Fear the evil foca attacking internet connections with ipv6
Download
1 / 62

Fear the Evil FOCA Attacking Internet Connections with IPv6 - PowerPoint PPT Presentation


  • 152 Views
  • Uploaded on

Fear the Evil FOCA Attacking Internet Connections with IPv6. Chema Alonso @ chemaAlonso [email protected] Spain is different. Spain is different. Spain is different. Spain is different. ipconfig. IPv6 is on your box!. And it works !: route print. And it works !: ping.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Fear the Evil FOCA Attacking Internet Connections with IPv6' - lona


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Fear the evil foca attacking internet connections with ipv6

FeartheEvil FOCAAttacking Internet ConnectionswithIPv6

Chema Alonso

@chemaAlonso

[email protected]


Spain is different
Spainisdifferent


Spain is different1
Spainisdifferent


Spain is different2
Spainisdifferent


Spain is different3
Spainisdifferent



Ipv6 is on your box
IPv6 isonyour box!


And it works route print
And itworks!: routeprint


And it works ping
And itworks!: ping


And it works ping1
And itworks!: ping



Icmpv6 ndp
ICMPv6 (NDP)

  • No ARP

    • No ARP Spoofing

    • Tools anti-ARP Spoofing are useless

  • NeighborDiscoveryProtocoluses ICPMv6

    • NS: NeighborSolicitation

    • NA: NeighborAdvertisement


And it works n eightbors
And itworks!: Neightbors



Level 1 mitm with na spoofing
Level 1: Mitmwith NA Spoofing


Na spoofing
NA Spoofing


Na spoofing1
NA Spoofing


Demo 1 mitm using na spoofing and capturng smb files

Demo 1: Mitmusing NA Spoofing and capturng SMB files



Step 1 evil foca
Step 1: Evil FOCA


Step 2 connect to smb server
Step 2: Connectto SMB Server


Step 3 wireshark
Step 3: Wireshark


Step 4 follow tcp stream
Step 4: Follow TCP Stream



Icmpv6 slaac
ICMPv6: SLAAC

  • StatelessAddress Auto Configuration

  • Devicesaskforrouters

  • Routerspublictheir IPv6 Address

  • Devices auto-configure IPv6 and Gateway

    • RS: RouterSolicitation

    • RA: RouterAdvertisement


Rogue dhcpv6
Rogue DHCPv6


Dns autodiscovery
DNS Autodiscovery


And it works web browser
And itworks!: Web Browser


Not in all web browsers
Not in all Web Browsers…


Windows behavior
Windows Behavior

  • IPv4 & IPv6 (bothfullyconfigured)

    • DNSv4 queries A & AAAA

  • IPv6 Only (IPv4 notfullyconfigured)

    • DNSv6 queries A

  • IPv6 & IPv4 Local Link

    • DNSv6 queries AAAA


From a to aaaa
From A to AAAA



Demo 2 8ttp colon slaac slaac

Demo 2: 8ttp colonSLAAC SLAAC


Step 1 no aaaa record
Step 1: No AAAA record


Step 2 ipv4 not fully conf dhcp attack
Step 2: IPv4 notfully conf. DHCP attack


Step 3 evil foca slaac attack
Step 3: Evil FOCA SLAAC Attack


Step 4 victim has internet over ipv6
Step 4: Victim has Internet over IPv6


Level 3 wpad attack in ipv6
Level 3: WPAD attack in IPv6


Webproxy autodiscovery
WebProxyAutoDiscovery

  • Automaticconfiguation of Web Proxy Servers

  • Web Browsers searchfor WPAD DNS record

  • Connectto Server and downloadWPAD.pac

  • Configure HTTP connectionsthrough Proxy


Wpad attack
WPAD Attack

  • Evil FOCA configures DNS Answersfor WPAD

  • Configures a Rogue Proxy Server listening in IPv6 network

  • Re-routeall HTTP (IPv6) connectionsto Internet (IPv4)



Step 1 victim searhs for wpad a record using llmnr
Step 1: Victimsearhsfor WPAD A record using LLMNR


Step 2 evil foca answers with aaaa
Step 2: Evil FOCA answerswith AAAA


Step 3 vitim asks then for wpad aaaa record using llmnr
Step 3: Vitimasks (then) for WPAD AAAA Record using LLMNR


Step 4 evil foca confirms wpad ipv6 address
Step 4: Evil FOCA confirms WPAD IPv6 address…


Step 5 victims asks for wpad pac file in evil foca ipv6 web server
Step 5: Victimsasksfor WPAD.PAC file in EVIL FOCA IPv6 Web Server


Step 6 evil foca sends wpad pac
Step 6: Evil FOCA Sends WPAD.PAC


Step 7 evil foca starts up a proxy
Step 7: Evil FOCA starts up a Proxy


Bonus level
BonusLevel


Http s connections
HTTP-s Connections

  • SSL Strip

    • Remove “S” from HTTP-s links

  • SSL Sniff

    • Use a Fake CA tocreatedynamiclyFakeCA

  • Bridging HTTP-s

    • Between Server and Evil FOCA -> HTTP-s

    • BetweenEvil FOCA and victim -> HTTP

  • Evil FOCA does SSL Strip and Briding HTTP-s (so far)


Google results page
Google Results Page

  • Evil FOCA will:

    • Take off Google Redirect

    • SSL Stripanyresult


Step 8 victim searchs facebook in google
Step 8: Victimsearchs Facebook in Google


Step 9 connects to facebook
Step 9: Connectsto Facebook


Step 10 grab password with wireshark
Step 10: GrabpasswordwithWireShark


Other evil foca attacks
OtherEvil FOCA Attacks

  • MiTM IPv6

    • NA Spoofing

    • SLAAC attack

    • WPAD (IPv6)

    • Rogue DHCP

  • DOS

    • IPv6 tofake MAC using NA Spoofing (in progress)

    • SLAAC DOS using RA Storm

  • MiTM IPv4

    • ARP Spoofing

    • Rogue DHCP (in progress)

    • DHCP ACK injection

    • WPAD (IPv4)

  • DOS IPv4

    • Fake MAC to IPv4

  • DNS Hijacking



Conclusions
Conclusions

  • IPv6 isonyour box

    • Configure itorkillit (ifpossible)

  • IPv6 isonyournetwork

    • IPv4 securitycontrols are notenough

    • Topera (port scanner over IPv6)

    • Slowlorisover IPv6

    • Kaspersky POD

    • Michael Lynn & CISCO GATE

    • SUDO bug (IPv6)


Big thanks to
Big Thanksto

  • THC (TheHacker’sChoice)

    • Included in Back Track/Kali

    • Parasite6

    • Redir6

    • Flood_router6

    • …..

  • Scappy


Street fighter spanish vega
Street Fighter “spanish” Vega


Enjoy evil foca
EnjoyEvil FOCA

  • http://www.informatica64.com/evilfoca/

  • Nextweek, DefconVersion at:

  • http://blog.elevenpaths.com

  • [email protected]

  • @chemaalonso


ad