Fear the Evil FOCA: Attacking Internet Connections with IPv6. Chema Alonso @chemaAlonso chema@11paths.com. Spain is different. ipconfig. IPv6 is on your box! And it works!: route print. And it works!: ping.
ICMPv6 (NDP)
• No ARP
• No ARP spoofing
• Anti-ARP-spoofing tools are useless
• Neighbor Discovery Protocol uses ICMPv6
• NS: Neighbor Solicitation
• NA: Neighbor Advertisement
ICMPv6: SLAAC
• Stateless Address Auto Configuration
• Devices ask for routers
• Routers publish their IPv6 address
• Devices auto-configure IPv6 and gateway
• RS: Router Solicitation
• RA: Router Advertisement
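
A defender's view of the NDP and SLAAC slides above, as an added example that is not from the original deck or from Evil FOCA: a small monitor that parses raw ICMPv6 Router and Neighbor Advertisements, flags RAs from routers outside an allowlist, and flags NAs that rebind a known address to a different MAC. The name `NdpMonitor`, the helper names, and the sample addresses and frames are constructed for illustration; checksums are not verified.

```python
import ipaddress
import struct

RA, NA = 134, 136                  # ICMPv6 types for NDP (RFC 4861)
OPT_OFFSET = {RA: 16, NA: 24}      # offset where NDP options start
TGT_LLADDR = 2                     # Target Link-Layer Address option

def ndp_options(msg, offset):
    """Yield (type, data) per option; stop at a malformed length."""
    while offset + 2 <= len(msg):
        size = msg[offset + 1] * 8  # length field counts 8-byte units
        if size == 0 or offset + size > len(msg):
            return                  # zero or overlong length: ignore the rest
        yield msg[offset], msg[offset + 2:offset + size]
        offset += size

class NdpMonitor:
    def __init__(self, allowed_routers):
        self.allowed = {ipaddress.ip_address(a) for a in allowed_routers}
        self.neighbors = {}         # IPv6 address -> first MAC seen

    def inspect(self, src, msg):
        """Return alerts for one ICMPv6 message (checksum not verified)."""
        kind = msg[0] if msg else None
        if kind not in OPT_OFFSET or len(msg) < OPT_OFFSET[kind]:
            return []
        alerts = []
        if kind == RA and ipaddress.ip_address(src) not in self.allowed:
            alerts.append(f"RA from unlisted router {src}")
        opts = dict(ndp_options(msg, OPT_OFFSET[kind]))
        if kind == NA and TGT_LLADDR in opts:
            target = str(ipaddress.IPv6Address(bytes(msg[8:24])))
            mac = opts[TGT_LLADDR][:6].hex(":")
            known = self.neighbors.setdefault(target, mac)
            if known != mac:        # binding differs from the first one seen
                alerts.append(f"NA rebinds {target}: {known} -> {mac}")
        return alerts

# Constructed sample: a Router Advertisement with no options.
SAMPLE_RA = struct.pack("!BBHBBHII", RA, 0, 0, 64, 0, 1800, 0, 0)

def build_na(target, mac):          # constructed sample: NA with override flag
    head = struct.pack("!BBHI", NA, 0, 0, 0x20000000)
    return head + ipaddress.IPv6Address(target).packed + bytes([TGT_LLADDR, 1]) + mac

def demo():
    mon, gw = NdpMonitor(["fe80::1"]), "fe80::1"
    frames = [(gw, SAMPLE_RA), ("fe80::bad", SAMPLE_RA),
              (gw, build_na(gw, bytes.fromhex("020000000001"))),
              ("fe80::bad", build_na(gw, bytes.fromhex("0200000000ff")))]
    return [a for src, msg in frames for a in mon.inspect(src, msg)]
```
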
Windows Behavior
• IPv4 & IPv6 (both fully configured)
• DNSv4 queries A & AAAA
• IPv6 Only (IPv4 not fully configured)
• DNSv6 queries A
• IPv6 & IPv4 Local Link
• DNSv6 queries AAAA
Web Proxy Auto Discovery
• Automatic configuration of Web Proxy Servers
• Web browsers search for the WPAD DNS record
• Connect to the server and download WPAD.pac
• Configure HTTP connections through the proxy
WPAD Attack
• Evil FOCA configures DNS answers for WPAD
• Configures a rogue proxy server listening in the IPv6 network
• Re-route all HTTP (IPv6) connections to Internet (IPv4)
Step 5: Victim asks for the WPAD.PAC file from the EVIL FOCA IPv6 Web Server