[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Fernando Gont fgont at si6networks.com
Sat Oct 17 00:17:38 CEST 2015

Hi,  Marc,

Long time no hear! -- Comments in-line...

On 10/16/2015 03:47 AM, Marc Heuse wrote:
> I just released thc-ipv6 v3.0 at www.thc.org/thc-ipv6 and
> https://github.com/vanhauser-thc/thc-ipv6

Thanks for making thc-ipv6 available on github!

> Two new tools are included:
>  - fragrouter6: an IDS evasion toolkit which allows you to transparenter
> use nmap -6, thc-ipv6, ipv6 toolkit, OpenVAS etc. transparently while
> evading IDS
>  - connsplit6: splitting up a connection to make analysis more
> difficult. just a proof of concept to show how this is easily done.
> Plus a lot of other new options and features, the CHANGES list is long.
> I released that for the my presentation at GSEC Singapore, "Hiding in
> Complexity". Slides are here:
> http://gsec.hitb.org/materials/sg2015/D3%20-%20Marc%20Heuse%20-%20Hiding%20in%20Complexity.pdf

Nice preso! Somme comments/question/feedback on the slideware:

* Slide #1:

Side comment: for remote scans pentests, the issue is that at time,
employing EHs gets your traffic dropped.

* Slide #9:

Some router implementations, when they receive a packet meant for a node
that has no entry in the Neighbor Cache, they drop the packet, and
engage in Neighbor Discovery. If you really engage into sending one
probe from a different address at a time, chances are that you might get
no response as a result of this.

I should check what I did for frag6 (it sends probes from multiple
sources when assessing the frag id generation scheme)... but I seem to
recall I had to implement some magic to avoid this sort of stuff.

* Slide #13

What do you mean by "splitting connections"?

* Slide #31
What does Windows do when multiple FHs are present?

You say "Resending fragments with different data:
last received is used". But you previously said that Windows doesn't
allow overlaping fragments, so... what would "Resending fragments with
different data" actually mean?

* Slide #39

You say that draft-ietf-6man-oversized-header-chain-09 (now RFC7112!) is
incomplete. What, specifically, are you thinking of? (prohibition of
overlapping fragments is in a different RFC).

* Slide #41
You just flood the local netork with lots of PIOS, just lost of RAs, or


Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list