
Thank you for coming here today. We know it's been a long day of very cool presentations, so we'll try not to tire you too much. I'm Dimitris Karapostas, and this is Gregory. We are members of the Cryptographic and Security Lab of the University of Athens. As part of our work there, we implemented an attack on IPv6. In particular, while working there, we were trying to do some basic sniffing and injection for IPv6 sites. So we were working on some other stuff, and we just looked around and tried to find a tool that could easily be used in order to inject some stuff, some JavaScript code, on plaintext HTTP IPv6 websites. So we tried to find something; we couldn't find any tool that did this easily, and there wasn't any production-grade framework that we could use in order to do sniffing and injection in IPv6. So we decided to do it ourselves.

In order to do this, we patched bettercap, which is a framework for IPv4 man-in-the-middling. So we patched bettercap and the underlying library in order to be able to do both IPv4 and IPv6 monitoring and testing. At this point bettercap is the only production-grade framework that can easily do these kinds of tasks. In this talk, we will first describe how IPv6 works, what the addresses in IPv6 are, what the Neighbor Discovery Protocol is and how we use it in order to perform the attacks that we want, and the man-in-the-middle in particular. Then we'll describe how this spoofing works, how we can make the victim send us its traffic. And in the end we'll show you how we patched bettercap, what we need to do next, and we'll show you a demo of it.

But first of all, let me say why we decided to do this thing in IPv6 and why we care about it. Even here we discovered that we have an IPv6 network. So why would we want to do this? Let me show you some statistics. So here you can see the Google statistics about IPv6 usage over the years. So it is clear that the trend is that IPv6 is being used more in networks. In particular, the most interesting part is the per-country adoption. So we can see here that although developing countries, like Africa, don't actually use IPv6 almost at all, the US, or in Europe Germany or Belgium, or Greece for that part, have actually incorporated IPv6 at about 20 or 30%. So it is obvious that although at this point IPv6 is not the norm, in a few years it probably will be. This is also because IPv4 addresses are becoming very rare.

And the other factor is the security of the web. So we can see here the usage of HTTPS on the web. So we can see now that at this point a little more than half of the web traffic is encrypted, right? So these two developments, IPv6 and HTTPS, did not go hand in hand, unfortunately. So we were not sure at this point that when IPv6 comes, traffic will also be encrypted. And if that... So, if traffic is not encrypted in IPv6, we need to have some tools in order to demonstrate how easy the attacks on plaintext IPv6 websites are, and incentivize people to switch to HTTPS. So our incentive was exactly that: to create a tool that could easily implement these attacks in IPv6, which didn't exist up to now. So, where do we go next? Under "Attacks" and "Defeats".

You already know that IPv4 attacks are done through ARP. In IPv6, we discovered that... I'm going to show you that Neighbor Discovery is also where the attacks come from. So, let's cover some basic stuff about IPv6. How many of you know that? Most of you know that IPv6 addresses exist too. They are separated by colons, and consecutive groups of zeros may be replaced by two consecutive colons. Here is a perfect example of an address. And they are divided into three main categories. The first one is the global unicast address, which is similar to an IPv4 public address. It is used for communication. They are acquired by DHCPv6, SLAAC and static configuration, the usual stuff. The second one is the unique local address. It's not that important. Originally, site-local was the term in the RFC, but it was kind of insufficient, so they had to deprecate it. But now it is actually used in private networks. So, the third one, the last one, and the most important, is the link-local address. The link-local address is not unique outside of the local network, as you can expect. It is constructed using the MAC address plus a prefix. This is an example of this. And as you can see, the prefix is fe80. That's the standard prefix.

So we continue with the Neighbor Discovery Protocol. The Neighbor Discovery Protocol operates and is responsible for address configuration, for router discovery, duplicate address detection and address resolution. The Neighbor Discovery Protocol is basically an RFC, and it's responsible for everything that ARP is used to do in IPv4. This protocol introduces 5 new types of ICMP messages, which are the messages used in order to do everything in the LAN. These types are: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement and Redirect. As you can see, the first 4 types are pairs, which means that for every solicitation, where a solicitation requests something from another node, the advertisement is the response to that request. The first two types of packets are used by the host in order to retrieve some data-link information about the routers, and the routers on their side respond with an advertisement. The next two packets are the most important: when a node needs to ask for the MAC address of another node, it sends that message, and the node has to respond with the pair of IPv6 address and MAC address. And the Redirect packet is used when you want the host to... So, as you already see, when we need to find a MAC address and we already know what type of address we use, a Neighbor Solicitation message is sent, and the host then responds with a Neighbor Advertisement. That's how we retrieve the pair of IPv6 address and MAC address of the node. And this is a Neighbor Advertisement packet: we can define the type, the target address. So let's go into the actual part, the man-in-the-middle attack.

We are going to explore some key aspects of the neighbor cache, which is used by a host that uses IPv6 in order to store IPv6 addresses and MAC data. So every entry in that cache has some states, as you can see here. There is an entry for an IPv6 address with a MAC, and it is REACHABLE. It means that if the host needs to forward traffic, it is going to send packets to this address and that MAC. Cache states. We need to use the cache states in order to exploit the fact that... when we perform the spoofing. Yeah, okay, so at this point we have seen how the cache works, we have seen how the protocol works, and what we want to do is the actual spoofing.

So, when trying to do the spoofing, there are two assumptions, well, two problems actually, with NDP that we exploit in order to do the attack. The first assumption is that the router can't identify itself: a node in the network cannot know, if a packet comes that says "I come from the router", whether this packet actually came from an actual router. So the router can't identify itself to a node in the network. The second problem is that, in the pairs we saw before, the Neighbor Advertisement and the Neighbor Solicitation, you would expect that if a node receives a Neighbor Solicitation, then an advertisement would have happened sometime before, so this would be the answer to the advertisement. But the node doesn't actually check if an advertisement occurred before. So we, as the attacker, do the obvious thing: we send a Neighbor Advertisement to the node. So in this advertisement we say that we are the router, and we tell the node to overwrite its cache and change the default gateway to ourselves. It is the general technique that is used in ARP as well, with some very minor changes. So at this point we pretend that we are the router, the node actually does change its cache because of the two problems that I described before, and at this point it will send all its traffic to us. And at the technical level of ICMPv6, all this is implemented by enabling the R, S, O bits, the three bits that we showed, oh yeah, these three bits. So by enabling these three bits in the packet we say: the R bit means that we are the router, although of course we aren't, but the node can't know this. The S means that it is a response to an advertisement, which it isn't, but again the router doesn't, the node doesn't check this. And the third bit is to override its cache entry, which it does, and that way it changes its cache entry, and the gateway for this node at this point is our computer.

Alright, so after this we have managed to make ourselves a reachable gateway for the node and... okay, so yeah, this is the state that I described. So at this point we are a REACHABLE gateway, like we showed before. The node, the victim in the network, will think we are the gateway and will send all its traffic to us.

The management, we... well, our job is actually kind of easy. So at this point all the traffic comes to our network interface. So we just grab the traffic and then we can do all we want. We can sniff it, we can do some injections. We also change the firewall rules in ip6tables, the iptables program for IPv6, in order to ignore some redirect messages; these are some messages that would break our demo. And in order to send all the victim's traffic to our HTTP proxy, so that way you can view it and change it. This is actually what we changed in the bettercap framework in order to make this attack possible for IPv6.

So we have a Wireshark capture here. So this is actually the actual spoofing, right? The first packets: we can see that a node has come to the network. So we can see here that the node comes, it makes some advertisements, right? So it makes a Router Solicitation; it doesn't have any entry for the router, so it tries to find the router. This is the legitimate part; basically there is communication with the network, right? So it makes the solicitation, it gets the advertisement, it has the router, it does some other communication in order to establish the connection with the network, right? And up to this point here. So at this point the node is actually in the network; it is legitimately able to browse the internet, the web, etc. At this point we begin our attack. So we send these Neighbor Advertisement packets every second, as you can see here. So this is the actual spoofing. The victim at this point will see all these packets, and because we are flooding it with these packets that have the R, S, O bits enabled, it will eventually change its cache and its gateway, and that's it.

After that, we can do anything we want. So we can... Alright, so now we are the man in the middle. And what we changed, our actual work, was to patch two open source frameworks. The first one was PacketFu, which is a Ruby library for packet manipulation, and specifically what we did was add support for Neighbor Discovery in order to construct these messages that we needed to spoof the victims. And the second part was bettercap, in order to use the new library, to gather all the traffic, and to be able to decode the IPv6 packets and do all the stuff that it does for IPv4, like injection, sniffing and all that stuff. And so at this point, bettercap, you can actually install it, and it is the only production-grade framework that actually does injection and sniffing attacks for both IPv4 and IPv6. And, okay, we have it done.

So we're going to show you, unfortunately... So as you can see here, these are two separate computers. This is the IPv6 address of the target host, which is on the right. We use some other parameters. And the important thing here is that we pass, and we pass the k.js, which is the JavaScript code for the injected script. So the attack progresses: we get the MAC address of the victim and then we start to initialize the attack. We get the code and then we deploy a proxy in order to gather the traffic from the victim. We start spoofing the victim with our MAC address. So here, you can see here, the important part starts, and we start to spoof the victim with our MAC address and IPv6 address, so the victim thinks that we are the router. So as you can see here, it opens an IPv6 page that is not encrypted, so our JavaScript code is injected, and as you can see here it opens the page and there it is. That's it. And as you can see, the code was injected successfully. And here is the Wireshark capture we recorded during the attack. And this is the traffic of the victim. As you can see, there are IPv6 addresses, and this is the history.

So, as you can see here, this is the page, and as you can see here, this is our injected "go" message. Okay, so this... Okay, so yeah, so...
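The two NDP weaknesses the speakers rely on, a node accepting a Neighbor Advertisement with the S bit set even though it never sent a solicitation, and accepting R plus O from anyone who claims to be the router, are also what a defender can watch for on the link. The following is an added example written for this transcript from the defender's side; it is not code from the talk, from bettercap or from PacketFu. It parses the ICMPv6 body of Neighbor Solicitation and Neighbor Advertisement messages per RFC 4861 and flags advertisements that a stock host would accept unchecked. It assumes a single-router link, and the gateway address fe80::1, the three MAC addresses and the message bytes it feeds the parser are all constructed for the example rather than taken from a capture.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional

NEIGHBOR_SOLICITATION = 135     # ICMPv6 type values from RFC 4861
NEIGHBOR_ADVERTISEMENT = 136
OPT_SOURCE_LLADDR = 1           # NDP option types
OPT_TARGET_LLADDR = 2
FLAG_R = 0x80000000             # R, S, O bits of the NA flags word
FLAG_S = 0x40000000
FLAG_O = 0x20000000


@dataclass
class NdpMessage:
    msg_type: int
    router: bool
    solicited: bool
    override: bool
    target: IPv6Address
    lladdr: Optional[bytes]     # MAC from the link-layer address option, if present


def parse_ndp(payload: bytes) -> Optional[NdpMessage]:
    """Parse the ICMPv6 body of an NS or NA (IPv6 header already stripped).
    Other ICMPv6 types return None; malformed input raises ValueError so the
    caller drops the message, as RFC 4861 requires."""
    if len(payload) < 24:
        raise ValueError("NDP message shorter than the fixed 24-byte header")
    msg_type, _code, _checksum, flags = struct.unpack("!BBHI", payload[:8])
    if msg_type not in (NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT):
        return None
    target = IPv6Address(payload[8:24])
    wanted = OPT_TARGET_LLADDR if msg_type == NEIGHBOR_ADVERTISEMENT else OPT_SOURCE_LLADDR
    lladdr, off = None, 24
    while off < len(payload):                     # options are TLVs, length in 8-byte units
        if off + 2 > len(payload):
            raise ValueError("truncated NDP option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length NDP option")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("NDP option runs past the end of the message")
        if opt_type == wanted and opt_len == 1:   # 2-byte header + 6-byte Ethernet MAC
            lladdr = payload[off + 2:off + 8]
        off = end
    is_na = msg_type == NEIGHBOR_ADVERTISEMENT    # the flags word is reserved in an NS
    return NdpMessage(msg_type, is_na and bool(flags & FLAG_R),
                      is_na and bool(flags & FLAG_S), is_na and bool(flags & FLAG_O),
                      target, lladdr)


def _mac(b: Optional[bytes]) -> str:
    return b.hex(":") if b else "<none>"


class NdpMonitor:
    """Passive detector for one host on a single-router link: remembers which
    targets this host solicited and the gateway's known MAC, and reports the
    advertisements the talk shows a stock host accepting without any check."""

    def __init__(self, gateway: IPv6Address, gateway_mac: bytes):
        self.gateway = gateway
        self.cache = {gateway: gateway_mac}       # IPv6 -> MAC bindings we trust
        self.outstanding = set()                  # targets with an NS sent and no NA yet

    def observe(self, payload: bytes) -> list:
        msg, alerts = parse_ndp(payload), []
        if msg is None:
            return alerts
        if msg.msg_type == NEIGHBOR_SOLICITATION:
            self.outstanding.add(msg.target)
            return alerts
        known = self.cache.get(msg.target)
        # 1. S claims this answers our solicitation, but none is outstanding.
        if msg.solicited and msg.target not in self.outstanding:
            alerts.append(f"NA for {msg.target} has S set but nothing was solicited")
        # 2. R claims router role from a MAC that is not the known gateway.
        if msg.router and msg.lladdr is not None and msg.lladdr != self.cache[self.gateway]:
            alerts.append(f"NA from {_mac(msg.lladdr)} claims to be a router")
        # 3. O would silently rewrite a binding we already hold.
        if msg.override and known is not None and msg.lladdr is not None and msg.lladdr != known:
            alerts.append(f"NA would override {msg.target}: {_mac(known)} -> {_mac(msg.lladdr)}")
        if not alerts and msg.lladdr is not None:
            self.cache[msg.target] = msg.lladdr   # learn only from advertisements that pass
        self.outstanding.discard(msg.target)
        return alerts


def _ndp_fixture(msg_type: int, flags: int, target: IPv6Address, opt_type: int, mac: bytes) -> bytes:
    """Constructed test input laid out like an RFC 4861 NS/NA body; the checksum
    is left zero because these bytes only ever reach parse_ndp."""
    return struct.pack("!BBHI", msg_type, 0, 0, flags) + target.packed + bytes([opt_type, 1]) + mac


GATEWAY = IPv6Address("fe80::1")                  # constructed link-local router address
GATEWAY_MAC = bytes.fromhex("00163e000001")       # constructed
HOST_MAC = bytes.fromhex("001122334455")          # constructed
ROGUE_MAC = bytes.fromhex("0800270000ff")         # constructed


def run_scenario() -> dict:
    """Replay the talk's sequence: a normal NS/NA exchange with the real router,
    then an unsolicited NA for the gateway with R, S, O set and another MAC."""
    mon = NdpMonitor(GATEWAY, GATEWAY_MAC)
    ns = _ndp_fixture(NEIGHBOR_SOLICITATION, 0, GATEWAY, OPT_SOURCE_LLADDR, HOST_MAC)
    real = _ndp_fixture(NEIGHBOR_ADVERTISEMENT, FLAG_R | FLAG_S | FLAG_O, GATEWAY, OPT_TARGET_LLADDR, GATEWAY_MAC)
    rogue = _ndp_fixture(NEIGHBOR_ADVERTISEMENT, FLAG_R | FLAG_S | FLAG_O, GATEWAY, OPT_TARGET_LLADDR, ROGUE_MAC)
    legit_alerts = mon.observe(ns) + mon.observe(real)
    rogue_alerts = mon.observe(rogue)
    return {"legit": legit_alerts, "rogue": rogue_alerts, "gateway_mac": mon.cache[GATEWAY]}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The legitimate exchange produces no alerts and the gateway binding stays on the real router's MAC; the unsolicited advertisement trips all three checks and is not learned. On a real link the payload would come from a raw ICMPv6 socket or a capture library, and the "single known gateway" assumption would have to be replaced with the router set learned from Router Advertisements.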