1 / 62

Fear the Evil FOCA Attacking Internet Connections with IPv6

Fear the Evil FOCA Attacking Internet Connections with IPv6. Chema Alonso @ chemaAlonso chema@11paths.com. Spain is different. Spain is different. Spain is different. Spain is different. ipconfig. IPv6 is on your box!. And it works !: route print. And it works !: ping.

lona
Download Presentation

Fear the Evil FOCA Attacking Internet Connections with IPv6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FeartheEvil FOCAAttacking Internet ConnectionswithIPv6 Chema Alonso @chemaAlonso chema@11paths.com

  2. Spainisdifferent

  3. Spainisdifferent

  4. Spainisdifferent

  5. Spainisdifferent

  6. ipconfig

  7. IPv6 isonyour box!

  8. And itworks!: routeprint

  9. And itworks!: ping

  10. And itworks!: ping

  11. LLMNR

  12. ICMPv6 (NDP) • No ARP • No ARP Spoofing • Tools anti-ARP Spoofing are useless • NeighborDiscoveryProtocoluses ICPMv6 • NS: NeighborSolicitation • NA: NeighborAdvertisement

  13. And itworks!: Neightbors

  14. NS/NA

  15. Level 1: Mitmwith NA Spoofing

  16. NA Spoofing

  17. NA Spoofing

  18. Demo 1: Mitmusing NA Spoofing and capturng SMB files

  19. Spaniards!

  20. Step 1: Evil FOCA

  21. Step 2: Connectto SMB Server

  22. Step 3: Wireshark

  23. Step 4: Follow TCP Stream

  24. LEVEL 2: SLAAC Attack

  25. ICMPv6: SLAAC • StatelessAddress Auto Configuration • Devicesaskforrouters • Routerspublictheir IPv6 Address • Devices auto-configure IPv6 and Gateway • RS: RouterSolicitation • RA: RouterAdvertisement

  26. Rogue DHCPv6

  27. DNS Autodiscovery

  28. And itworks!: Web Browser

  29. Not in all Web Browsers…

  30. Windows Behavior • IPv4 & IPv6 (bothfullyconfigured) • DNSv4 queries A & AAAA • IPv6 Only (IPv4 notfullyconfigured) • DNSv6 queries A • IPv6 & IPv4 Local Link • DNSv6 queries AAAA

  31. From A to AAAA

  32. DNS64 & NAT64

  33. Demo 2: 8ttp colonSLAAC SLAAC

  34. Step 1: No AAAA record

  35. Step 2: IPv4 notfully conf. DHCP attack

  36. Step 3: Evil FOCA SLAAC Attack

  37. Step 4: Victim has Internet over IPv6

  38. Level 3: WPAD attack in IPv6

  39. WebProxyAutoDiscovery • Automaticconfiguation of Web Proxy Servers • Web Browsers searchfor WPAD DNS record • Connectto Server and downloadWPAD.pac • Configure HTTP connectionsthrough Proxy

  40. WPAD Attack • Evil FOCA configures DNS Answersfor WPAD • Configures a Rogue Proxy Server listening in IPv6 network • Re-routeall HTTP (IPv6) connectionsto Internet (IPv4)

  41. Demo 3: WPAD IPv6 Attack

  42. Step 1: Victimsearhsfor WPAD A record using LLMNR

  43. Step 2: Evil FOCA answerswith AAAA

  44. Step 3: Vitimasks (then) for WPAD AAAA Record using LLMNR

  45. Step 4: Evil FOCA confirms WPAD IPv6 address…

  46. Step 5: Victimsasksfor WPAD.PAC file in EVIL FOCA IPv6 Web Server

  47. Step 6: Evil FOCA Sends WPAD.PAC

  48. Step 7: Evil FOCA starts up a Proxy

More Related