is se-
	      lected (i.e., if the tool	is to operate in "listening" mode).

	      Note: When operating in "listening" mode,	 the  Destination  Ad-
	      dress is automatically set to the	Source Address of the incoming
	      ICMPv6 NI	Query message.

       --hop-limit, -A

	      This option specifies the	Hop Limit to  be  used	for  the  IPv6
	      packets. It is randomized	by default.

       -y SIZE,	--frag-hdr SIZE

	      This  option  specifies  that the	resulting packet must be frag-
	      mented. The fragment size	must be	specified as  an  argument  to
	      this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

	      This option specifies that a Destination Options header is to be
	      included in the resulting	packet.	The extension header size must
	      be specified as an argument to this option (the header is	filled
	      with padding options). Multiple Destination Options headers  may
	      be specified by means of multiple	"-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

	      This  option  specifies  a  Destination Options header to	be in-
	      cluded in	the "unfragmentable part" of the resulting packet. The
	      header size must be specified as an argument to this option (the
	      header is	filled with padding options). Multiple Destination Op-
	      tions  headers  may  be  specified by means of multiple "-U" op-
	      tions. This option is only valid if the "-y" option is specified
	      (as  the	concept	of "unfragmentable part" only makes sense when
	      fragmentation is employed).

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

	      This option specifies that a Hop-by-Hop Options header is	to  be
	      included in the resulting	packet.	The header size	must be	speci-
	      fied as an argument to this option (the header  is  filled  with
	      padding  options).  Multiple  Hop-by-Hop	Options	headers	may be
	      specified	by means of multiple "-H" options.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

	      This option specifies the	link-layer Source Address of  the  TCP
	      segments.	 If left unspecified, the link-layer Source Address is
	      set to the real link-layer address of the	network	interface.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

	      This option specifies the	link-layer Destination Address of  the
	      ICMPv6  NI  packets.  By default,	the link-layer Destination Ad-
	      dress is automatically set to the	link-layer address of the des-
	      tination host (for on-link destinations) or to the link-layer of
	      the first-hop router.

       --payload-size, -P

	      This options specifies the size (in bytes) of the	ICMPv6 NI pay-
	      load.

       --subject-ipv6, -6

	      This  option specifies an	IPv6 Address to	be used	as the Subject
	      of ICMPv6	Node Information Query messages.

       --subject-ipv4, -4

	      This option specifies an IPv4 Address to be used as the  Subject
	      of ICMPv6	Node Information Query messages.

       --subject-name, -n

	      This option specifies a Name to be used as the Subject of	ICMPv6
	      Node Information Query messages. By default, the specified  name
	      is  considered  to  be  a	 Fully-Qualified  Domain  Name (FQDN).
	      Please consult the "--sname-slabel" option for  instructions  on
	      how to specify "single-label" names.

       --subject-fname,	-N

	      This  option instructs the ni6 tool to set the Subject of	ICMPv6
	      NI Query messages	to a forged  name of the specified length.

	      Note: The	forged name is a sequence of labels of 'a' characters,
	      with  the	 maximum  label	 size  being specified by means	of the
	      "--max-label-size" option.

       --subject-ename,	-x

	      This option instructs the	ni6 tool to  set  the  Subject	of  an
	      ICMPv6  NI  Query	 message to a malformed	label of the specified
	      length. This option is useful for	including  a  malformed	 label
	      that "spans past the end of the ICMPv6 NI	Query".

       --subject-nloop,	-O

	      This  option  specifies  that  the Data field should be set to a
	      Name that	contains a DNS compression  loop.  The	loop  type  is
	      specified	with this option, with valid values being in the range
	      0-1.

       --sname-slabel, -e

	      This option specifies that the specified Subject Name is a  sin-
	      gle-label	 name, and hence should	be terminated with two (rather
	      than one)	NULL labels.

       --max-label-size, -Z

	      This option specifies the	maximum	Name label size.  It  defaults
	      to 63.

       --code, -C

	      This  option specified the ICMPv6	code. For ICMPv6 NI Query mes-
	      sages, if	specific Subject type is specified, the	ICMPv6 code is
	      automatically set	to the corresponding value.

