Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6

Talk delivered by Chema Alonso at DEFCON 21 about man-in-the-middle attacks using IPv6 with Evil FOCA.


Transcript

  • 1. Fear the Evil FOCA: Attacking Internet Connections with IPv6. Chema Alonso, @chemaAlonso, chema@11paths.com
  • 2. Spain is different
  • 3. Spain is different
  • 4. Spain is different
  • 5. Spain is different
  • 6. ipconfig
  • 7. IPv6 is on your box!
  • 8. And it works!: route print
  • 9. And it works!: ping
  • 10. And it works!: ping
  • 11. LLMNR
  • 12. ICMPv6 (NDP)
      • No ARP
          – No ARP Spoofing
          – Anti-ARP-spoofing tools are useless
      • Neighbor Discovery Protocol uses ICMPv6
          – NS: Neighbor Solicitation
          – NA: Neighbor Advertisement
  • 13. And it works!: Neighbors
  • 14. NS/NA
  • 15. Level 1: Mitm with NA Spoofing
  • 16. NA Spoofing
  • 17. NA Spoofing
  • 18. Demo 1: Mitm using NA Spoofing and capturing SMB files
  • 19. Spaniards!
  • 20. Step 1: Evil FOCA
  • 21. Step 2: Connect to SMB Server
  • 22. Step 3: Wireshark
  • 23. Step 4: Follow TCP Stream
  • 24. LEVEL 2: SLAAC Attack
  • 25. ICMPv6: SLAAC
      • Stateless Address Auto Configuration
      • Devices ask for routers
      • Routers publish their IPv6 address
      • Devices auto-configure IPv6 and gateway
          – RS: Router Solicitation
          – RA: Router Advertisement
  • 26. Rogue DHCPv6
  • 27. DNS Autodiscovery
  • 28. And it works!: Web Browser
  • 29. Not in all Web Browsers…
  • 30. Windows Behavior
      • IPv4 & IPv6 (both fully configured)
          – DNSv4 queries A & AAAA
      • IPv6 Only (IPv4 not fully configured)
          – DNSv6 queries A
      • IPv6 & IPv4 Local Link
          – DNSv6 queries AAAA
  • 31. From A to AAAA
  • 32. DNS64 & NAT64
  • 33. Demo 2: 8ttp colon SLAAC SLAAC
  • 34. Step 1: No AAAA record
  • 35. Step 2: IPv4 not fully configured. DHCP attack
  • 36. Step 3: Evil FOCA SLAAC Attack
  • 37. Step 4: Victim has Internet over IPv6
  • 38. Level 3: WPAD attack in IPv6
  • 39. WebProxy AutoDiscovery
      • Automatic configuration of Web Proxy Servers
      • Web Browsers search for WPAD DNS record
      • Connect to Server and download WPAD.pac
      • Configure HTTP connections through Proxy
  • 40. WPAD Attack
      • Evil FOCA configures DNS Answers for WPAD
      • Configures a Rogue Proxy Server listening in IPv6 network
      • Re-route all HTTP (IPv6) connections to Internet (IPv4)
  • 41. Demo 3: WPAD IPv6 Attack
  • 42. Step 1: Victim searches for WPAD A record using LLMNR
  • 43. Step 2: Evil FOCA answers with AAAA
  • 44. Step 3: Victim asks (then) for WPAD AAAA Record using LLMNR
  • 45. Step 4: Evil FOCA confirms WPAD IPv6 address…
  • 46. Step 5: Victim asks for WPAD.PAC file in EVIL FOCA IPv6 Web Server
  • 47. Step 6: Evil FOCA Sends WPAD.PAC
  • 48. Step 7: Evil FOCA starts up a Proxy
  • 49. Bonus Level
  • 50. HTTP-s Connections
      • SSL Strip
          – Remove “S” from HTTP-s links
      • SSL Sniff
          – Use a Fake CA to create dynamically Fake CA
      • Bridging HTTP-s
          – Between Server and Evil FOCA -> HTTP-s
          – Between Evil FOCA and victim -> HTTP
      • Evil FOCA does SSL Strip and Bridging HTTP-s (so far)
  • 51. Google Results Page
      • Evil FOCA will:
          – Take off Google Redirect
          – SSL Strip any result
  • 52. Step 8: Victim searches for Facebook in Google
  • 53. Step 9: Connects to Facebook
  • 54. Step 10: Grab password with WireShark
  • 55. Other Evil FOCA Attacks
      • MiTM IPv6
          – NA Spoofing
          – SLAAC attack
          – WPAD (IPv6)
          – Rogue DHCP
      • DOS
          – IPv6 to fake MAC using NA Spoofing (in progress)
          – SLAAC DOS using RA Storm
      • MiTM IPv4
          – ARP Spoofing
          – Rogue DHCP (in progress)
          – DHCP ACK injection
          – WPAD (IPv4)
      • DOS IPv4
          – Fake MAC to IPv4
      • DNS Hijacking
  • 56. SLAAC D.O.S.
  • 57. Conclusions
      • IPv6 is on your box
          – Configure it or kill it (if possible)
      • IPv6 is on your network
          – IPv4 security controls are not enough
          – Topera (port scanner over IPv6)
          – Slowloris over IPv6
          – Kaspersky POD
          – Michael Lynn & CISCO GATE
          – SUDO bug (IPv6)
          – …
  • 58. Big Thanks to
      • THC (The Hacker’s Choice)
          – Included in BackTrack/Kali
          – Parasite6
          – Redir6
          – Flood_router6
          – …..
      • Scapy
  • 59. Street Fighter “Spanish” Vega
  • 60. Enjoy Evil FOCA
      • http://www.informatica64.com/evilfoca/
      • Next week, Defcon Version at:
      • http://blog.elevenpaths.com
      • chema@11paths.com
      • @chemaalonso
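
An added example, not from the talk or from Evil FOCA: a defender-side check for the two ICMPv6 conditions the slides build on, one IPv6 address claimed in Neighbor Advertisements by more than one MAC (slides 12 to 17) and Router Advertisements from a MAC that is not a known router (slides 24 to 25). The event tuples, the `KNOWN_ROUTER_MACS` inventory and the `analyze` function are assumptions made for illustration; the sample data is constructed.

```python
from collections import defaultdict

# ICMPv6 message types used by Neighbor Discovery (RFC 4861)
ROUTER_ADVERTISEMENT = 134
NEIGHBOR_ADVERTISEMENT = 136

# Constructed sample observations (not captured traffic).
# Tuple layout (an assumption): (ICMPv6 type, source MAC, IPv6 address spoken for)
#   NA -> the target address being claimed; RA -> the router's link-local address
SAMPLE_EVENTS = [
    (136, "00:11:22:33:44:55", "fe80::1c2d:3e4f:5a6b:7c8d"),
    (134, "00:aa:bb:cc:dd:01", "fe80::1"),
    (136, "00:11:22:33:44:66", "fe80::a1b2:c3d4:e5f6:718"),
    (136, "02:DE:AD:BE:EF:99", "fe80::1c2d:3e4f:5a6b:7c8d"),  # second MAC, same target
    (134, "02:de:ad:be:ef:99", "fe80::dead"),                  # RA from unlisted MAC
]

# Assumption: the site keeps an inventory of legitimate router MACs.
KNOWN_ROUTER_MACS = {"00:aa:bb:cc:dd:01"}


def analyze(events, known_routers):
    """Return (na_conflicts, rogue_ras).

    na_conflicts: {ipv6_address: [macs]} for addresses advertised by 2+ MACs.
    rogue_ras:    [(mac, router_address)] for RAs from MACs not in known_routers.
    A conflict is an indicator, not proof: NIC swaps and failover pairs also
    produce it, so correlate with timing and the switch port before acting.
    """
    owners = defaultdict(list)
    rogue_ras = []
    for icmp_type, mac, addr in events:
        mac = mac.lower()  # normalise so case differences do not hide a match
        if icmp_type == NEIGHBOR_ADVERTISEMENT:
            if mac not in owners[addr]:
                owners[addr].append(mac)
        elif icmp_type == ROUTER_ADVERTISEMENT and mac not in known_routers:
            rogue_ras.append((mac, addr))
    na_conflicts = {a: macs for a, macs in owners.items() if len(macs) > 1}
    return na_conflicts, rogue_ras


if __name__ == "__main__":
    conflicts, rogues = analyze(SAMPLE_EVENTS, KNOWN_ROUTER_MACS)
    for addr, macs in conflicts.items():
        print(f"NA conflict: {addr} claimed by {', '.join(macs)}")
    for mac, addr in rogues:
        print(f"Unlisted RA source: {mac} ({addr})")
```

On managed switches the same two conditions are what RA Guard and ND inspection features enforce at the port level; this check is for networks where only passive monitoring is available.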
