Skip to content
Dan Robertson edited this page Jul 31, 2017 · 12 revisions

Welcome to the sylkie wiki!

Building

It is recommended that sylkie is build with json and seccomp support. A few examples of the installation of these dependencies are listed below.

Dependencies

Ubuntu

# apt-get install libjson-c-dev libseccomp-dev cmake3

Arch Linux

# pacman -S json-c libseccomp linux-headers git cmake

Gentoo

# emerge --ask json-c libseccomp git cmake

Build Options

Option Description Default
ENABLE_JSON Build sylkie with json support ON
ENABLE_SECCOMP Build sylkie with seccomp support ON
ENABLE_SETUID Install sylkie with the setuid bit set OFF
ENABLE_STATIC Statically link sylkie OFF
BUILD_DOCS Build sylkie doxygen docs OFF
BUILD_TESTS Build the test suite OFF

Build Types

Type Description
Release Standard release build
Debug Standard build with debug info
ASAN Address sanitized build

Build types can be defined with -DCMAKE_BUILD_TYPE=<build type>. For example the following would configure an address sanitized build.

mkdir build
cd ./build
cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=ASAN ..
make
sudo make install

Advanced Usage

How it works

sylkie is a tool for sending forged NDP messages. The following attempts to describe what each subcomand actually does in a little more detail.

router-advert

The router-advert (ra) command attempts to DoS a network by sending "forged" Router Advertisement messages to either a targeted address (if one is provided) or the link local scope all-nodes address ff02::1. The "forged" Router Advertisement contains Prefix Information with the lifetimes set to 0. The message also contains the Source Link-Layer Address. This should cause the targeted address or all link local nodes to remove the targetted router from the list of default routes.

neighbor-advert

The neighbor-advert (na) command attempts to spoof a given address by sending "forged" Neighbor Advertisement message to the targeted address. The "forged" Neighbor Advertisement has the Override Flag set. This advertisement also contains the necessary Target Link-layer Address information set so that the targeted host does not have to query the targeted host for more information before updating the neighbor cache. This should cause the targeted host to update the neighbor cache entry for the given ip address with the given link-layer address.

Becoming the default route

The json and plaintext features becomes especially useful as more information is required or if there is a set of advertisements that need to be configured and sent. For example, the following json config would send two router advertisements on the configured intervals. And would cause the second entry router-ip (fe80::cbed:6822:cd23:bbdb) to become the default route.

{
    "router-advert": [
        {
            "interface": "ens3",
            "target-mac": "0c:c4:7a:6c:cd:54",
            "router-ip": "fe80::ec4:7aff:fe6c:cd54",
            "prefix": 64,
            "repeat": -1,
            "timeout": 5
        },
        {
            "interface": "ens3",
            "target-mac": "52:54:00:c2:a7:7c",
            "router-ip": "fe80::cbed:6822:cd23:bbdb",
            "prefix": 64,
            "lifetime": 600,
            "repeat": -1,
            "timeout": 5
        }
    ]
}

Note the addition of the lifetime parameter for the second entry. Since the value is non-zero hosts will add fe80::cbed:6822:cd23:bbdb as a default route and since they have also removed the "real" default route, fe80::cbed:6822:cd23:bbdb will become the default route (assuming fe80::ec4:7aff:fe6c:cd54 was the only default route on the network)

FAQ

Why write this?

Learning is fun. I didn't know much about The ND protocol so I read RFC 4861 and this seemed like a good way to learn by practice.

How can I protect my IPv6 network from common address spoofing attacks?

RFC 3971