[ipv6hackers] Windows ping6-of-death

Fernando Gont fgont at si6networks.com
Wed Aug 14 20:44:17 CEST 2013


Hi, Johannes,

On 08/14/2013 11:09 AM, Johannes Weber wrote:
> 
> - I tried frag6 (which has the --pod-attack option), but getting other errors:
> jwe at ipv6-in-pc02:~/ipv6-toolkit-v1.3.4$ sudo frag6 -i eth0 -d ff02::1
> --pod-attack -v
> Couldn't find local router. Now trying Neighbor Discovery for the target node
> Error while performing Neighbor Discovery for the Destination Address

This is a bug in the tool. -- I'll fix it right now (the tool should
realize that the dest address is a link-local address, so there's no
need to "obtain a router").

In any case: is there an IPv6 router on the local link? -- Some folk had
reported this error a while back (the tool not being able to obtain a
local router, when there *was* one) but I have not been able to get a
hold of him for the last 10 days or so (I've been trying to fix this one).

If there's indeed a local router, I'll update an
ipv6-toolkit-debug.tar.gz which just has a number of puts() in the
relevant function find_router...() so that I can easily tell what's the
sanity check that is causing the RAs to be discarded. Would you mind
helping with that (running the tool and sending me the debug messages)?


P.S.: As a horrible workaround (for the time being), run the tool with
the -D option as "-D ROUTER_MAC" such that the tool doesn't need to
learn the router.


> 
> jwe at ipv6-in-pc02:~/ipv6-toolkit-v1.3.4$ sudo frag6 -i eth0 -d ff02::1 -D
> 33:33:00:00:00:01 --pod-attack -v
> Couldn't find local router. Now trying Neighbor Discovery for the target node
> Error while performing Neighbor Discovery for the Destination Address
> 
> Any ideas?
> 
> - The fuzz(ICMPv6NDOptPrefixInfo()) method works but produces mainly malformed
> IPv6 packets.
> - I tried some other prefixlen values with scapy, but it accepts only values
> between 0..255. So "-1" or "256" cannot be used.

The prefix length field is one byte long... so such values won't fit there.

> 255 does not produce a Win7
> crash, either. Also the prefix cannot be set to an unrealistic value, because
> scapy checks the integrity of the mentioned prefix, i.e.,
> "2001:db8:3:4:5:6:7:8:9::" does not work.

There's no room in the option for that...

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
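
The two encoding limits mentioned in the reply above (a one-octet prefix length and a fixed 128-bit prefix field), shown as an added example that is not part of the original message and is not code from ipv6-toolkit or scapy. It lays out the RFC 4861 Prefix Information option with Python's `struct` and adds a receiver-side sanity check; the names `PIO`, `build_pio`, `check_pio` and `encodable` are hypothetical, and the sample prefixes are constructed.

```python
import ipaddress
import struct

# RFC 4861 section 4.6.2, Prefix Information option (32 octets on the wire):
# type, length (in 8-octet units), prefix length, L/A flags + reserved,
# valid lifetime, preferred lifetime, reserved2, prefix (128 bits)
PIO = struct.Struct("!BBBBIII16s")
PIO_TYPE, PIO_LEN_UNITS = 3, 4


def build_pio(prefix, prefix_len, valid=2592000, preferred=604800, flags=0xC0):
    """Encode the option; raises if a value does not fit its field."""
    addr = ipaddress.IPv6Address(prefix)  # accepts exactly 128 bits
    return PIO.pack(PIO_TYPE, PIO_LEN_UNITS, prefix_len, flags,
                    valid, preferred, 0, addr.packed)


def check_pio(raw):
    """Return the problems a receiver should flag in a received option."""
    if len(raw) != PIO.size:
        return ["option is %d octets, expected %d" % (len(raw), PIO.size)]
    typ, units, plen, _flags, valid, preferred, _res, _prefix = PIO.unpack(raw)
    problems = []
    if typ != PIO_TYPE:
        problems.append("type %d is not Prefix Information" % typ)
    if units != PIO_LEN_UNITS:
        problems.append("length field %d, expected %d" % (units, PIO_LEN_UNITS))
    if plen > 128:  # encodable in one octet, but not a valid IPv6 prefix length
        problems.append("prefix length %d exceeds 128" % plen)
    if preferred > valid:  # RFC 4862 section 5.5.3: such an option is ignored
        problems.append("preferred lifetime exceeds valid lifetime")
    return problems


def encodable(prefix, prefix_len):
    """True if the values fit the fixed-width fields at all."""
    try:
        build_pio(prefix, prefix_len)
        return True
    except (struct.error, ValueError):
        return False
```

Values such as -1 or 256 fail at packing time because the field is a single unsigned octet, while 129 to 255 do fit and have to be rejected by the receiver's own range check.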
