Fear the evil foca attacking internet connections with ipv6
1 / 62

Fear the Evil FOCA Attacking Internet Connections with IPv6 - PowerPoint PPT Presentation

  • Uploaded on

Fear the Evil FOCA Attacking Internet Connections with IPv6. Chema Alonso @ chemaAlonso [email protected] Spain is different. Spain is different. Spain is different. Spain is different. ipconfig. IPv6 is on your box!. And it works !: route print. And it works !: ping.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Fear the Evil FOCA Attacking Internet Connections with IPv6' - lona

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Fear the evil foca attacking internet connections with ipv6

FeartheEvil FOCAAttacking Internet ConnectionswithIPv6

Chema Alonso


[email protected]

Spain is different

Spain is different1

Spain is different2

Spain is different3

Ipv6 is on your box
IPv6 isonyour box!

And it works route print
And itworks!: routeprint

And it works ping
And itworks!: ping

And it works ping1
And itworks!: ping

Icmpv6 ndp

  • No ARP

    • No ARP Spoofing

    • Tools anti-ARP Spoofing are useless

  • NeighborDiscoveryProtocoluses ICPMv6

    • NS: NeighborSolicitation

    • NA: NeighborAdvertisement

And it works n eightbors
And itworks!: Neightbors

Level 1 mitm with na spoofing
Level 1: Mitmwith NA Spoofing

Na spoofing
NA Spoofing

Na spoofing1
NA Spoofing

Demo 1 mitm using na spoofing and capturng smb files

Demo 1: Mitmusing NA Spoofing and capturng SMB files

Step 1 evil foca
Step 1: Evil FOCA

Step 2 connect to smb server
Step 2: Connectto SMB Server

Step 3 wireshark
Step 3: Wireshark

Step 4 follow tcp stream
Step 4: Follow TCP Stream

Icmpv6 slaac

  • StatelessAddress Auto Configuration

  • Devicesaskforrouters

  • Routerspublictheir IPv6 Address

  • Devices auto-configure IPv6 and Gateway

    • RS: RouterSolicitation

    • RA: RouterAdvertisement

Rogue dhcpv6
Rogue DHCPv6

Dns autodiscovery
DNS Autodiscovery

And it works web browser
And itworks!: Web Browser

Not in all web browsers
Not in all Web Browsers…

Windows behavior
Windows Behavior

  • IPv4 & IPv6 (bothfullyconfigured)

    • DNSv4 queries A & AAAA

  • IPv6 Only (IPv4 notfullyconfigured)

    • DNSv6 queries A

  • IPv6 & IPv4 Local Link

    • DNSv6 queries AAAA

From a to aaaa
From A to AAAA

Demo 2 8ttp colon slaac slaac

Demo 2: 8ttp colonSLAAC SLAAC

Step 1 no aaaa record
Step 1: No AAAA record

Step 2 ipv4 not fully conf dhcp attack
Step 2: IPv4 notfully conf. DHCP attack

Step 3 evil foca slaac attack
Step 3: Evil FOCA SLAAC Attack

Step 4 victim has internet over ipv6
Step 4: Victim has Internet over IPv6

Level 3 wpad attack in ipv6
Level 3: WPAD attack in IPv6

Webproxy autodiscovery

  • Automaticconfiguation of Web Proxy Servers

  • Web Browsers searchfor WPAD DNS record

  • Connectto Server and downloadWPAD.pac

  • Configure HTTP connectionsthrough Proxy

Wpad attack
WPAD Attack

  • Evil FOCA configures DNS Answersfor WPAD

  • Configures a Rogue Proxy Server listening in IPv6 network

  • Re-routeall HTTP (IPv6) connectionsto Internet (IPv4)

Step 1 victim searhs for wpad a record using llmnr
Step 1: Victimsearhsfor WPAD A record using LLMNR

Step 2 evil foca answers with aaaa
Step 2: Evil FOCA answerswith AAAA

Step 3 vitim asks then for wpad aaaa record using llmnr
Step 3: Vitimasks (then) for WPAD AAAA Record using LLMNR

Step 4 evil foca confirms wpad ipv6 address
Step 4: Evil FOCA confirms WPAD IPv6 address…

Step 5 victims asks for wpad pac file in evil foca ipv6 web server
Step 5: Victimsasksfor WPAD.PAC file in EVIL FOCA IPv6 Web Server

Step 6 evil foca sends wpad pac
Step 6: Evil FOCA Sends WPAD.PAC

Step 7 evil foca starts up a proxy
Step 7: Evil FOCA starts up a Proxy

Bonus level

Http s connections
HTTP-s Connections

  • SSL Strip

    • Remove “S” from HTTP-s links

  • SSL Sniff

    • Use a Fake CA tocreatedynamiclyFakeCA

  • Bridging HTTP-s

    • Between Server and Evil FOCA -> HTTP-s

    • BetweenEvil FOCA and victim -> HTTP

  • Evil FOCA does SSL Strip and Briding HTTP-s (so far)

Google results page
Google Results Page

  • Evil FOCA will:

    • Take off Google Redirect

    • SSL Stripanyresult

Step 8 victim searchs facebook in google
Step 8: Victimsearchs Facebook in Google

Step 9 connects to facebook
Step 9: Connectsto Facebook

Step 10 grab password with wireshark
Step 10: GrabpasswordwithWireShark

Other evil foca attacks
OtherEvil FOCA Attacks

  • MiTM IPv6

    • NA Spoofing

    • SLAAC attack

    • WPAD (IPv6)

    • Rogue DHCP

  • DOS

    • IPv6 tofake MAC using NA Spoofing (in progress)

    • SLAAC DOS using RA Storm

  • MiTM IPv4

    • ARP Spoofing

    • Rogue DHCP (in progress)

    • DHCP ACK injection

    • WPAD (IPv4)

  • DOS IPv4

    • Fake MAC to IPv4

  • DNS Hijacking


  • IPv6 isonyour box

    • Configure itorkillit (ifpossible)

  • IPv6 isonyournetwork

    • IPv4 securitycontrols are notenough

    • Topera (port scanner over IPv6)

    • Slowlorisover IPv6

    • Kaspersky POD

    • Michael Lynn & CISCO GATE

    • SUDO bug (IPv6)

Big thanks to
Big Thanksto

  • THC (TheHacker’sChoice)

    • Included in Back Track/Kali

    • Parasite6

    • Redir6

    • Flood_router6

    • …..

  • Scappy

Street fighter spanish vega
Street Fighter “spanish” Vega

Enjoy evil foca
EnjoyEvil FOCA

  • http://www.informatica64.com/evilfoca/

  • Nextweek, DefconVersion at:

  • http://blog.elevenpaths.com

  • [email protected]

  • @chemaalonso