>> All right. All right, hey, everybody.
>> Welcome.
>> SCOTT BEHRENS: Welcome. You have made it. We made it. Today we are going to talk about man-in-the-middle attacks on an IPv4 network using IPv6. I'm Scott Behrens. I work at Neohapsis and I'm an adjunct professor at DePaul University.
>> BRENT BANDELGAR: And I'm Brent Bandelgar. I also work with Neohapsis. We have to give the hats off to the principal at Neohapsis.
>> SCOTT BEHRENS: Well, we are going to touch on something that came out a few years ago, which is known as a SLAAC attack. We have systems like Windows Vista and Windows 7. Alec Waters developed a guide to exploit this fact. It's called a SLAAC attack. One of the observations we made when we were playing around in the lab, it was difficult to follow the steps he outlined. We ran into a lot of issues. What we did is we updated the attack to make it easier to use and a one-click-install sort of approach.
>> BRENT BANDELGAR: Right, and here we have our plain vanilla legacy network. It does only IPv4, it has DHCP, and there's no IPv6. We have Windows hosts and Windows 7. What Alec Waters put together is the evil router in the red. There's two nodes, the evil router and the evil DNS, that are intercepting traffic. They are doing ‑‑ they are running an IP version 6 network, which is in the blue, and then passing it through their packages and their DNS. Again, this is their own host and then it's resending that out over the IP version 4 network.
>> SCOTT BEHRENS: What this takes advantage of is those that advertise IPv6. Yes, I want to route over IPv6, and we take advantage of that fact and run them through our interface, for example.
>> BRENT BANDELGAR: And then back out to IPv4. Completely transparent to the user. Here's the guide presented by Alec Waters. It's not affected because it doesn't have an IPv6. We just got a copy on Windows 8. We couldn't get it to work properly.
>> SCOTT BEHRENS: It might be difficult to see in the next screenshot.
>> BRENT BANDELGAR: We have some IPv6 routers, but Windows 8 no longer sends the DNS server setting through SLAAC alone.
>> SCOTT BEHRENS: It tries to make a request and doesn't get a DNS and then falls back to IPv4, which is known as Happy Eyeballs, and we will touch on that later on in the presentation.
>> BRENT BANDELGAR: There are some other issues. First off, there's a lot of configuration files that you have to go through and edit. So these steps were very detailed, but there's still a lot of things to go through. A lot of IP addresses and ranges to keep track of, lots of flags to go through.
>> SCOTT BEHRENS: And it used a lot of old and deprecated packages. They said it was held together with string and sticky tape, and that's pretty parallel to what we experienced when we were playing with this in the lab. And, you know, because of that, we went back to the blog post and we are like, are we the only ones having problems getting this working? And we were reading through the forums: Duncan couldn't get it to work and Vox couldn't get it to compile. It was something that we thought could be an awesome weapon for penetration tests or things like that.
>> BRENT BANDELGAR: All right. To make that feasible ‑‑
>> SCOTT BEHRENS: Yeah, so what we decided we needed was...
>> BRENT BANDELGAR: It's up.
>> SCOTT BEHRENS: Check that out. I got that from freebanners.net. Automation domination, right?
>> BRENT BANDELGAR: Yeah. Oops.
>> SCOTT BEHRENS: And really what this does is it's one Bash script to rule them all. Coming up with the defaults for the configurations, removing all the old deprecated packages, we came up with the one-click install that takes care of all the dependencies and configures your host, and we made some adjustments so it does work on Windows 8. And it's been currently tested on LTS and we have tested on a variety of the Kali flavors, and you should be able to run the script and run all the man-in-the-middle things. Before you get started, you will need to know the interface of your attacker host that you want to run it on. And you will also need an extra IPv4 on the network you are attacking to do translation.
>> SCOTT BEHRENS: You want to test in your own isolated lab first. It's a relatively aggressive attack. You are basically going to route everything through your host. If you imagine doing this on a relatively flat network where you have 100, or 200, or n number of hosts, you will be routing a lot of traffic through your host. You have to be careful. We suggest you test it on a couple of hosts first. And another thing I wanted to mention, that might not have been totally clear in the slides, is that this attack only works on a local network. You know, you need to be on the same subnet as the victims that you are targeting.