       --qtype,	-q

	      This option specifies the	Qtype value of ICMPv6 NI messages. For
	      ICMPv6 NI	Reply messages,	if specific Data  type	is  specified,
	      the  ICMPv6  Qtype  is  automatically  set  to the corresponding
	      value.

       --flags,	-X

	      This option specified the	"Flags"	field of the  ICMPv6  NI  mes-
	      sages.

	      For  ICMPv6  NI Query messages of	Qtype 3	(Node IPv6 Addresses),
	      the "Flags" field	defaults to "GSLCA". For ICMPv6	NI Query  mes-
	      sages  of	 Qtype	4 (Node	IPv4 Addresses), the "Flags" field de-
	      faults to	"A". For other ICMPv6 NI Query messages	it defaults to
	      0.   For ICMPv6 Reply messages, the "Flags" field	is copied from
	      the corresponding	ICMPv6 NI Query	message.

       --data-ipv6, -w

	      This option specifies an IPv6 Address to be used as the Data  of
	      ICMPv6 Node Information Reply messages.

       --data-ipv4, -W

	      This  option specifies an	IPv4 Address to	be used	as the Data of
	      ICMPv6 Node Information Reply messages.

       --data-name, -a

	      This option specifies a Name to be used as the  Data  of	ICMPv6
	      Node  Information	Reply messages.	By default, the	specified name
	      is considered  to	 be  a	Fully-Qualified	 Domain	 Name  (FQDN).
	      Please  consult  the "--dname-slabel" option for instructions on
	      how to specify "single-label" names.

       --data-fname, -A

	      This option instructs the	ni6 tool to set	the Data of the	ICMPv6
	      NI Reply messages	to a forged  name of the specified length.

	      Note: The	forged name is a sequence of labels of 'a' characters,
	      with the maximum label size being	 specified  by	means  of  the
	      "--max-label-size" option.

       --data-ename, -Q

	      This  option instructs the ni6 tool to set the Data of ICMPv6 NI
	      Reply messages to	a malformed label  of  the  specified  length.
	      This  option  is	useful	for  including	a malformed label that
	      "spans past the end of the ICMPv6	NI Reply".

       --data-nloop, -O

	      This option specifies that the Data field	should	be  set	 to  a
	      Name  that  contains  a  DNS  compression	loop. The loop type is
	      specified	with this option, with valid values being in the range
	      0-2.

       --dname-slabel, -E

	      This  option  specifies  that  the specified Data	Name is	a sin-
	      gle-label	name, and hence	should be terminated with two  (rather
	      than one)	NULL labels.

       -j SRC_ADDR, --block-src	SRC_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their IPv6 Source Address. It allows the specification	of  an
	      IPv6  prefix  in	the  form "-j prefix/prefixlen". If the	prefix
	      length is	not specified, a prefix	length of "/128"  is  selected
	      (i.e.,  the  option  assumes  that a single IPv6 address,	rather
	      than an IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst	DST_ADDR

	      This option sets a block filter for the incoming Neighbor	Solic-
	      itation  messages,  based	 on their IPv6 Destination Address. It
	      allows the specification of an IPv6 prefix in the	form "-k  pre-
	      fix/prefixlen".  If the prefix length is not specified, a	prefix
	      length of	"/128" is selected (i.e., the option  assumes  that  a
	      single IPv6 address, rather than an IPv6 prefix, has been	speci-
	      fied).

       -J SRC_ADDR, --block-link-src SRC_ADDR

	      This option sets a block filter for the incoming packets,	 based
	      on  their	link-layer Source Address. The option must be followed
	      by a link-layer address (this option is only valid for  Ethernet
	      interfaces).

       -K DST_ADDR, --block-link-dst DST_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their link-layer Destination Address. The option must be fol-
	      lowed  by	 a  link-layer	address	(this option is	only valid for
	      Ethernet interfaces).

       -b SRC_ADDR, --accept-src SRC_ADDR

	      This option sets an accept  filter  for  the  incoming  packets,
	      based  on	their IPv6 Source Address. It allows the specification
	      of an IPv6 prefix	in the form "-b	prefix/prefixlen". If the pre-
	      fix  length  is  not specified, a	prefix length of "/128"	is se-
	      lected (i.e., the	option assumes that  a	single	IPv6  address,
	      rather than an IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

	      This option sets a accept	filter for the incoming	packets, based
	      on their IPv6 Destination	Address. It allows  the	 specification
	      of an IPv6 prefix	in the form "-g	prefix/prefixlen". If the pre-
	      fix length is not	specified, a prefix length of  "/128"  is  se-
	      lected  (i.e.,  the  option  assumes that	a single IPv6 address,
	      rather than an IPv6 prefix, has been specified).

