[ipv6hackers] Windows ping6-of-death

Johannes Weber johannes at webernetz.net
Wed Aug 14 13:37:13 CEST 2013


Hey,

I just tried the scapy command from Pierre in my IPv6 laboratory but it has not
crashed the Windows 7 machine (which is of course not yet patched). I saw the RA
with Wireshark on the Windows machine, but no crash.
I also tried the --pod-attack from Fernando, but icmp6 says "unrecognized
option". How should I test this option correctly?

Regards,

Johannes


> Pierre Emeriaud <petrus.lt at gmail.com> hat am 14. August 2013 um 10:49
> geschrieben:
>
>
> 2013/8/14 Fernando Gont <fgont at si6networks.com>:
> >
> > Ironically enough, they are vulnerable to attack because they don't
> > enforce sanity checks, and the ra6 tool of the IPv6-Toolkit cannot
> > exploit this attack because it enforces sanity checks on the Prefix
> > lenghts given by the user. :-)
>
> I tried to send the following frame with scapy. It was sent correctly
> but unfortunately I don't have any Windows boxen to test it:
> >>> sendp(Ether()/IPv6(dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="2001:db8:bad:cafe::",prefixlen=129),
> >>> loop=1, inter=0.5)
>
> The incorrect prefix length was seen on the wire, but I don't know if
> that would be enough to exploit the vuln.
>
>
> Regards,
> Pierre.
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>


More information about the Ipv6hackers mailing list