>> BRENT BANDELGAR: All right. Let's go ahead and see how the installation looks. The reason we are showing you this is just because of how little time you actually ‑‑ how little time you actually need to get it running. Literally we invoked the command. And within a couple of minutes or less than a minute, it's going to pull down a number of packages, such as the standard BIND 9 server, the standard DHCP server, and that's pretty much everything you need to start setting up your IPv6 overlay network.
>> SCOTT BEHRENS: When we originally set this up, and before, you know, RTFM on BIND here, I ended up writing a DNS resolver to do a super hack job, and at the end of the day it was one line of work in BIND, so just a lesson to everybody. Please read your manuals. (Laughter)
>> BRENT BANDELGAR: Yeah. So it's ready.
>> SCOTT BEHRENS: Right. And so although it went relatively quick, one of the other things that the script really does is it prompts you for two points of input, and it has to be the interface that you are going to run the attack on. So here, although it scrolled pretty fast, the attacker specified 0, and you need to identify a free IP address on the network that you are targeting.
>> BRENT BANDELGAR: Right, and at the end it starts up all the relevant services and the kernel modules that you need.
>> SCOTT BEHRENS: It's not persistent. So, you know, once you have actually set this up, you will need to run the script again if you reboot your host or switch networks or something like that.
>> BRENT BANDELGAR: It's a two-line fix to make it persistent. If anybody is interested, we can talk later.
>> SCOTT BEHRENS: Yep.
>> BRENT BANDELGAR: So now we see what this looks like on the client side, on our own Windows 8 host. First off, we see that the ‑‑ it's received our IP version 6 addresses and the IPv6 DNS. That's paused. Unpause. We will fire up our Wireshark and load up Google in another window. We see it will be going over IPv6 on our configured prefix.
>> SCOTT BEHRENS: Right.
>> BRENT BANDELGAR: And then we pull up the flow to verify that that is our HTTP request.
>> SCOTT BEHRENS: Right. Cool.
>> BRENT BANDELGAR: All right.
>> SCOTT BEHRENS: So, yeah, we can see that the traffic, you know, transparent to the victim, all the traffic is running over IPv6.
>> BRENT BANDELGAR: And this is what it looks like on the attacker side.
>> SCOTT BEHRENS: We have the attacker. He's run the one-click install on Kali and is waiting for that request to happen. We see the request come in, and at this point now we are kind of seeing a combination of the IPv6 traffic, and we're also seeing us do the translation back to IPv4 so we can actually get out of the network, right? We are taking advantage of the fact that we don't have a full IPv6 tunnel out to the Internet here.
>> BRENT BANDELGAR: That was the IPv6 request coming in from the client.
>> SCOTT BEHRENS: And now we can see the victim's traffic; we have the headers there and some of the cookies and the data as well.
>> BRENT BANDELGAR: And that's being retransmitted out over IPv4.
>> SCOTT BEHRENS: So basically, in the span of very quick, you are man-in-the-middling your victim's traffic over clear text. (Applause)
>> BRENT BANDELGAR: Thank you. Yeah.
>> SCOTT BEHRENS: So, yeah, we really think the main focus is to improve the efficiency and, you know, it went from spending quite a bit of time in the lab to get it to work, and now it's two variables and about a minute of configuration time. (Applause)
>> BRENT BANDELGAR: All right. Unfortunately not all is rosy in IPv6 land. We do have a couple of issues with the attack as it is.
>> SCOTT BEHRENS: Yeah, and the hugest one is disabling IPv6 by policy. So if, you know, you are in an organization that has it turned off, this attack just simply is not going to work. And in general, you know, one of the things that's kind of nice about this attack: any time you set up a new Windows host, it has this turned on. So unless it's explicitly turned off, you will have a good chance that you have hosts that have IPv6 enabled. One of the other things that we have to be on the lookout for are IPv6 network defenses. And these are specified in RFC 6105. There's also a guide that Cisco put out that talks about how to kind of protect against first-hop sorts of attacks, and they have a technology called RA Guard, router advertisement guard. Basically, when we send out that router advertisement packet, that guard blocks that packet from hitting the other ports on the switch.
