Fear the Evil FOCA Attacking Internet Connections with IPv6 - PowerPoint PPT Presentation

Fear the evil foca attacking internet connections with ipv6
1 / 62

  • Uploaded on
  • Presentation posted in: General

Fear the Evil FOCA Attacking Internet Connections with IPv6. Chema Alonso @ chemaAlonso chema@11paths.com. Spain is different. Spain is different. Spain is different. Spain is different. ipconfig. IPv6 is on your box!. And it works !: route print. And it works !: ping.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Fear the Evil FOCA Attacking Internet Connections with IPv6

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Fear the evil foca attacking internet connections with ipv6

FeartheEvil FOCAAttacking Internet ConnectionswithIPv6

Chema Alonso



Spain is different


Spain is different1


Spain is different2


Spain is different3




Ipv6 is on your box

IPv6 isonyour box!

And it works route print

And itworks!: routeprint

And it works ping

And itworks!: ping

And it works ping1

And itworks!: ping



Icmpv6 ndp


  • No ARP

    • No ARP Spoofing

    • Tools anti-ARP Spoofing are useless

  • NeighborDiscoveryProtocoluses ICPMv6

    • NS: NeighborSolicitation

    • NA: NeighborAdvertisement

And it works n eightbors

And itworks!: Neightbors

Ns na


Level 1 mitm with na spoofing

Level 1: Mitmwith NA Spoofing

Na spoofing

NA Spoofing

Na spoofing1

NA Spoofing

Demo 1 mitm using na spoofing and capturng smb files

Demo 1: Mitmusing NA Spoofing and capturng SMB files



Step 1 evil foca

Step 1: Evil FOCA

Step 2 connect to smb server

Step 2: Connectto SMB Server

Step 3 wireshark

Step 3: Wireshark

Step 4 follow tcp stream

Step 4: Follow TCP Stream

Level 2 slaac attack


Icmpv6 slaac


  • StatelessAddress Auto Configuration

  • Devicesaskforrouters

  • Routerspublictheir IPv6 Address

  • Devices auto-configure IPv6 and Gateway

    • RS: RouterSolicitation

    • RA: RouterAdvertisement

Rogue dhcpv6

Rogue DHCPv6

Dns autodiscovery

DNS Autodiscovery

And it works web browser

And itworks!: Web Browser

Not in all web browsers

Not in all Web Browsers…

Windows behavior

Windows Behavior

  • IPv4 & IPv6 (bothfullyconfigured)

    • DNSv4 queries A & AAAA

  • IPv6 Only (IPv4 notfullyconfigured)

    • DNSv6 queries A

  • IPv6 & IPv4 Local Link

    • DNSv6 queries AAAA

From a to aaaa

From A to AAAA

Dns64 nat64

DNS64 & NAT64

Demo 2 8ttp colon slaac slaac

Demo 2: 8ttp colonSLAAC SLAAC

Step 1 no aaaa record

Step 1: No AAAA record

Step 2 ipv4 not fully conf dhcp attack

Step 2: IPv4 notfully conf. DHCP attack

Step 3 evil foca slaac attack

Step 3: Evil FOCA SLAAC Attack

Step 4 victim has internet over ipv6

Step 4: Victim has Internet over IPv6

Level 3 wpad attack in ipv6

Level 3: WPAD attack in IPv6

Webproxy autodiscovery


  • Automaticconfiguation of Web Proxy Servers

  • Web Browsers searchfor WPAD DNS record

  • Connectto Server and downloadWPAD.pac

  • Configure HTTP connectionsthrough Proxy

Wpad attack

WPAD Attack

  • Evil FOCA configures DNS Answersfor WPAD

  • Configures a Rogue Proxy Server listening in IPv6 network

  • Re-routeall HTTP (IPv6) connectionsto Internet (IPv4)

Demo 3 wpad ipv6 attack

Demo 3: WPAD IPv6 Attack

Step 1 victim searhs for wpad a record using llmnr

Step 1: Victimsearhsfor WPAD A record using LLMNR

Step 2 evil foca answers with aaaa

Step 2: Evil FOCA answerswith AAAA

Step 3 vitim asks then for wpad aaaa record using llmnr

Step 3: Vitimasks (then) for WPAD AAAA Record using LLMNR

Step 4 evil foca confirms wpad ipv6 address

Step 4: Evil FOCA confirms WPAD IPv6 address…

Step 5 victims asks for wpad pac file in evil foca ipv6 web server

Step 5: Victimsasksfor WPAD.PAC file in EVIL FOCA IPv6 Web Server

Step 6 evil foca sends wpad pac

Step 6: Evil FOCA Sends WPAD.PAC

Step 7 evil foca starts up a proxy

Step 7: Evil FOCA starts up a Proxy

Bonus level


Http s connections

HTTP-s Connections

  • SSL Strip

    • Remove “S” from HTTP-s links

  • SSL Sniff

    • Use a Fake CA tocreatedynamiclyFakeCA

  • Bridging HTTP-s

    • Between Server and Evil FOCA -> HTTP-s

    • BetweenEvil FOCA and victim -> HTTP

  • Evil FOCA does SSL Strip and Briding HTTP-s (so far)

Google results page

Google Results Page

  • Evil FOCA will:

    • Take off Google Redirect

    • SSL Stripanyresult

Step 8 victim searchs facebook in google

Step 8: Victimsearchs Facebook in Google

Step 9 connects to facebook

Step 9: Connectsto Facebook

Step 10 grab password with wireshark

Step 10: GrabpasswordwithWireShark

Other evil foca attacks

OtherEvil FOCA Attacks

  • MiTM IPv6

    • NA Spoofing

    • SLAAC attack

    • WPAD (IPv6)

    • Rogue DHCP

  • DOS

    • IPv6 tofake MAC using NA Spoofing (in progress)

    • SLAAC DOS using RA Storm

  • MiTM IPv4

    • ARP Spoofing

    • Rogue DHCP (in progress)

    • DHCP ACK injection

    • WPAD (IPv4)

  • DOS IPv4

    • Fake MAC to IPv4

  • DNS Hijacking

Slaac d o s




  • IPv6 isonyour box

    • Configure itorkillit (ifpossible)

  • IPv6 isonyournetwork

    • IPv4 securitycontrols are notenough

    • Topera (port scanner over IPv6)

    • Slowlorisover IPv6

    • Kaspersky POD

    • Michael Lynn & CISCO GATE

    • SUDO bug (IPv6)

Big thanks to

Big Thanksto

  • THC (TheHacker’sChoice)

    • Included in Back Track/Kali

    • Parasite6

    • Redir6

    • Flood_router6

    • …..

  • Scappy

Street fighter spanish vega

Street Fighter “spanish” Vega

Enjoy evil foca

EnjoyEvil FOCA

  • http://www.informatica64.com/evilfoca/

  • Nextweek, DefconVersion at:

  • http://blog.elevenpaths.com

  • chema@11paths.com

  • @chemaalonso

  • Login