Dailydave mailing list archives

Re: SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability


From: "Adam Behnke" <adam () infosecinstitute com>
Date: Tue, 5 Apr 2011 13:17:23 -0500

I suggest you try to understand the actual production implementation of the attack, not just the theory. 

You may want to take a look at the pcap files we posted. 

To review:

1. When a SLAAC attack is in place, the target systems still do respond to DHCP on IPv4 as normal. Because Windows systems prefer IPv6 routes over IPv4, any Windows system can be easily captured in this MITM attack. 

2. SEMs, and other devices that are only configured to look at IPv4, won't see this parasitic IPv6 overlay. 

3. If you place a rogue IPv4 DHCP server, you will have a bunch of DHCP conflicts as the two DHCP servers battle it out over clients, as well as a number of alerts on the client workstations and IP addressing errors. The SLAAC attack != planting another DHCP server on the network. 

4. Many secure DMZ and systems on the SIPRNET have defenses in place for ARP spoofing. Example: one of the major responses to the Heartland Systems credit card breach was to implement ARP spoofing protections in PCI requirements. See: http://en.wikipedia.org/wiki/Albert_Gonzalez

5. The SLAAC attack works against systems protected against ARP spoofing.

In summary, this is the next generation of MITM attacks, for when ARP spoofing is not available or is too detectable. 

We chose a bad title calling it a 0day, agreed. We should have just termed it an "implementation of a known theoretical attack, etc."



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
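Detection logic for the rogue Router Advertisements the SLAAC attack depends on, as an added example that is not part of the original post or of the poster's tooling: it parses Ethernet/IPv6/ICMPv6 RA frames (the traffic an IPv4-only SEM never inspects, per point 2) and flags RAs from an unexpected source, RAs with a bad hop limit, and RAs advertising a prefix the segment is not supposed to carry. The trusted router MAC, the expected prefix and the in-memory fixture frames are constructed assumptions.

```python
import struct

# Constructed allow-lists (assumptions): the link-layer address of the router that
# should advertise on this segment, and the prefix it should advertise.
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:01"}
EXPECTED_PREFIXES = {("20010db8000000000000000000000000", 64)}   # 2001:db8::/64

ETHERTYPE_IPV6, NEXT_HEADER_ICMPV6, ICMPV6_ROUTER_ADVERTISEMENT = 0x86DD, 58, 134

def parse_ra(frame: bytes):
    """Return the interesting fields of an Ethernet/IPv6 Router Advertisement, else None."""
    if len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6, icmp = frame[14:54], frame[54:]
    if ip6[6] != NEXT_HEADER_ICMPV6 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    prefixes, off = [], 16                       # 16-byte RA header, then TLV options
    while off + 8 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]   # olen is in 8-octet units; 0 is invalid
        if olen == 0:
            break
        if otype == 3 and olen == 4:             # Prefix Information option (RFC 4861 4.6.2)
            prefixes.append((icmp[off + 16:off + 32].hex(), icmp[off + 2]))
        off += olen * 8
    return {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]), "hop_limit": ip6[7],
            "router_lifetime": struct.unpack("!H", icmp[6:8])[0], "prefixes": prefixes}

def check_ra(frame: bytes):
    """Findings for one frame: [] means the RA looks legitimate, None means not an RA."""
    ra = parse_ra(frame)
    if ra is None:
        return None
    findings = []
    if ra["src_mac"] not in TRUSTED_ROUTER_MACS:
        findings.append("ra-from-untrusted-source")
    if ra["hop_limit"] != 255:                   # RFC 4861: RAs must arrive with hop limit 255
        findings.append("bad-hop-limit")
    if any(p not in EXPECTED_PREFIXES for p in ra["prefixes"]):
        findings.append("unexpected-prefix")     # a new on-link prefix is the "parasitic" overlay
    return findings

def build_test_ra(src_mac: str, prefix_hex: str, hop_limit: int = 255) -> bytes:
    """Constructed fixture only: an in-memory RA frame (checksum zero, never put on the wire)."""
    opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0) + bytes.fromhex(prefix_hex)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt   # router lifetime 1800
    src_ip, dst_ip = b"\xfe\x80" + bytes(14), b"\xff\x02" + bytes(13) + b"\x01"  # fe80:: -> ff02::1
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit) + src_ip + dst_ip
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip6 + icmp
```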
