Fear the evil foca attacking internet connections with ipv6
This presentation is the property of its rightful owner.
Sponsored Links
1 / 62

Fear the Evil FOCA Attacking Internet Connections with IPv6 PowerPoint PPT Presentation


  • 104 Views
  • Uploaded on
  • Presentation posted in: General

Fear the Evil FOCA Attacking Internet Connections with IPv6. Chema Alonso @ chemaAlonso [email protected] Spain is different. Spain is different. Spain is different. Spain is different. ipconfig. IPv6 is on your box!. And it works !: route print. And it works !: ping.

Download Presentation

Fear the Evil FOCA Attacking Internet Connections with IPv6

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Fear the evil foca attacking internet connections with ipv6

FeartheEvil FOCAAttacking Internet ConnectionswithIPv6

Chema Alonso

@chemaAlonso

[email protected]


Spain is different

Spainisdifferent


Spain is different1

Spainisdifferent


Spain is different2

Spainisdifferent


Spain is different3

Spainisdifferent


Ipconfig

ipconfig


Ipv6 is on your box

IPv6 isonyour box!


And it works route print

And itworks!: routeprint


And it works ping

And itworks!: ping


And it works ping1

And itworks!: ping


Llmnr

LLMNR


Icmpv6 ndp

ICMPv6 (NDP)

  • No ARP

    • No ARP Spoofing

    • Tools anti-ARP Spoofing are useless

  • NeighborDiscoveryProtocoluses ICPMv6

    • NS: NeighborSolicitation

    • NA: NeighborAdvertisement


And it works n eightbors

And itworks!: Neightbors


Ns na

NS/NA


Level 1 mitm with na spoofing

Level 1: Mitmwith NA Spoofing


Na spoofing

NA Spoofing


Na spoofing1

NA Spoofing


Demo 1 mitm using na spoofing and capturng smb files

Demo 1: Mitmusing NA Spoofing and capturng SMB files


Spaniards

Spaniards!


Step 1 evil foca

Step 1: Evil FOCA


Step 2 connect to smb server

Step 2: Connectto SMB Server


Step 3 wireshark

Step 3: Wireshark


Step 4 follow tcp stream

Step 4: Follow TCP Stream


Level 2 slaac attack

LEVEL 2: SLAAC Attack


Icmpv6 slaac

ICMPv6: SLAAC

  • StatelessAddress Auto Configuration

  • Devicesaskforrouters

  • Routerspublictheir IPv6 Address

  • Devices auto-configure IPv6 and Gateway

    • RS: RouterSolicitation

    • RA: RouterAdvertisement


Rogue dhcpv6

Rogue DHCPv6


Dns autodiscovery

DNS Autodiscovery


And it works web browser

And itworks!: Web Browser


Not in all web browsers

Not in all Web Browsers…


Windows behavior

Windows Behavior

  • IPv4 & IPv6 (bothfullyconfigured)

    • DNSv4 queries A & AAAA

  • IPv6 Only (IPv4 notfullyconfigured)

    • DNSv6 queries A

  • IPv6 & IPv4 Local Link

    • DNSv6 queries AAAA


From a to aaaa

From A to AAAA


Dns64 nat64

DNS64 & NAT64


Demo 2 8ttp colon slaac slaac

Demo 2: 8ttp colonSLAAC SLAAC


Step 1 no aaaa record

Step 1: No AAAA record


Step 2 ipv4 not fully conf dhcp attack

Step 2: IPv4 notfully conf. DHCP attack


Step 3 evil foca slaac attack

Step 3: Evil FOCA SLAAC Attack


Step 4 victim has internet over ipv6

Step 4: Victim has Internet over IPv6


Level 3 wpad attack in ipv6

Level 3: WPAD attack in IPv6


Webproxy autodiscovery

WebProxyAutoDiscovery

  • Automaticconfiguation of Web Proxy Servers

  • Web Browsers searchfor WPAD DNS record

  • Connectto Server and downloadWPAD.pac

  • Configure HTTP connectionsthrough Proxy


Wpad attack

WPAD Attack

  • Evil FOCA configures DNS Answersfor WPAD

  • Configures a Rogue Proxy Server listening in IPv6 network

  • Re-routeall HTTP (IPv6) connectionsto Internet (IPv4)


Demo 3 wpad ipv6 attack

Demo 3: WPAD IPv6 Attack


Step 1 victim searhs for wpad a record using llmnr

Step 1: Victimsearhsfor WPAD A record using LLMNR


Step 2 evil foca answers with aaaa

Step 2: Evil FOCA answerswith AAAA


Step 3 vitim asks then for wpad aaaa record using llmnr

Step 3: Vitimasks (then) for WPAD AAAA Record using LLMNR


Step 4 evil foca confirms wpad ipv6 address

Step 4: Evil FOCA confirms WPAD IPv6 address…


Step 5 victims asks for wpad pac file in evil foca ipv6 web server

Step 5: Victimsasksfor WPAD.PAC file in EVIL FOCA IPv6 Web Server


Step 6 evil foca sends wpad pac

Step 6: Evil FOCA Sends WPAD.PAC


Step 7 evil foca starts up a proxy

Step 7: Evil FOCA starts up a Proxy


Bonus level

BonusLevel


Http s connections

HTTP-s Connections

  • SSL Strip

    • Remove “S” from HTTP-s links

  • SSL Sniff

    • Use a Fake CA tocreatedynamiclyFakeCA

  • Bridging HTTP-s

    • Between Server and Evil FOCA -> HTTP-s

    • BetweenEvil FOCA and victim -> HTTP

  • Evil FOCA does SSL Strip and Briding HTTP-s (so far)


Google results page

Google Results Page

  • Evil FOCA will:

    • Take off Google Redirect

    • SSL Stripanyresult


Step 8 victim searchs facebook in google

Step 8: Victimsearchs Facebook in Google


Step 9 connects to facebook

Step 9: Connectsto Facebook


Step 10 grab password with wireshark

Step 10: GrabpasswordwithWireShark


Other evil foca attacks

OtherEvil FOCA Attacks

  • MiTM IPv6

    • NA Spoofing

    • SLAAC attack

    • WPAD (IPv6)

    • Rogue DHCP

  • DOS

    • IPv6 tofake MAC using NA Spoofing (in progress)

    • SLAAC DOS using RA Storm

  • MiTM IPv4

    • ARP Spoofing

    • Rogue DHCP (in progress)

    • DHCP ACK injection

    • WPAD (IPv4)

  • DOS IPv4

    • Fake MAC to IPv4

  • DNS Hijacking


Slaac d o s

SLAAC D.O.S.


Conclusions

Conclusions

  • IPv6 isonyour box

    • Configure itorkillit (ifpossible)

  • IPv6 isonyournetwork

    • IPv4 securitycontrols are notenough

    • Topera (port scanner over IPv6)

    • Slowlorisover IPv6

    • Kaspersky POD

    • Michael Lynn & CISCO GATE

    • SUDO bug (IPv6)


Big thanks to

Big Thanksto

  • THC (TheHacker’sChoice)

    • Included in Back Track/Kali

    • Parasite6

    • Redir6

    • Flood_router6

    • …..

  • Scappy


Street fighter spanish vega

Street Fighter “spanish” Vega


Enjoy evil foca

EnjoyEvil FOCA

  • http://www.informatica64.com/evilfoca/

  • Nextweek, DefconVersion at:

  • http://blog.elevenpaths.com

  • [email protected]

  • @chemaalonso


  • Login