Fear the Evil FOCA Attacking Internet Connections with IPv6 · 2013-08-27
Chema Alonso
@chemaAlonso · chema@11paths.com

Spain is different

ipconfig

IPv6 is on your box!

And it works!: route print

And it works!: ping

LLMNR

ICMPv6 (NDP)
• No ARP
  – No ARP Spoofing
  – Anti-ARP-spoofing tools are useless
• Neighbor Discovery Protocol uses ICMPv6
  – NS: Neighbor Solicitation
  – NA: Neighbor Advertisement

And it works!: Neighbors

NS/NA

Level 1: MiTM with NA Spoofing

NA Spoofing

Demo 1: MiTM using NA Spoofing and capturing SMB files

Spaniards!

Step 1: Evil FOCA

Step 2: Connect to SMB Server

Step 3: Wireshark

Step 4: Follow TCP Stream
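
NA spoofing succeeds because a host accepts a Neighbor Advertisement that rebinds an IPv6 address to a different link-layer address, so the defensive counterpart is to watch for exactly that rebinding. The following is an added example, not code from the talk or from Evil FOCA: a parser for the ICMPv6 NA body and a trust-on-first-use binding monitor. The class and function names, the constructed sample messages and the choice to keep the first-seen binding are assumptions of this example.

```python
import ipaddress

ND_NEIGHBOR_ADVERT = 136  # ICMPv6 type of a Neighbor Advertisement (RFC 4861)
OPT_TARGET_LLADDR = 2     # Target Link-Layer Address option


def parse_na(icmp6: bytes):
    """Parse an ICMPv6 NA body; return a dict, or None if malformed."""
    if len(icmp6) < 24 or icmp6[0] != ND_NEIGHBOR_ADVERT:
        return None
    flags, mac, pos = icmp6[4], None, 24
    while pos < len(icmp6):
        if pos + 2 > len(icmp6):
            return None
        # Option length is expressed in units of 8 bytes.
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            return None  # zero-length or truncated option: discard the message
        if opt_type == OPT_TARGET_LLADDR:
            mac = icmp6[pos + 2:pos + 8].hex(":")
        pos += opt_len
    return {
        "target": str(ipaddress.IPv6Address(icmp6[8:24])),
        "mac": mac,
        "solicited": bool(flags & 0x40),
        "override": bool(flags & 0x20),
    }


class NeighborMonitor:
    """Trust-on-first-use table of IPv6 -> MAC bindings learned from NAs."""

    def __init__(self, pinned=None):
        # Optional static entries, e.g. the default gateway (assumption).
        self.bindings = dict(pinned or {})

    def observe(self, icmp6: bytes):
        """Return an alert string when an NA contradicts a known binding."""
        na = parse_na(icmp6)
        if na is None or na["mac"] is None:
            return None
        known = self.bindings.setdefault(na["target"], na["mac"])
        if known == na["mac"]:
            return None
        unsolicited = na["override"] and not na["solicited"]
        kind = "unsolicited override" if unsolicited else "conflicting"
        # The first binding is kept, so a repeated spoofed NA keeps alerting.
        return f"{kind} NA: {na['target']} was {known}, now claimed by {na['mac']}"


def build_sample_na(target, mac, solicited, override):
    """Constructed test input: an NA body with the checksum left as zero."""
    flags = (0x40 if solicited else 0) | (0x20 if override else 0)
    header = bytes([ND_NEIGHBOR_ADVERT, 0, 0, 0, flags, 0, 0, 0])
    option = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return header + ipaddress.IPv6Address(target).packed + option


if __name__ == "__main__":
    monitor = NeighborMonitor()
    samples = [
        build_sample_na("fe80::10", "02:00:00:00:00:10", True, True),
        build_sample_na("fe80::10", "02:00:00:00:00:66", False, True),
    ]
    for msg in samples:
        print(monitor.observe(msg))
```

A legitimate interface replacement also produces a binding change, so an alert is a prompt to check the switch port rather than proof of spoofing.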

LEVEL 2: SLAAC Attack

ICMPv6: SLAAC
• Stateless Address Auto Configuration
• Devices ask for routers
• Routers publish their IPv6 Address
• Devices auto-configure IPv6 and Gateway
  – RS: Router Solicitation
  – RA: Router Advertisement

Rogue DHCPv6

DNS Autodiscovery

And it works!: Web Browser

Not in all Web Browsers…

Windows Behavior
• IPv4 & IPv6 (both fully configured)
  – DNSv4 queries A & AAAA
• IPv6 Only (IPv4 not fully configured)
  – DNSv6 queries A
• IPv6 & IPv4 Local Link
  – DNSv6 queries AAAA

From A to AAAA

DNS64 & NAT64

Demo 2: 8ttp colon SLAAC SLAAC

Step 1: No AAAA record

Step 2: IPv4 not fully conf. DHCP attack

Step 3: Evil FOCA SLAAC Attack

Step 4: Victim has Internet over IPv6

Level 3: WPAD attack in IPv6

WebProxy AutoDiscovery
• Automatic configuration of Web Proxy Servers
• Web Browsers search for WPAD DNS record
• Connect to Server and download WPAD.pac
• Configure HTTP connections through Proxy

WPAD Attack
• Evil FOCA configures DNS Answers for WPAD
• Configures a Rogue Proxy Server listening in IPv6 network
• Re-route all HTTP (IPv6) connections to Internet (IPv4)

Demo 3: WPAD IPv6 Attack

Step 1: Victim searches for WPAD A record using LLMNR

Step 2: Evil FOCA answers with AAAA

Step 3: Victim asks (then) for WPAD AAAA Record using LLMNR

Step 4: Evil FOCA confirms WPAD IPv6 address…

Step 5: Victim asks for WPAD.PAC file in EVIL FOCA IPv6 Web Server

Step 6: Evil FOCA Sends WPAD.PAC

Step 7: Evil FOCA starts up a Proxy
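
The seven steps above leave a recognisable trail on the wire: an LLMNR answer for the name wpad, a record type that does not match the question, and then a proxy-configuration download from the host that answered. The following is an added example, not code from the talk or from Evil FOCA, that correlates those three signals. The event schema, field names, addresses and the 30-second window are assumptions of this example, and the sample events are constructed.

```python
# The slides name the file WPAD.PAC; WPAD clients conventionally request wpad.dat.
PAC_NAMES = {"wpad.pac", "wpad.dat"}
WINDOW = 30.0  # assumed max seconds between the wpad answer and the PAC download

# Constructed events in a hypothetical sensor schema (not real capture data).
SAMPLE_EVENTS = [
    {"ts": 50.0, "kind": "llmnr_query", "src": "fe80::b", "name": "printer", "qtype": "A"},
    {"ts": 50.1, "kind": "llmnr_response", "src": "fe80::c", "dst": "fe80::b",
     "name": "printer", "rtype": "A", "answer": "169.254.10.20"},
    {"ts": 100.0, "kind": "llmnr_query", "src": "fe80::a", "name": "wpad", "qtype": "A"},
    {"ts": 100.1, "kind": "llmnr_response", "src": "fe80::e", "dst": "fe80::a",
     "name": "wpad", "rtype": "AAAA", "answer": "fe80::e"},
    {"ts": 100.2, "kind": "llmnr_query", "src": "fe80::a", "name": "wpad", "qtype": "AAAA"},
    {"ts": 100.3, "kind": "llmnr_response", "src": "fe80::e", "dst": "fe80::a",
     "name": "wpad", "rtype": "AAAA", "answer": "fe80::e"},
    {"ts": 100.9, "kind": "http_get", "src": "fe80::a", "dst": "fe80::e", "path": "/wpad.pac"},
    {"ts": 101.5, "kind": "http_get", "src": "fe80::b", "dst": "fe80::c", "path": "/index.html"},
]


def detect_wpad_llmnr(events, window=WINDOW):
    """Return (finding, client, responder) tuples in time order.

    wpad_answered : some on-link host answered an LLMNR query for "wpad"
    type_mismatch : that answer's record type differs from the question's
    pac_fetched   : the client then downloaded a PAC file from the answer
    """
    findings = []
    last_qtype = {}  # (client, name) -> record type most recently asked for
    answered = {}    # (client, answered address) -> time of the wpad answer
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["kind"]
        if kind == "llmnr_query":
            last_qtype[(ev["src"], ev["name"].lower())] = ev["qtype"]
        elif kind == "llmnr_response" and ev["name"].lower() == "wpad":
            client = ev["dst"]
            asked = last_qtype.get((client, "wpad"))
            mismatch = asked is not None and asked != ev["rtype"]
            label = "type_mismatch" if mismatch else "wpad_answered"
            findings.append((label, client, ev["src"]))
            answered[(client, ev["answer"])] = ev["ts"]
        elif kind == "http_get":
            filename = ev["path"].rsplit("/", 1)[-1].lower()
            seen = answered.get((ev["src"], ev["dst"]))
            if filename in PAC_NAMES and seen is not None and ev["ts"] - seen <= window:
                findings.append(("pac_fetched", ev["src"], ev["dst"]))
    return findings


if __name__ == "__main__":
    for finding in detect_wpad_llmnr(SAMPLE_EVENTS):
        print(finding)
```

On a network where proxy settings are distributed by policy, any `wpad_answered` finding is already worth investigating, and `pac_fetched` identifies the clients whose proxy configuration needs to be checked.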

Bonus Level

HTTP-s Connections
• SSL Strip
  – Remove “S” from HTTP-s links
• SSL Sniff
  – Use a Fake CA to dynamically create Fake CA
• Bridging HTTP-s
  – Between Server and Evil FOCA -> HTTP-s
  – Between Evil FOCA and victim -> HTTP
• Evil FOCA does SSL Strip and Bridging HTTP-s (so far)

Google Results Page
• Evil FOCA will:
  – Take off Google Redirect
  – SSL Strip any result

Step 8: Victim searches Facebook in Google

Step 9: Connects to Facebook

Step 10: Grab password with WireShark

Other Evil FOCA Attacks
• MiTM IPv6
  – NA Spoofing
  – SLAAC attack
  – WPAD (IPv6)
  – Rogue DHCP
• DOS
  – IPv6 to fake MAC using NA Spoofing (in progress)
  – SLAAC DOS using RA Storm
• MiTM IPv4
  – ARP Spoofing
  – Rogue DHCP (in progress)
  – DHCP ACK injection
  – WPAD (IPv4)
• DOS IPv4
  – Fake MAC to IPv4
• DNS Hijacking

SLAAC D.O.S.

Conclusions
• IPv6 is on your box
  – Configure it or kill it (if possible)
• IPv6 is on your network
  – IPv4 security controls are not enough
  – Topera (port scanner over IPv6)
  – Slowloris over IPv6
  – Kaspersky POD
  – Michael Lynn & CISCO GATE
  – SUDO bug (IPv6)
  – …

Big Thanks to
• THC (The Hacker’s Choice)
  – Included in Back Track/Kali
  – Parasite6
  – Redir6
  – Flood_router6
  – …..
• Scapy

Street Fighter “spanish” Vega

Enjoy Evil FOCA
• http://www.informatica64.com/evilfoca/
• Next week, Defcon Version at:
• http://blog.elevenpaths.com
• chema@11paths.com
• @chemaalonso