       -B SRC_ADDR, --accept-link-src SRC_ADDR

	      This option sets an accept filter	for the	incoming Neighbor  So-
	      licitation  messages,  based on their link-layer Source Address.
	      The option must be followed by a link-layer address (this	option
	      is only valid for	Ethernet interfaces).

       -G DST_ADDR, --accept-link-dst DST_ADDR

	      This  option  sets  an  accept  filter for the incoming packets,
	      based on their link-layer	Destination Address. The  option  must
	      be  followed  by a link-layer address (this option is only valid
	      for Ethernet interfaces).

       --forge-src-addr, -r

	      This option instructs the	ni6 tool to forge the IPv6 Source  Ad-
	      dress of ICMPv6 NI messages. Note	that when operating in listen-
	      ing mode,	unless this tool is  set,  ni6	will  not  impersonate
	      other nodes.

       --forge-link-src-addr, -R

	      This  option  instructs  the  ni6	 tool  to forge	the link-layer
	      Source Address of	ICMPv6 NI messages.

	      Note: Some interface cards (or their corresponding drivers)  may
	      silently discard packets that contain a forged link-layer	Source
	      Address.

       --loop, -l

	      This option instructs the	tcp6 tool to send  periodic  TCP  seg-
	      ments  to	 the  victim node. The amount of time to pause between
	      sending TCP segments can be specified by means of	the  "-z"  op-
	      tion,  and defaults to 1 second. Note that this option cannot be
	      set in conjunction with the "-L" ("--listen") option.

       --sleep,	-z

	      This option specifies the	amount of time to pause	between	 send-
	      ing  ICMPv6  Node	 Information Query messages (when the "--loop"
	      option is	set). If left unspecified, it defaults to 1 second.

       --listen, -L

	      This instructs the ni6 tool to operate in	listening mode (possi-
	      bly  after  attacking a specified	target). Note that this	option
	      cannot be	used in	conjunction with the "-l" ("--loop") option.

       --verbose, -v

	      This option instructs the	ni6 tool to be verbose.	 When the  op-
	      tion is set twice, the tool is "very verbose", and the tool also
	      informs which packets have been discarded	as a result of	apply-
	      ing the specified	filters.

       --help, -h

	      Print help information for the ni6 tool.

EXAMPLES
       The following sections illustrate typical use cases of the ni6 tool.

       Example #1

       # ni6 -i	eth0 --subject-ipv6 ff02::1 -d ff02::1 -q 2 -v

       Send  an	ICMPv6 Node Information	Query to the multicast address ff02::1
       ("-d" option), with  a  Subject	IPv6  Address  of  "ff02::1"  ("--sub-
       ject-ipv6" option), querying for	Node names ("-q" option). Be verbose.

       Example #2

       # ni6 -i	eth0 --data-fname 1000 -L --forge-src-addr -v

       Listen  to incoming ICMPv6 Node Information Query messages querying for
       node names, and respond with ICMPv6 NI Reply messages  that  contain  a
       forged name of 700 bytes. Forge the IPv6	Source Address of the packets.
       Be verbose.

AUTHOR
       The ni6 tool and	the corresponding manual pages were produced  by  Fer-
       nando Gont _fgont@si6networks.com_ for SI6 Networks _http://www.si6net-
       works.com_.

COPYRIGHT
       Copyright (c) 2011-2013 Fernando	Gont.

       Permission is granted to	copy, distribute and/or	modify	this  document
       under  the  terms of the	GNU Free Documentation License,	Version	1.3 or
       any later version published by the Free Software	 Foundation;  with  no
       Invariant  Sections,  no	Front-Cover Texts, and no Back-Cover Texts.  A
       copy  of	 the   license	 is   available	  at   _http://www.gnu.org/li-
       censes/fdl.html_.

									NI6(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ni6&sektion=1&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help