Security Basics mailing list archives

Testing IPv6 Rogue Router Advertisements


From: André Gasser <andre.gasser () gmx ch>
Date: Thu, 16 Aug 2012 00:07:59 +0200

Hello all,

I am currently doing some tests using fake_router6 from the THC IPv6
Attack Suite [1]. But I face some problems establishing a full MITM
situation. Has anybody done such tests him/herself? If yes, I would be
glad to get some inputs. Please find below some information on my
testing scenario.

Test environment:
-----------------
I use a Cisco 3750G device using the latest Cisco IOS 12.2(55)SE6.
Directly attached to this router are two links:

The Router:
  - Has two links directly attached.
      - Link1: Prefix fc00:0:0:1::/64
      - Link2: Prefix fc00:0:0:2::/64
  - Has a static IPv6 address for each link:
      - Link1: fc00:0:0:1::1
      - Link2: fc00:0:0:2::1
  - Announces prefix fc00:0:0:2::/64 to Link1 to enable
    SLAAC on that link.

  - Link1 runs the following machines:
      - Windows Server 2008 using static IP
  - Link2 runs the following machines:
      - Windows 7 Professional (the victim, using SLAAC)
      - BackTrack 5 R3 (the attacker, using SLAAC)

What I want to test / verify:
-----------------------------
Using BackTrack 5 I want to establish a MITM situation in which the
BackTrack host establishes itself as an additional hop between the
Windows 7 client and the Windows Server 2008 machine.

Where is the problem?
---------------------
I am able to get the traffic routed through BackTrack. BackTrack
forwards the packet to the legitimate router and it successfully reaches
its target, the Windows Server 2008. But then, the response packet does
not pass the BackTrack machine; instead it is directly forwarded to
the Windows 7 host by the legitimate router. This means I am only able
to MITM on outgoing traffic, coming from Windows 7. I'm by no means a
routing expert, but as far as I understand, the legitimate router
processes the response packets correctly by forwarding them directly to the
Windows 7 host, as it recognizes that the Windows 7 host is directly
attached (by checking the prefix).

I call fake_router6 on BackTrack this way:

  ./fake_router6 eth0 2001:db8:bad:bad::/64


Unfortunately I failed at finding some detailed examples on conducting
this attack. What I found is this (see [2]), but the author does not
describe the setup in detail and the picture does not reveal all the
interesting details.

My questions so far:
--------------------
- Can a full MITM scenario be achieved or is it really reduced to
  outgoing traffic (Windows 7 host to Windows Server 2008)?
- Can the same prefix that the legitimate router announces be announced
  using fake_router6? Since they differ in priority (medium, high), I
  think this should not be an issue.


I really appreciate some thoughts on this from you. Hopefully, my
explanations were detailed enough to understand the issue.

Thank you so much.

Best regards,
André



[1] http://thc.org/thc-ipv6/
[2] http://keepingitclassless.net/2011/09/ipv6-hacking-thc-ipv6-part-2/
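A defender-side check for the scenario described in the post, added here as an example (it is not part of the original thread, nor code from THC-IPv6): it parses an ICMPv6 Router Advertisement and its Prefix Information option, reads the RFC 4191 router preference bits the question refers to (medium vs. high), and flags RAs that do not come from the expected router, carry a "high" preference, or advertise a prefix other than the one the lab router should announce. The legitimate router's link-local address fe80::1 and the two sample packets are constructed assumptions.

```python
import ipaddress
import struct
# Constructed baseline for the lab in the post (assumptions): the only router
# that should send RAs on Link2 and the prefix it is expected to advertise.
LEGIT_ROUTER_LL = ipaddress.ip_address("fe80::1")
LEGIT_PREFIXES = {ipaddress.ip_network("fc00:0:0:2::/64")}
PREF_NAMES = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "reserved"}  # RFC 4191

def parse_ra(icmpv6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134) plus its
    Prefix Information options (type 3). The checksum is not verified."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack("!BH", icmpv6[5:8])  # flags byte, router lifetime
    prefixes, pos = [], 16
    while pos + 2 <= len(icmpv6):
        otype, olen = icmpv6[pos], icmpv6[pos + 1]
        if olen == 0:
            raise ValueError("malformed option (length 0)")  # RFC 4861 section 4.6
        opt = icmpv6[pos:pos + olen * 8]
        if otype == 3 and len(opt) == 32:
            addr = ipaddress.IPv6Address(opt[16:32])
            prefixes.append(ipaddress.ip_network(f"{addr}/{opt[2]}", strict=False))
        pos += olen * 8
    return {"preference": PREF_NAMES[(flags >> 3) & 0b11],  # Prf = bits 4-3
            "router_lifetime": lifetime, "prefixes": prefixes}

def check_ra(src: str, icmpv6: bytes) -> list:
    """Return findings for one RA seen on the monitored link (empty = as expected)."""
    ra = parse_ra(icmpv6)
    findings = []
    if ipaddress.ip_address(src) != LEGIT_ROUTER_LL:
        findings.append(f"RA from unexpected router {src}")
    if ra["preference"] == "high":
        findings.append("router preference 'high' (outranks the legitimate router's medium)")
    for p in ra["prefixes"]:
        if p not in LEGIT_PREFIXES:
            findings.append(f"unknown prefix advertised: {p}")
    return findings

def build_ra(pref: int, lifetime: int, prefix: str) -> bytes:
    """Constructed test RA for the checks above (checksum left zero; never sent)."""
    net = ipaddress.ip_network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, pref << 3, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + pio + net.network_address.packed

LEGIT_RA = build_ra(0b00, 1800, "fc00:0:0:2::/64")        # medium, the RFC 4191 default
ROGUE_RA = build_ra(0b01, 1800, "2001:db8:bad:bad::/64")  # the prefix used in the post
```

Feeding live traffic to check_ra() from a capture of ICMPv6 type 134 on the victim link gives an immediate alert the moment a second router appears, which is the kind of check RA Guard automates on switches that support it.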
