[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions
fgont at si6networks.com
Sat Oct 17 00:17:38 CEST 2015
Long time no hear! -- Comments in-line...
On 10/16/2015 03:47 AM, Marc Heuse wrote:
> I just released thc-ipv6 v3.0 at www.thc.org/thc-ipv6 and
Thanks for making thc-ipv6 available on github!
> Two new tools are included:
> - fragrouter6: an IDS evasion toolkit which allows you to transparenter
> use nmap -6, thc-ipv6, ipv6 toolkit, OpenVAS etc. transparently while
> evading IDS
> - connsplit6: splitting up a connection to make analysis more
> difficult. just a proof of concept to show how this is easily done.
> Plus a lot of other new options and features, the CHANGES list is long.
> I released that for the my presentation at GSEC Singapore, "Hiding in
> Complexity". Slides are here:
Nice preso! Somme comments/question/feedback on the slideware:
* Slide #1:
Side comment: for remote scans pentests, the issue is that at time,
employing EHs gets your traffic dropped.
* Slide #9:
Some router implementations, when they receive a packet meant for a node
that has no entry in the Neighbor Cache, they drop the packet, and
engage in Neighbor Discovery. If you really engage into sending one
probe from a different address at a time, chances are that you might get
no response as a result of this.
I should check what I did for frag6 (it sends probes from multiple
sources when assessing the frag id generation scheme)... but I seem to
recall I had to implement some magic to avoid this sort of stuff.
* Slide #13
What do you mean by "splitting connections"?
* Slide #31
What does Windows do when multiple FHs are present?
You say "Resending fragments with different data:
last received is used". But you previously said that Windows doesn't
allow overlaping fragments, so... what would "Resending fragments with
different data" actually mean?
* Slide #39
You say that draft-ietf-6man-oversized-header-chain-09 (now RFC7112!) is
incomplete. What, specifically, are you thinking of? (prohibition of
overlapping fragments is in a different RFC).
* Slide #41
You just flood the local netork with lots of PIOS, just lost of RAs, or
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
More information about the Ipv6hackers