Creating Arbitrary IPv6 Header Chains using Chiron

In the previous blog post, an introduction to IPv6 Extension headers was given. In this blog post, I will demonstrate how to use Chiron to construct arbitrary IPv6 Extension header chains.

Creating IPv6 Extension Header Chains with one or more IPv6 Extension Headers

Using Chiron you can define a list of the IPv6 Extension Headers that comprise the IPv6 header chain. To do so, you can use the following Chiron switches:

-lfE <comma_separated_list_of_headers_to_be_fragmented> Define an arbitrary list of Extension Headers which will be included in the fragmentable part.

-luE <comma_separated_list_of_headers_that_remain_unfragmented> Define an arbitrary list of Extension Headers which will be included in the unfragmentable part.

Note: In this section we will create an unfragmented IPv6 header chain only. Later, we shall also demonstrate how fragmentation is performed in IPv6 and how to create fragmented IPv6 header chains using Chiron.

The IPv6 Extension Headers supported by Chiron are the following:

Header Value     IPv6 Extension Header
0                Hop-by-hop Header
4                IPv4 Header
41               IPv6 Header
43               Routing Header
44               Fragment Extension Header
60               Destination Options Header
Any other value  IPv6 Fake (non-existing) Header

To add an IPv6 Extension header, you just need to use the corresponding header value, as shown in the examples below.

For instance, if you want to add a Destination Options header while performing a ping scan (-sn), you can use the following Chiron command:

./chiron_scanner.py eth0 -d 2001:db8:1:1:e633:1ba7:95d0:c943 -sn -luE 60

In the above command:

  • eth0 is the network interface to be used by Chiron.

  • -d <ipv6 address> is the IPv6 address of the target.

  • -sn is the network scan to be performed (ping scan).

Similarly, to add a Hop-by-Hop Header and a Destination Options header during a ping scan (-sn), you can use the following Chiron command:

./chiron_scanner.py eth0 -d 2001:db8:1:1:e633:1ba7:95d0:c943 -sn -luE 0,60

To add a Hop-by-Hop header and three Destination Options headers in a row during a ping scan (-sn), you can just "multiply" the header value by the number of times that you want this header to appear in a row in the chain, as follows (please use a capital 'X'):

./chiron_scanner.py eth0 -d 2001:db8:1:1:e633:1ba7:95d0:c943 -sn -luE 0,3X60

As simple as that.

The packet generated by the above command is depicted in the Wireshark screenshot below:

As we can see, we have sent a simple ping request whose IPv6 header chain contains a Hop-by-Hop Extension header and three (3) Destination Options headers.
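To see what such a chain looks like to a receiver or a filtering device, the following added example (not part of the original post and not Chiron code) builds the bytes of the same chain offline and walks the Next Header fields, flagging repetition beyond what RFC 8200 section 4.1 recommends. The function names, the addresses and the PadN filler are assumptions, the Fragment header is not followed, and nothing is sent on the network.

```python
import ipaddress
import struct

OPTION_LIKE = (0, 43, 60)  # Hop-by-Hop, Routing, Destination Options: byte 0 = Next Header, byte 1 = Hdr Ext Len

def build_packet(chain, hdr_ext_len=0):
    """Constructed sample bytes (never sent): IPv6 header, the listed Options headers
    (values as given to -luE, e.g. [0, 60, 60, 60]) and an ICMPv6 Echo Request."""
    size = 8 * (hdr_ext_len + 1)          # Hdr Ext Len counts 8-octet units after the first 8 octets
    nhs = list(chain) + [58]              # 58 = ICMPv6, the upper-layer protocol
    body = b""
    for nxt in nhs[1:]:                   # every header names the header that follows it
        body += bytes([nxt, hdr_ext_len, 1, size - 4]) + bytes(size - 4)  # one PadN option as filler
    body += struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # Echo Request, checksum left at 0
    src = ipaddress.IPv6Address("2001:db8:1:1::1").packed   # assumed documentation addresses
    dst = ipaddress.IPv6Address("2001:db8:1:1::2").packed
    return struct.pack("!IHBB", 0x60000000, len(body), nhs[0], 64) + src + dst + body

def walk_chain(packet):
    """Follow the Next Header fields; return the header values in wire order,
    ending with the first value that is not walked (upper layer or Fragment)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, offset, seen = packet[6], 40, []
    while nh in OPTION_LIKE:
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        length = 8 * (packet[offset + 1] + 1)
        if offset + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        seen.append(nh)
        nh, offset = packet[offset], offset + length
    return seen + [nh]

def chain_findings(seen):
    """Flag chains outside the RFC 8200 section 4.1 ordering/repetition recommendations."""
    ext, out = seen[:-1], []
    if 0 in ext[1:]:
        out.append("Hop-by-Hop not directly after the IPv6 header")
    if ext.count(60) > 2:
        out.append("Destination Options x%d" % ext.count(60))
    if ext.count(43) > 1:
        out.append("Routing x%d" % ext.count(43))
    return out

if __name__ == "__main__":
    seen = walk_chain(build_packet([0, 60, 60, 60]))   # the chain that -luE 0,3X60 describes
    print(seen, chain_findings(seen))
```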

Increasing the Size of the Options Headers Arbitrarily

In the above example, the length of each Destination Options header is 1 octet of bytes.

However, the length of the Options Headers (Hop-by-Hop and Destination Options) can vary arbitrarily, due to their TLV format. To create lengthy IPv6 Options headers using Chiron (this will become useful later, when fragmentation comes into play), you can use the following switch:

-seh <SIZE_OF_EXTHEADERS> The size of the Options Extension header in octets of bytes (default value: 1 octet of bytes).

Example:

./chiron_scanner.py eth0 -d fd9e:488f:c9e9:b6fd:a00:27ff:fe10:8fc -sn -luE 60 -seh 3

In the above example, the Destination Options Header is included in the IPv6 chain and its size is 3 octets of bytes (this applies to all Options headers used in the command, i.e. both Hop-by-hop and Destination Options). The packet is depicted in the Wireshark output below:

I guess that you can easily spot the difference.

In the next blog post we will start discussing fragmentation in IPv6.
