|PATH6(1)||General Commands Manual||PATH6(1)|
path6 - A versatile IPv6-based traceroute tool
path6 [-d] [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-S LINK_SRC_ADDR] [-D LINK_DST_ADDR] [-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-r LIMIT] [-p PROBE_TYPE] [-P PAYLOAD_SIZE] [-a DST_PORT] [-X TCP_FLAGS] [-v] [-h]
path6 is an IPv6 traceroute tool, with full support for IPv6 Extension Headers. It is part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for the IPv6 protocols.
path6 takes its parameters as command-line options. Each of the options can be specified with a short name (one character preceded with the hyphen character, as e.g. "-i") or with a long name (a string preceded with two hyphen characters, as e.g. "--interface").
Most of probe packet details can be specified by means of the available options. When TCP or UDP probe packets are employed, the Source Port of the probe packets is used to encode the probe packet number.
The current version of the tool will only print IPv6 addresses and will not try to reverse-map such IPv6 addresses into hostnames.
- -i interface, --interface interface
This option specifies the network interface to be used by the path6 tool. It can be used for overriding the output interface selected based on the local routing table.
- -s SRC_ADDR, --src-address SRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used for the Source Address of the attack packets. If a prefix is specified, the Source Address is randomly selected from that prefix.
- -d DST_ADDR, --dst-address DST_ADDR
This option specifies the IPv6 Destination Address of the target.
- -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
This option can be used to override the link-layer Source Address of the packets.
- -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
This option can be used to override the link-layer Destination Address of the outgoing packets.
- -y SIZE, --frag-hdr SIZE
This option specifies that the probe packets must be fragmented. The fragment size must be specified as an argument to this option.
- -u HDR_SIZE, --dst-opt-hdr HDR_SIZE
This option specifies that a Destination Options header is to be included in the outgoing packet(s). The extension header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "-u" options.
- -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
This option specifies a Destination Options header to be included in the "unfragmentable part" of the outgoing packet(s). The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "-U" options.
- -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the outgoing packet(s). The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop-by-Hop Options headers may be specified by means of multiple "-H" options.
- -p PROBE_TYPE, --probe-type PROBE_TYPE
This option specifies the protocol to be used for the probe packets. Possible arguments are: "icmp" (for ICMPv6 Echo Request), "tcp" (for TCP), and "udp" (for UDP). If left unspecified, the probe packets default to ICMPv6 Echo Request.
- -P PAYLOAD_SIZE, --payload-size PAYLOAD_SIZE
This option specifies the payload size of the probe packets.
- -o SRC_PORT, --src-port SRC_PORT
This option specifies the TCP/UDP Source Port. If left unspecified, the Source Port is randomized from the range 1024-65535.
- -a DST_PORT, --dst-port DST_PORT
This option specifies the TCP/UDP Destination Port. If left unspecified, the Destination Port defaults to 80 for the TCP case, and a randomized value (in the range 60000-65000) for the UDP case.
- -X TCP_FLAGS, --tcp-flags TCP_FLAGS
This option is used to set specific the TCP flags. The flags are specified as "F" (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A" (ACK), "U" (URG), "X" (no flags).
If this option is left unspecified, the ACK bit is set on all probe packets.
- -v, --verbose
This option selects the "verbosity" of the tool. If this option is left unspecified, only minimum information is printed.
- -h, --help
Print help information for the path6 tool.
The following sections illustrate typical use cases of the path6 tool.
# scan6 -i eth0 -L -e -v
Perform host scanning on the local network ("-L" option) using interface "eth0" ("-i" option). Use both ICMPv6 echo requests and unrecognized IPv6 options of type 10xxxxxx (default). Print link-link layer addresses along with IPv6 addresses ("-e" option). Be verbose ("-v" option).
# scan6 -d 2001:db8::/64 --tgt-virtual-machines all --ipv4-host 10.10.10.0/24
Scan for virtual machines (both VirtualBox and vmware) in the prefix 2001:db8::/64. The additional information about the IPv4 prefix employed by the host system is leveraged to reduce the search space.
# scan6 -d 2001:db8::/64 --tgt-ipv4-embedded ipv4-32 --ipv4-host 10.10.10.0/24
Scan for IPv6 addresses of the network 2001:db8::/64 that embed the IPv4 prefix 10.10.10.0/24 (with the 32-bit encoding).
# scan6 -d 2001:db8:0-500:0-1000
Scan for IPv6 addresses of the network 2001:db8::/64, varying the two lowest order 16-bit words of the addresses in the range 0-500 and 0-1000, respectively.
# scan6 -d fc00::/64 --tgt-vendor 'Dell Inc' -p tcp
Scan for network devices manufactured by 'Dell Inc' in the target prefix fc00::/64. The tool will employ TCP segments as the probe packets (rather than the default ICMPv6 echo requests).
draft-ietf-opsec-ipv6-host-scanning (available at: <http://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-in-eal-world>) for a discussion of support of IPv6 packets with extension headers in the IPv6 Internet.
The path6 tool and the corresponding manual pages were produced by Fernando Gont <firstname.lastname@example.org> for SI6 Networks <http://www.si6networks.com>.
Copyright (c) 2014-2015 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.