>> BRENT BANDELGAR: And some of the other issues we have run into in the lab is different operating systems will implement RFC 6555 differently, which specifies that it rolls back to IPv4 if the IPv6 is not coming back fast enough.
>> SCOTT BEHRENS: It's interesting. The Happy Eyeballs effect on Ubuntu is different on Linux, and there's room to figure out what those conditions are that actually trigger that fallback, and unfortunately when the fallback happens it seems to then just prefer IPv4. If you are on a relatively latent network or your routing is latent for whatever reason and the hosts drop back to IPv4, there's a good chance that they will not actually route through your host again. So once again, we kind of suggest if you are going to run this attack on a production network or something, that you have some pretty ‑‑ you know, have good network connectivity. Don't be doing this over a latent wireless network or something like that.
>> BRENT BANDELGAR: Yep. Another issue that we are getting into is different operating systems will prefer ‑‑ will query their DNS servers in different orders. Sometimes they query the IPv4 servers first, so we miss out on translating the IPv6 through our server.
>> SCOTT BEHRENS: Yeah, there's room for improvement. We think one of the biggest things is to actually specify the target scope. Right now, it snags the whole subnet, and that's a little noisy. If you are on a pen test and you are just targeting a specific server, you really don't want to route everything, and so that's definitely something that we are going to try to work out here. We will also automate some basic network reconnaissance. That's just one less step that someone could either mess up, or it makes it easier for everybody.
>> BRENT BANDELGAR: We'd like to figure out if there's IPv6 countermeasures implemented on a network. For example, being able to send out a router advertisement and then just waiting a specified time, and if nothing comes back, we can probably assume that there's nothing ‑‑ that our stuff is being blocked.
>> SCOTT BEHRENS: Yeah, that they have a protection enabled, correct.
>> BRENT BANDELGAR: We would like to be able to automatically configure IP version 6 to look at v6 connectivity, and the reason for that is sometimes clients will receive a quad A ‑‑ a legitimate quad A IPv6 address, and they will not be able to connect back to that site. And so they will ‑‑ the Happy Eyeballs will kick in and they fall back. So we would like for that to be as easy as possible as well.
>> SCOTT BEHRENS: Right, exactly.
>> BRENT BANDELGAR: Another thing we would like to automate is leveraging the IPv6 hacker tools. There are a number of tools in there. There's a tool that will listen for the router advertisement responses, and they will just ‑‑ this basically will display the list of IPv6 addresses getting handed out and MAC addresses, and you can see which clients are being added on to the overlay network.
>> SCOTT BEHRENS: It gives you a little bit more metrics and gives you a better clue on actually what's going on with the attack. And we would also like to see this expanded to more platforms. We looked at the mobile stuff, but IPv6 didn't seem to be there, right, on Android.
>> BRENT BANDELGAR: No, Android is there. And iOS, they are in linear order and so their DNS servers will always go first.
>> SCOTT BEHRENS: And so we ran into some issues with that. I think there's more research that could be done to figure out how do we get this across a broader array of operating systems.
>> BRENT BANDELGAR: And, of course, we would like to get this ported to other attackers as well to suit people's needs and preferences.
>> SCOTT BEHRENS: Right.
>> BRENT BANDELGAR: All right. So here's how you can help.
>> SCOTT BEHRENS: Go ahead and pull it off of here. There's one other ‑‑ we love people to help. So if you have ideas or have been working with similar stuff, feel free to fork the project and submit a pull request. We will be happy to add whatever you guys come up with. And one other note, be careful on running this on production networks. It's a pretty kind of aggressive attack. Test it out in your lab first before you totally blow it out of the water on somebody's network, right?
>> BRENT BANDELGAR: All right. With that ‑‑
>> SCOTT BEHRENS: Well, thank you, guys. (Applause)