[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Diego Gonzalez diegof.gonzalezd at gmail.com
Sat Oct 17 04:17:00 CEST 2015


Marc and Fernando, two masters, thanks for the valuable contributions and
tools for IPv6.
On 16/10/2015 8:41 p.m., "Fernando Gont" <fgont at si6networks.com> wrote:

> Hi, Marc,
>
> Long time no hear! -- Comments in-line...
>
> On 10/16/2015 03:47 AM, Marc Heuse wrote:
> >
> > I just released thc-ipv6 v3.0 at www.thc.org/thc-ipv6 and
> > https://github.com/vanhauser-thc/thc-ipv6
>
> Thanks for making thc-ipv6 available on github!
>
>
>
> > Two new tools are included:
> >  - fragrouter6: an IDS evasion toolkit which allows you to use nmap -6,
> > thc-ipv6, ipv6 toolkit, OpenVAS etc. transparently while evading IDS
> >  - connsplit6: splitting up a connection to make analysis more
> > difficult. just a proof of concept to show how this is easily done.
> > Plus a lot of other new options and features, the CHANGES list is long.
> >
> > I released that for my presentation at GSEC Singapore, "Hiding in
> > Complexity". Slides are here:
> >
> http://gsec.hitb.org/materials/sg2015/D3%20-%20Marc%20Heuse%20-%20Hiding%20in%20Complexity.pdf
>
> Nice preso! Some comments/questions/feedback on the slideware:
>
> * Slide #1:
>
> Side comment: for remote scan pentests, the issue is that at times,
> employing EHs gets your traffic dropped.
>
> * Slide #9:
>
> Some router implementations, when they receive a packet meant for a node
> that has no entry in the Neighbor Cache, they drop the packet, and
> engage in Neighbor Discovery. If you really engage into sending one
> probe from a different address at a time, chances are that you might get
> no response as a result of this.
>
> I should check what I did for frag6 (it sends probes from multiple
> sources when assessing the frag id generation scheme)... but I seem to
> recall I had to implement some magic to avoid this sort of stuff.
>
> * Slide #13
>
> What do you mean by "splitting connections"?
>
>
> * Slide #31
> What does Windows do when multiple FHs are present?
>
> You say "Resending fragments with different data:
> last received is used". But you previously said that Windows doesn't
> allow overlapping fragments, so... what would "Resending fragments with
> different data" actually mean?
>
> * Slide #39
>
> You say that draft-ietf-6man-oversized-header-chain-09 (now RFC7112!) is
> incomplete. What, specifically, are you thinking of? (prohibition of
> overlapping fragments is in a different RFC).
>
>
> * Slide #41
> You just flood the local network with lots of PIOs, just lots of RAs, or
> what?
>
>
> Thanks!
>
> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>

