Security Basics mailing list archives
Testing IPv6 Rogue Router Advertisements
From: André Gasser <andre.gasser () gmx ch>
Date: Thu, 16 Aug 2012 00:07:59 +0200
Hello all,

I'm currently doing some tests using fake_router6 from the THC IPv6 Attack Suite [1]. But I face some problems establishing a full MITM situation. Has anybody done such tests him/herself? If yes, I would be glad to get some inputs. Please find below some information on my testing scenario.

Test environment:
-----------------
I use a Cisco 3750G device using the latest Cisco IOS 12.2(55)SE6. Directly attached to this router are two links:

The Router:
- Has two links directly attached.
  - Link1: Prefix fc00:0:0:1::/64
  - Link2: Prefix fc00:0:0:2::/64
- Has a static IPv6 address for each link:
  - Link1: fc00:0:0:1::1
  - Link2: fc00:0:0:2::1
- Announces prefix fc00:0:0:2::/64 to Link1 to enable SLAAC on that link.
- Link1 runs the following machines:
  - Windows Server 2008 using static IP
- Link2 runs the following machines:
  - Windows 7 Professional (the victim, using SLAAC)
  - BackTrack 5 R3 (the attacker, using SLAAC)

What I want to test / verify:
-----------------------------
Using BackTrack 5 I want to establish a MITM situation in which the BackTrack host establishes itself as an additional hop between the Windows 7 client and the Windows Server 2008 machine.

Where is the problem?
---------------------
I am able to get the traffic routed through BackTrack. BackTrack forwards the packet to the legitimate router and it successfully reaches its target, the Windows Server 2008. But then, the response packet does not pass the BackTrack machine; instead it is directly forwarded to the Windows 7 host by the legitimate router. This means I am only able to MITM on outgoing traffic, coming from Windows 7. I'm by no means a routing expert, but as far as I understand, the legitimate router processes the response packets correctly by forwarding them directly to the Windows 7 host, as it recognizes that the Windows 7 host is directly attached (by checking the prefix).
I call fake_router6 on BackTrack this way:

./fake_router6 eth0 2001:db8:bad:bad::/64

Unfortunately I failed at finding some detailed examples on conducting this attack. What I found is this (see [2]), but the author does not describe the setup in detail and the picture does not reveal all the interesting details.

My questions so far:
--------------------
- Can a full MITM scenario be achieved or is it really reduced to outgoing traffic (Windows 7 host to Windows Server 2008)?
- Can the same prefix as the legitimate router announces be announced using fake_router6? Since they differ in priority (medium, high), I think this should not be an issue.

I really appreciate some thoughts on this from you. Hopefully, my explanations were detailed enough to understand the issue.

Thank you so much.

Best regards,
André

[1] http://thc.org/thc-ipv6/
[2] http://keepingitclassless.net/2011/09/ipv6-hacking-thc-ipv6-part-2/
Current thread:
- Testing IPv6 Rogue Router Advertisements André Gasser (Aug 16)
- RE: Testing IPv6 Rogue Router Advertisements High, Richard (Aug 16)
- <Possible follow-ups>
- Re: RE: Testing IPv6 Rogue Router Advertisements cipherwar (Aug 16)