Defcon 21 - Fear the Evil FOCA: mitm attacks using IPv6

Talk delivered by Chema Alonso in DEFCON 21 about man in the middle attacks using IPv6 with Evil FOCA.

  1. Fear the Evil FOCA: Attacking Internet Connections with IPv6. Chema Alonso, @chemaAlonso, chema@11paths.com
  2. Spain is different
  3. Spain is different
  4. Spain is different
  5. Spain is different
  6. ipconfig
  7. IPv6 is on your box!
  8. And it works!: route print
  9. And it works!: ping
  10. And it works!: ping
  11. LLMNR
  12. ICMPv6 (NDP)
      • No ARP
        – No ARP spoofing
        – Anti-ARP-spoofing tools are useless
      • Neighbor Discovery Protocol uses ICMPv6
        – NS: Neighbor Solicitation
        – NA: Neighbor Advertisement
  13. And it works!: Neighbors
  14. NS/NA
  15. Level 1: MITM with NA spoofing
  16. NA spoofing
  17. NA spoofing
  18. Demo 1: MITM using NA spoofing and capturing SMB files
  19. Spaniards!
  20. Step 1: Evil FOCA
  21. Step 2: Connect to SMB server
  22. Step 3: Wireshark
  23. Step 4: Follow TCP stream
  24. Level 2: SLAAC attack
  25. ICMPv6: SLAAC
      • Stateless Address Autoconfiguration
      • Devices ask for routers
      • Routers publish their IPv6 address
      • Devices auto-configure their IPv6 address and gateway
        – RS: Router Solicitation
        – RA: Router Advertisement
  26. Rogue DHCPv6
  27. DNS autodiscovery
  28. And it works!: Web browser
  29. Not in all web browsers…
  30. Windows behavior
      • IPv4 & IPv6 (both fully configured)
        – DNSv4 queries A & AAAA
      • IPv6 only (IPv4 not fully configured)
        – DNSv6 queries A
      • IPv6 & IPv4 link-local
        – DNSv6 queries AAAA
  31. From A to AAAA
  32. DNS64 & NAT64
  33. Demo 2: 8ttp colon SLAAC SLAAC
  34. Step 1: No AAAA record
  35. Step 2: IPv4 not fully configured (DHCP attack)
  36. Step 3: Evil FOCA SLAAC attack
  37. Step 4: Victim has Internet over IPv6
  38. Level 3: WPAD attack in IPv6
  39. Web Proxy Auto-Discovery
      • Automatic configuration of web proxy servers
      • Web browsers search for the WPAD DNS record
      • Connect to the server and download WPAD.pac
      • Configure HTTP connections through the proxy
  40. WPAD attack
      • Evil FOCA configures DNS answers for WPAD
      • Configures a rogue proxy server listening on the IPv6 network
      • Re-routes all HTTP (IPv6) connections to the Internet (IPv4)
  41. Demo 3: WPAD IPv6 attack
  42. Step 1: Victim searches for the WPAD A record using LLMNR
  43. Step 2: Evil FOCA answers with AAAA
  44. Step 3: Victim then asks for the WPAD AAAA record using LLMNR
  45. Step 4: Evil FOCA confirms the WPAD IPv6 address…
  46. Step 5: Victim asks for the WPAD.PAC file from the Evil FOCA IPv6 web server
  47. Step 6: Evil FOCA sends WPAD.PAC
  48. Step 7: Evil FOCA starts up a proxy
  49. Bonus Level
  50. HTTPS connections
      • SSL Strip
        – Remove the "S" from HTTPS links
      • SSL Sniff
        – Use a fake CA to dynamically create fake certificates
      • Bridging HTTPS
        – Between server and Evil FOCA -> HTTPS
        – Between Evil FOCA and victim -> HTTP
      • Evil FOCA does SSL Strip and bridging HTTPS (so far)
  51. Google results page
      • Evil FOCA will:
        – Take off the Google redirect
        – SSL Strip any result
  52. Step 8: Victim searches for Facebook in Google
  53. Step 9: Connects to Facebook
  54. Step 10: Grab the password with Wireshark
  55. Other Evil FOCA attacks
      • MITM IPv6
        – NA spoofing
        – SLAAC attack
        – WPAD (IPv6)
        – Rogue DHCP
      • DoS IPv6
        – IPv6 to fake MAC using NA spoofing (in progress)
        – SLAAC DoS using RA storm
      • MITM IPv4
        – ARP spoofing
        – Rogue DHCP (in progress)
        – DHCP ACK injection
        – WPAD (IPv4)
      • DoS IPv4
        – Fake MAC to IPv4
      • DNS hijacking
  56. SLAAC DoS
  57. Conclusions
      • IPv6 is on your box
        – Configure it or kill it (if possible)
      • IPv6 is on your network
        – IPv4 security controls are not enough
        – Topera (port scanner over IPv6)
        – Slowloris over IPv6
        – Kaspersky POD
        – Michael Lynn & CISCO GATE
        – SUDO bug (IPv6)
        – …
  58. Big thanks to
      • THC (The Hacker's Choice)
        – Included in BackTrack/Kali
        – parasite6
        – redir6
        – flood_router6
        – …
      • Scapy
  59. Street Fighter "Spanish" Vega
  60. Enjoy Evil FOCA
      • http://www.informatica64.com/evilfoca/
      • Next week, DEFCON version at:
      • http://blog.elevenpaths.com
      • chema@11paths.com
      • @chemaalonso
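The Level 1 (NA spoofing) and Level 2 (SLAAC / rogue RA) attacks above both leave a visible trace on the wire: an IPv6 address suddenly advertised with a second link-layer address, or a Router Advertisement from a MAC that is not one of the network's routers. As an added example, not code from the talk or from the Evil FOCA tool, the Python below parses raw ICMPv6 NA and RA payloads (RFC 4861 layout) and raises an alert on either condition; the packet builders, addresses and MACs are constructed samples, and the trusted-router allow-list is an assumption the monitor is seeded with.

```python
import ipaddress
ICMPV6_RA, ICMPV6_NA = 134, 136          # ICMPv6 message types (RFC 4861)
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2    # NDP option types
def parse_options(data):
    """Parse NDP TLV options; the length field counts 8-byte units."""
    opts = {}
    while len(data) >= 2:
        typ, length = data[0], data[1] * 8
        if length == 0 or length > len(data):
            raise ValueError("malformed NDP option")
        opts[typ] = data[2:length]
        data = data[length:]
    return opts

def parse_ndp(payload):
    """Decode the fields a monitor needs from a raw NA or RA ICMPv6 payload."""
    if payload[0] == ICMPV6_NA:           # NA flags byte: R=0x80 S=0x40 O=0x20
        opts = parse_options(payload[24:])
        return {"type": "NA", "override": bool(payload[4] & 0x20),
                "target": str(ipaddress.IPv6Address(payload[8:24])),
                "lladdr": opts.get(OPT_TGT_LLADDR, b"")[:6].hex(":")}
    if payload[0] == ICMPV6_RA:           # 16-byte RA header, then options
        opts = parse_options(payload[16:])
        return {"type": "RA", "lladdr": opts.get(OPT_SRC_LLADDR, b"")[:6].hex(":")}
    return {"type": "other"}

class NdpMonitor:
    """Track IPv6 -> MAC bindings from NAs; alert on conflicts and rogue RAs."""
    def __init__(self, trusted_router_macs):   # assumed allow-list of router MACs
        self.trusted, self.bindings, self.alerts = set(trusted_router_macs), {}, []
    def observe(self, payload):
        msg = parse_ndp(payload)
        if msg["type"] == "NA":
            first = self.bindings.setdefault(msg["target"], msg["lladdr"])
            if first != msg["lladdr"]:    # same address now claimed by another MAC
                self.alerts.append(f"NA conflict {msg['target']}: {first} -> {msg['lladdr']}")
        elif msg["type"] == "RA" and msg["lladdr"] not in self.trusted:
            self.alerts.append(f"RA from untrusted router {msg['lladdr']}")
        return msg

def build_na(target, mac, override=True):
    """Constructed sample NA (checksum left zero): header, target, target LLA option."""
    header = bytes([ICMPV6_NA, 0, 0, 0, 0x20 if override else 0, 0, 0, 0])
    opt = bytes([OPT_TGT_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return header + ipaddress.IPv6Address(target).packed + opt

def build_ra(mac):
    """Constructed sample RA (checksum left zero): 16-byte header plus source LLA option."""
    header = bytes([ICMPV6_RA, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)
    return header + bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
```

In a real deployment the payloads would come from a capture on the segment's ICMPv6 traffic, and the first-seen binding should be seeded from known-good inventory rather than trusted blindly.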
