Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fear the Evil FOCA Attacking Internet Connections with IPv6 Chema

Published byJonathon Tarr Modified over 9 years ago

Similar presentations

Presentation on theme: "Fear the Evil FOCA Attacking Internet Connections with IPv6 Chema"— Presentation transcript:

1 Fear the Evil FOCA Attacking Internet Connections with IPv6 Chema Alonso @chemaAlonso chema@11paths.com

2 Spain is different

3

4

5

6

7 ipconfig

8 IPv6 is on your box!

9 And it works!: route print

10 And it works!: ping

11

12 LLMNR

13 ICMPv6 (NDP) No ARP – No ARP Spoofing – Tools anti-ARP Spoofing are useless Neighbor Discovery Protocol uses ICPMv6 – NS: Neighbor Solicitation – NA: Neighbor Advertisement

14 And it works!: Neightbors

15 NS/NA

16 Level 1: Mitm with NA Spoofing

17 NA Spoofing

18

19 Demo 1: Mitm using NA Spoofing and capturng SMB files

20 Spaniards!

21

22 Step 1: Evil FOCA

23 Step 2: Connect to SMB Server

24 Step 3: Wireshark

25 Step 4: Follow TCP Stream

26 LEVEL 2: SLAAC Attack

27 ICMPv6: SLAAC Stateless Address Auto Configuration Devices ask for routers Routers public their IPv6 Address Devices auto-configure IPv6 and Gateway – RS: Router Solicitation – RA: Router Advertisement

28 Rogue DHCPv6

29 DNS Autodiscovery

30 And it works!: Web Browser

31 Not in all Web Browsers…

32 Windows Behavior IPv4 & IPv6 (both fully configured) – DNSv4 queries A & AAAA IPv6 Only (IPv4 not fully configured) – DNSv6 queries A IPv6 & IPv4 Local Link – DNSv6 queries AAAA

33 From A to AAAA

34 DNS64 & NAT64

35 Demo 2: 8ttp colon SLAAC SLAAC

36 Step 1: No AAAA record

37 Step 2: IPv4 not fully conf. DHCP attack

38 Step 3: Evil FOCA SLAAC Attack

39 Step 4: Victim has Internet over IPv6

40 Level 3: WPAD attack in IPv6

41 WebProxy AutoDiscovery Automatic configuation of Web Proxy Servers Web Browsers search for WPAD DNS record Connect to Server and download WPAD.pac Configure HTTP connections through Proxy

42 WPAD Attack Evil FOCA configures DNS Answers for WPAD Configures a Rogue Proxy Server listening in IPv6 network Re-route all HTTP (IPv6) connections to Internet (IPv4)

43 Demo 3: WPAD IPv6 Attack

44 Step 1: Victim searhs for WPAD A record using LLMNR

45 Step 2: Evil FOCA answers with AAAA

46 Step 3: Vitim asks (then) for WPAD AAAA Record using LLMNR

47 Step 4: Evil FOCA confirms WPAD IPv6 address…

48 Step 5: Victims asks for WPAD.PAC file in EVIL FOCA IPv6 Web Server

49 Step 6: Evil FOCA Sends WPAD.PAC

50 Step 7: Evil FOCA starts up a Proxy

51 Bonus Level

52 HTTP-s Connections SSL Strip – Remove “S” from HTTP-s links SSL Sniff – Use a Fake CA to create dynamicly Fake CA Bridging HTTP-s – Between Server and Evil FOCA -> HTTP-s – Between Evil FOCA and victim -> HTTP Evil FOCA does SSL Strip and Briding HTTP-s (so far)

53 Google Results Page Evil FOCA will: – Take off Google Redirect – SSL Strip any result

54 Step 8: Victim searchs Facebook in Google

55 Step 9: Connects to Facebook

56 Step 10: Grab password with WireShark

57 Other Evil FOCA Attacks MiTM IPv6 – NA Spoofing – SLAAC attack – WPAD (IPv6) – Rogue DHCP DOS – IPv6 to fake MAC using NA Spoofing (in progress) – SLAAC DOS using RA Storm MiTM IPv4 – ARP Spoofing – Rogue DHCP (in progress) – DHCP ACK injection – WPAD (IPv4) DOS IPv4 – Fake MAC to IPv4 DNS Hijacking

58 SLAAC D.O.S.

59 Conclusions IPv6 is on your box – Configure it or kill it (if possible) IPv6 is on your network – IPv4 security controls are not enough – Topera (port scanner over IPv6) – Slowloris over IPv6 – Kaspersky POD – Michael Lynn & CISCO GATE – SUDO bug (IPv6) – …

60 Big Thanks to THC (The Hacker’s Choice) – Included in Back Track/Kali – Parasite6 – Redir6 – Flood_router6 – ….. Scappy

61 Street Fighter “spanish” Vega

62 Enjoy Evil FOCA http://www.informatica64.com/evilfoca/ Next week, Defcon Version at: http://blog.elevenpaths.com chema@11paths.com @chemaalonso

Download ppt "Fear the Evil FOCA Attacking Internet Connections with IPv6 Chema"

Similar presentations

Security Assessment of Neighbor Discovery for IPv6

Security Assessment of Neighbor Discovery for IPv6
1 IEEE Symposium on Security and Privacy, May 2009 Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang Microsoft Research Purdue University May 20 th, 2009.

1 IEEE Symposium on Security and Privacy, May 2009 Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang Microsoft Research Purdue University May 20 th, 2009.
10: ICMPv6 Neighbor Discovery

10: ICMPv6 Neighbor Discovery
DHCPv6.

DHCPv6.
Prof. Kristofer S.J. Pister’s team Berkeley Sensor and Actuator Center University of California, Berkeley.

Prof. Kristofer S.J. Pister’s team Berkeley Sensor and Actuator Center University of California, Berkeley.
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
1 Navaneethan C. Arjuman Phd Candidate and MyBrain Fellow National Advanced IPv6 Centre February 2012.

1 Navaneethan C. Arjuman Phd Candidate and MyBrain Fellow National Advanced IPv6 Centre February 2012.
1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Regional Cisco Networking Academy Conference.

1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada Regional Cisco Networking Academy Conference.
5: Link-Local Addresses Rick Graziani Cabrillo College

5: Link-Local Addresses Rick Graziani Cabrillo College
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
Chapter 8b Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Describe the structure of an IPv4 address.  Describe.

Chapter 8b Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Describe the structure of an IPv4 address.  Describe.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing & Switching.
Instructor & Todd Lammle

Instructor & Todd Lammle
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing and Switching Essentials.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing and Switching Essentials.
1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada DHCPv6 and IPv6 Automatic Address Allocation.

1 © 2013 Cisco Systems, Inc. All rights reserved. Cisco confidential. Cisco Networking Academy, US/Canada DHCPv6 and IPv6 Automatic Address Allocation.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.

Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.

Similar presentations

Ads by Google