Thursday 13 March 2014

SLAAC Testing revisited

A few weeks ago I made a post about the SLAAC attack and how you could test it. That post was written before the actual testing began and was more of a theoretical look at possible ways to set it up than an efficient way to test it. In this blog post I will revisit the testing part of my last post, since there is a bit more to testing it "for real" than in theory.

Testing Topology

Since the SLAAC attack is a MITM kind of attack, the best way for us to test it is with a router connected to the internet (a pfSense router in our case), connected to a switch, with an attacker and, in my case, a Windows client and a Linux client, to see if there are any differences between them.


Setup of hosts/attackers

The victim hosts and the router should only distribute IPv4 addresses, but you must not disable IPv6 traffic on either of them. This is because the attack assumes an unknowing (or poorly trained) IT admin who set up good IPv4 protection but neither disabled IPv6 nor added IPv6 security to his network. If we disabled IPv6 traffic, the purpose of this test would be defeated, since the attack would no longer work.

The attacker is another story. First of all, do not forget to enable IPv6 forwarding on the attacker: since you are spoofing yourself as a router, failing to enable this will cause the attacker to be flooded with traffic it has no way to forward, which results in a DoS of your own system. Second, for ease of preparation, even if only for the installation, connect to the internet. The tool we will be using downloads, installs and configures multiple packages at once to make the testing easier. If, like me, you do not have an internet connection (e.g. working through a VM on a company network), you will have to download all those packages (and their dependencies) manually and install them. The script still configures them for you, so that part is handled, but many things can go wrong when installing all the packages by hand, and it is not recommended (when I did receive an account capable of reaching the internet through my VM, I just restarted from my last snapshot and let the script install them, with no problems).

The script is called SuddenSix, by Neohapsis Labs. It is free to download from their GitHub (google it). It is easy to use (no ./configure, make, make install needed): just go to the directory where the script is stored and type:

./suddensix.sh

That is all! If it is your first time using it, it will now begin installing all the needed packages: the WIDE DHCP server, bind9, radvd, sipcalc, tayga and their dependencies. After that you only need to give the interface from which you send the attack and a free IPv4 address in the victim network. Here is a screenshot of the commands you should see:


After this, the script will set everything up, configure it correctly and give the hosts connected to the network an IPv6 address. This is a Debian client and a Vista client before the attack:


And after the attack is started:



As you can clearly see, both the Vista and the Debian client received an IPv6 address; what's more, you can also see that the default gateway is set to the link-local address of our attacker host. Now we know the victims are in "our" IPv6 network. If you are connected to the internet you can see the MITM attack in action.

Here I will show some examples of capturing a TCP stream over our IPv6 network while visiting IPv4 websites (and their login info).

First of all, a login to an insecure page (plain HTTP, no HTTPS) from our Vista client:


Then on the attacker you can capture the traffic routed through our interface (note that when a website is queried by the victim, the request is sent from its IPv6 address, in this case in 2001:db8:1:0::/64, and is then routed through the IPv4 internet to reach the site):


And the capture of my login attempt: you can see the username and password with which I tried to log in.


You can clearly see my login credentials sniffed from our victim host, which immediately shows the danger, since this was just a normal IPv4 network that has been breached via IPv6.
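The victims above ended up in the attacker's network because they accepted the Router Advertisements that radvd (one of the packages the script installs) sends out. As an added example, not part of the original post or of the SuddenSix project, here is a small Python parser for ICMPv6 Router Advertisements plus a check that flags any RA advertising a default router or an autoconfiguration prefix from a source that is not on an allow-list of known routers; on a network meant to be IPv4-only the allow-list is empty, so every such RA is an alert. The sample RA bytes and the source address fe80::1 are constructed for this example; the prefix 2001:db8:1::/64 is the one seen in the capture above.

```python
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type for RA (RFC 4861)
OPT_PREFIX_INFORMATION = 3          # RA option carrying SLAAC prefixes

# Constructed sample: the ICMPv6 payload of one RA as a rogue radvd would send it
# (checksum zeroed): router lifetime 1800 s, Prefix Information 2001:db8:1::/64, L+A set.
SAMPLE_RA = bytes.fromhex(
    "8600 0000 40 00 0708 00000000 00000000"   # type 134, hop limit 64, M/O flags clear
    "03 04 40 c0 ffffffff ffffffff 00000000"   # PIO: /64, L|A flags, infinite lifetimes
    "20010db8 00010000 00000000 00000000"      # prefix 2001:db8:1::
)

def parse_router_advertisement(payload: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement into a dict."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    flags = payload[5]                                        # byte 4 is cur hop limit
    router_lifetime = int.from_bytes(payload[6:8], "big")     # seconds, 0 = not a default router
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "prefixes": []}
    off = 16  # options follow the 16-byte fixed header
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(payload):
            raise ValueError("malformed RA option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 32:
            plen, pflags = payload[off + 2], payload[off + 3]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            # A flag (0x40): hosts may autoconfigure an address from this prefix (SLAAC)
            ra["prefixes"].append((f"{prefix}/{plen}", bool(pflags & 0x40)))
        off += opt_len
    return ra

def check_router_advertisement(src: str, ra: dict, allowed_routers: set) -> list:
    """Alerts for an RA whose link-local source is not on the allow-list of real routers."""
    alerts = []
    if src in allowed_routers:
        return alerts
    if ra["router_lifetime"] > 0:  # non-zero lifetime = "use me as default gateway"
        alerts.append(f"unexpected default router advertised by {src}")
    for prefix, autonomous in ra["prefixes"]:
        if autonomous:
            alerts.append(f"SLAAC prefix {prefix} pushed by {src}")
    return alerts

if __name__ == "__main__":
    ra = parse_router_advertisement(SAMPLE_RA)
    for alert in check_router_advertisement("fe80::1", ra, set()):
        print("ALERT:", alert)
```

In practice the RA payloads would come from a capture on the switch or from the IPv6 hosts themselves; the same check also covers the "RA from a second, unknown router" case on a network that does run IPv6.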

Conclusion

A powerful attack that, when launched, can have devastating results if not protected against correctly. Of course, the drawback of this attack is that you have to be inside the victim's local network to pull it off. But still, with so many public places giving out free WiFi, if unprotected against IPv6, this attack could listen to the traffic of an entire restaurant, etc.

References:

http://resources.infosecinstitute.com/slaac-attack-/

http://tools.ietf.org/html/rfc4966

http://www.informationweek.com/security/vulnerabilities-and-threats/windows-ipv4-networks-vulnerable-to-ipv6-attack/d/d-id/1097153?

http://labs.neohapsis.com/2013/07/30/picking-up-the-slaac-with-sudden-six/
