Well, hello, everybody. Good morning. Thank you for coming to this session about attacking Internet connections in IPv6 networks. I'm Chema Alonso. I'm from Spain. And this is the sixth year that I'm speaking here at DEF CON. And year after year, before delivering the talk, I've been trying to convince you to come to my country. How many of you have been to Spain in the last six years, please? Hands up. Hey, very well. Did you enjoy Spain? Yeah? Well, for the rest of you, I've been trying year after year to convince you, talking about the beaches, the parties, the beaches, the parties, the bullfighters and so on. And this year I'm going to try a different approach. So I'm going to try to convince you to visit my country by doing a quick summary of the history of Spain. The history of Spain in only one minute. Is it okay for you? Well, 2,000 years ago, Spain was a Roman country. In fact, some of the best Roman emperors were born in Spain, like Trajano and Adriano. And if you visit Spain, you can discover in the middle of the cities a lot of Roman monuments like this one in Segovia or this theater in Mérida. The whole country is full of these Roman monuments. Centuries after, Spain was a medieval country. And if you visit the country, you will find a lot of castles. Actually, there are hundreds and hundreds of castles. And you can visit all of them and you can even buy one if you have enough money, because some of them are for sale. It's true. It's not a joke. After that, Spain was an Arabic country, seven centuries as an Arabic country. And if you visit Spain, you will discover that there are a lot of mosques around the country, with beautiful monuments all over the country. And after that, Spain was an empire. Probably you know it. And since Spain was an empire, all the great artists wanted to work for the empire. So in Spain, there are a lot of museums with great artists' paintings like this. So are you going to visit Spain, please? Okay.
Well, we are not an empire anymore, as you probably know. So let's talk about FOCA. How many of you know FOCA? How many of you love FOCA? Well, today I'm going to talk about another FOCA. It's not the FOCA that you probably know. It's an Evil FOCA. And it's a FOCA based on hacking networks. The idea of this tool is that probably most users, at some time in their life, have tried a very dangerous command in their operating system, which is ipconfig. Have you ever tried this command? It's very dangerous and very difficult to understand this command because, well, as you can see, it's in Spanish, because Spanish is better. And as you can see, there is a special magic in the result, because if you ask any user that typed this command what the IP address is, all users are going to say 192.106.8.1 and so on. Nobody can see the IP address on top of the list. Have you seen that IP address? The big one? Yeah? Most users, when they realize that there is something on top of the IP address, do something like this. Well, the truth is that in all Windows operating systems, IPv6 is working by default. It's turned on. So if you go to test your network configuration, you can realize that IPv6 is turned on and by default it's configured like this. It's in Spanish, you know, but that means automatic configuration. That means that IPv6 is waiting to be configured to run on the machine. But it is working. And if you test the routing table, you can realize that you have the whole routing table for IPv6 installed on your computer. And even one of the most dangerous commands, the ping. Ping is working. So I'm going to do a demo, an easy one. I've got two machines. One of those is this blue one. The blue is the server. And as you can see, we have an IPv6 address and an IPv4. The IPv6 is fe80:: whatever. And the IPv4 is 192.168.10.1. And if we go to the client, to the other machine, which is the red one, and try to do a ping to the IPv4, well, 192.168.10.1.
It is working. If we try to discover the name of this server, we get that the name is share. If we try the IPv6 address, of course, it is working as well. And if we do something like ping the name, then magic occurs. Because by default, Windows tries to connect using IPv6. But probably all of you are aware of this. Is this true? Yeah. And you are taking care of IPv6 attacks, for sure. Well, that said, the idea of IPv6 is that in Windows machines both protocols are working at the same time. Depending on the configuration of your network, the machine is going to use IPv4 or IPv6. If you have an IPv4 network fully configured with a domain controller, with the DNS, and all the computers are in the DNS, and all of them are working with IPv4, then the network is going to work as an IPv4 network by default. But if you are in a local network connected with all the computers from different parts, they are not in the same DNS, they are not in the same domain controller, then IPv6 will appear a lot of the time. This is because in Windows Vista, Microsoft added this protocol, LLMNR (Link-Local Multicast Name Resolution), which is a protocol that tries to discover the IP address of a computer in the network. It is working only in the local network, in the local segment. And as you can see, it's trying to discover the IP address of the computer for any protocol. So it's trying to query the DNS for an A record, it's trying to query the DNS for an IPv6 record, it's trying to do a broadcast discovery, sorry, whatever. In the end, when LLMNR discovers the IP address of the destination server, if it's possible to connect using IPv6, then it's going to connect using IPv6. Once we have the IP address, we need the physical address. To discover the physical address in IPv4, we are using ARP, but ARP is not working in IPv6 anymore. So if you have a security solution to detect man-in-the-middle attacks with ARP, it's very good for IPv4, but not for IPv6.
Because in IPv6, we are using a different protocol, which is the Neighbor Discovery Protocol, based on two different messages, which are neighbor solicitation and neighbor advertisement. In the end, neighbor solicitation and neighbor advertisement are working the same way as ARP, but it's not ARP. That's important. We also have a table in which we connect the IPv6 address with the physical address. In IPv4 it is the ARP table, in IPv6 it is the neighbor table, and it's in your computer. You can query the table using that command. That said, how it works is like this. Someone is trying to discover the physical address of an IPv6 computer, then sends a message to ff02::, which is a multicast address, querying for the IPv6 address in which it's interested. In this case, this one. The computer with this IPv6 address, in this case this one, is going to answer with the physical address. It's very easy to understand. It's the same as ARP. That means performing a man-in-the-middle attack in this environment is very easy. We only need to send two packets, like in ARP. The idea is that we need to send a packet to one of the computers spoofing the IPv6 address of the other victim and then do the same with the other machine. Only two packets and we have the man-in-the-middle, like in ARP. So let's do a very easy demo, a quick demo. It's level one. Very easy to do and very easy to understand in this environment. But before doing it, you have to take into account that we are Spaniards, so we are lazy. We need tools for work. So we created Evil FOCA. In this demo, we have three machines. The blue one is the server. The red one is the victim, the client. And the black one is Evil FOCA. So we only need to do something like open Wireshark, open Evil FOCA. Yes. Then Evil FOCA discovers the network. Just drag, drag, click, and that's all. Okay? So if we go to Wireshark, if we go to Wireshark on this machine, we start to capture information, capture interfaces, and we do something very easy.
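The neighbor-table poisoning described above has the same defensive answer as ARP spoofing: watch the address-to-MAC bindings on the segment and alarm when one changes. The Python script below is an added example written for this page; it is not code from the talk or from Evil FOCA. It parses constructed Neighbor Advertisement summary lines (the `NA target=... lladdr=... override=...` format is an assumption, not any real tool's output), canonicalises the IPv6 addresses so the compressed and expanded forms of one target match, and flags bindings that flip, that violate a pinned gateway or server mapping, or that one MAC takes over for several addresses, which is what the two-packet man-in-the-middle between two victims looks like on the wire.

```python
"""Neighbor Discovery spoofing detector over constructed NA observations.

Added example for this page (not from the talk or Evil FOCA). The input
format is assumed: one Neighbor Advertisement per line, as a monitoring
probe or a periodic dump of the neighbor table might emit it.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a legitimate router (fe80::1) and client (fe80::10),
# then a third MAC advertising itself as both of them, then the router
# reasserting its real MAC.
SAMPLE_EVENTS = """\
10:00:01 NA target=fe80::1 lladdr=00:11:22:aa:bb:01 override=1
10:00:02 NA target=fe80::10 lladdr=00:11:22:aa:bb:10 override=0
10:00:03 NA target=FE80:0000:0000:0000:0000:0000:0000:0010 lladdr=00:11:22:AA:BB:10 override=0
10:00:05 NA target=fe80::1 lladdr=de:ad:be:ef:00:99 override=1
10:00:06 NA target=fe80::10 lladdr=de:ad:be:ef:00:99 override=1
10:00:07 NA target=fe80::1 lladdr=00:11:22:aa:bb:01 override=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+NA\s+target=(?P<target>\S+)\s+"
    r"lladdr=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+override=(?P<ovr>[01])$"
)


def parse_events(text):
    """Parse NA lines into (timestamp, canonical IPv6, lowercase MAC, override flag).

    Addresses are canonicalised so that fe80::10 and its fully expanded form
    are recognised as the same target; MACs are lowercased for the same reason.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines in a mixed log
        addr = ipaddress.IPv6Address(m["target"]).compressed
        events.append((m["ts"], addr, m["mac"].lower(), m["ovr"] == "1"))
    return events


def detect_nd_spoofing(events, known_bindings=None):
    """Return a list of alert dicts, in observation order.

    known_bindings: optional {ipv6: mac} for hosts whose binding must never
    change (default gateway, file server). Alert types:
      known_binding_violated - a pinned host advertised with another MAC
      binding_changed        - any address whose MAC differs from the last one seen
    """
    known = {ipaddress.IPv6Address(a).compressed: m.lower()
             for a, m in (known_bindings or {}).items()}
    last_seen = {}  # ipv6 -> MAC of the most recent advertisement
    alerts = []
    for ts, addr, mac, override in events:
        if addr in known and mac != known[addr]:
            alerts.append({"time": ts, "type": "known_binding_violated", "addr": addr,
                           "expected": known[addr], "seen": mac, "override": override})
        prev = last_seen.get(addr)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "type": "binding_changed", "addr": addr,
                           "old": prev, "new": mac, "override": override})
        last_seen[addr] = mac
    return alerts


def macs_poisoning_multiple(alerts):
    """MACs that took over more than one address: the signature of a MITM
    between two victims (two spoofed advertisements, one attacker MAC)."""
    taken = defaultdict(set)
    for a in alerts:
        if a["type"] == "binding_changed":
            taken[a["new"]].add(a["addr"])
    return sorted(mac for mac, addrs in taken.items() if len(addrs) > 1)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_nd_spoofing(evs, {"fe80::1": "00:11:22:aa:bb:01"}):
        print(alert)
    print("suspect MACs:", macs_poisoning_multiple(detect_nd_spoofing(evs)))
```

The `override` flag is carried through because a legitimate NIC replacement also produces one binding change, whereas a poisoning attempt typically arrives with override set and is followed by the real host reasserting itself (the flapping seen at 10:00:07). On the sample, pinning the router binding produces four alerts, and the takeover detector names the single MAC that claimed both addresses. Switch-side ND inspection or RA Guard stops the packets before they reach the hosts; this script is the host- or sensor-side view for when that is not available.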
Go to the client and from the client do slash, slash, server, connect to the server, open a document with my password, and then we go to the FOCA, the Evil FOCA, we only need to do follow TCP stream and that's it. We've got all the information and we can use find to search for the password. And here it is. Okay? Very easy to understand. Well, this is very easy. It's level one. I'm going to stop the server. I don't need the server anymore. And now we are going to get into level two. The idea of level two is, okay, we've got IPv6 in the network, but I want to be a man in the middle when the victim connects to the Internet, which is working in IPv4. And that's the challenge. Well, this is the demo that I did, just in case it didn't work. And the second demo is a SLAAC attack. Yesterday there was a talk about this. We released this tool in March. It's public, this tool, in March, with this attack. And the idea is quite simple. In IPv6, there are a lot of computers, there are big IP addresses, and it would be impossible for a system to manage all the routes on the network. I have 1,000 computers and 300 routers. It would be a mess. So the idea from the beginning is that you don't have to worry about the default gateway because we are going to create a protocol to configure the gateway on the computers. That protocol is SLAAC. That means stateless address autoconfiguration. And the idea is quite simple. When a computer with IPv6 needs to connect to the Internet, it asks for a router with a packet called router solicitation. And if there is a router in the network, it answers with the neighbor advertisement saying, hey, here's a router, here's a friend. After that, the computer automatically configures an IPv6 network that has connectivity with the router and configures the router as the default gateway. Very easy to do, very easy to understand. That protocol only configures the default gateway, but not the DNS. You need to configure the DNS. Not always.
You can also use a rogue DHCP to configure the DNS, but it's not completely necessary because in Windows machines, there is a special protocol, which is the DNS autodiscovery. So if your computer doesn't have any DNS configured, by default it uses these three IP addresses. That means that if someone configures that IP address in your network, it will be the DNS in your network. You need to take care of this IP address. So doing the attack is very easy because all web browsers are ready to work with IPv6. Well, this is Mozilla, which is ready for IPv6. In Google Chrome, it's deactivated. IPv6 is deactivated by default. So if the guy is using Google Chrome, you cannot do this attack. You can do the next one. Don't worry. And there are several situations in which IPv6 attacks are not working very well because Windows has a very special behavior. If you have IPv4 and IPv6 fully configured, I mean with the DNS and the default gateway, then Windows uses the DNS configured in the IPv4 protocol. It makes sense because in the end, the DNS is supposed to be only one copy in the whole Internet. So it doesn't matter if I'm connecting to the DNS using IPv4 or IPv6. And in Windows, they chose to use the IPv4 protocol to connect to the DNS. If you don't have IPv4 fully configured, for instance, if the DHCP is failing to give you the default gateway or the DNS, then if we configure IPv6, the computer is going to use IPv6. But in some cases, by default, it's searching for the DNS record of the IPv4 address. That means that if we want to create a special man in the middle using IPv6 between the client and the man in the middle, we need to reconstruct the answers to IPv6 records. And of course, if we've got IPv6 and IPv4 only in local link, sorry, I'm sick, fucking parties. And if we've got IPv6 and IPv4 with local link, then the DNS is going to be using IPv6 and it's going to be querying the DNS for the IPv6 address.
But it's very easy to change the behavior because if the client asks for a DNS query searching for an IPv4, you can respond with an IPv6 and everything goes well, so don't worry at all. So what is Evil FOCA doing in this attack? The idea is quite simple. Evil FOCA is going to be this guy using NAT64 and DNS64. The idea is that we are going to configure... We are going to configure this connection. We are going to send a SLAAC attack to configure this as the default gateway. Then it automatically is going to configure the DNS autodiscovery to connect to the Internet. And DNS autodiscovery is in IPv6, so we are in the middle. We are going to capture all DNS queries. So when it asks for an IPv4 URL, for instance, www.defcon.org, which is only working in IPv4, then that query is going to be sent to the default gateway. We are going to intercept the query. We are going to ask for the real IPv4 on the Internet. Then we are going to convert the IPv4 to an IPv6 address and give the IPv6 address to the client, and then the client is going to send the IPv6 query to the default gateway and we are going to translate the IPv6 to IPv4 and send it to the server and then get the answer, and then it's very easy to understand. But you know, we are Spaniards. So let's do the demo. The idea in the first demo, we only needed to send two packets, one for one victim and one for the other. In this example, we need to send a packet to configure the SLAAC attack and then we need to do all the translation. And in Evil FOCA, we need to do this. First of all, I'm going to spend a lot of money using my Spanish mobile phone, but I need an Internet connection. So, connect. Okay. Let's see if I have an Internet connection. Please, please, please. Okay. I've got an Internet connection. Then I've got the Evil FOCA. I've got the Evil FOCA and the victim. And I'm going to do something like open Evil FOCA. I'm going to the victim.
I'm going to reset the network adapter just in case something was started from the previous demo. That's all. And all that we need to do is something like go to Evil FOCA and then select SLAAC. Just click here and start. That's all. That's all. If we go to, if we try to do something like, this is in the host machine. This is the host machine. If I try to connect to the DNS and search for an IPv6 address for defcon.org, as you can see, there is not an IPv6 address for defcon.org. And if we go to the victim and we open the web browser and we search for www.google.com or defcon.org, everything is working. Google and DEF CON. And if we search for the IP address that we are using to connect to www.defcon.org, it's an IPv6, because we are changing the IPv4 to IPv6. And as you can see, we are browsing the Internet. Well, this is the demo just in case. Level three. This is level three. We have not published this version of Evil FOCA yet, but next week you will have this version available. And the idea is to use the web proxy auto-discovery protocol in IPv6. The idea is quite simple. Automatically, by default, all web browsers, Google Chrome, Internet Explorer, Mozilla Firefox, and so on, by default are searching for a web proxy. A web proxy to configure the Internet connection. To discover what the web proxy is, they are searching for a special record in the DNS, which is web proxy auto-discovery, WPAD. And then they connect to that IP address. And that IP address is supposed to have a server, and the server gives a special file, and that special file gives the IP address of the web server. In this case, of the proxy server. In this case, we are going to use an IPv6 proxy with Evil FOCA. And the idea is that Evil FOCA is going to do everything for you. Evil FOCA configures the DNS answer for WPAD, configures a rogue proxy server listening in the IPv6 network and reroutes all traffic between IPv4 and IPv6. So let's do the demo.
And then we only need to, I'm going to disable and enable the network interface. I'm going to do everything from the beginning. Disable and enable, okay. And then go to Evil FOCA, open Evil FOCA. And then we select WPAD, web proxy auto-discovery, and click, and that's it. And right now we have here that we are running the man-in-the-middle attack for web proxy auto-discovery. Then we need to wait until the web proxy auto-discovery query appears. Let's open Internet Explorer. Let's close Internet Explorer. And let's open it again. And let's see, okay. Now the proxy is up. And the client has requested the file. So if everything is okay, we can do something like google.com. Let's see if the Internet is working very well. Google, Google, on Internet, please. Be a good guy. Google, here it is. Okay. Now we are doing the man in the middle again using a different protocol. But we wanted more. So this was the demo. The demo was that the client sent, the victim sent, a query for the WPAD A record. Then we answered saying no, no, it's not an IPv4, it's an IPv6. Then the victim asked again about the WPAD record, but in this case searching for an IPv6 address. We confirmed, yes, this is the IPv6 of the web proxy auto-discovery server. Then the victim connects to the web server requesting the PAC file with the information about the proxy. We sent that information with the IPv6 and the port on which Evil FOCA is listening. And the rest is just capturing the data. Bonus level. What happens with HTTPS connections? Well, there are several options. The first one is to do an SSL strip. The idea is that we analyze all HTML pages and remove the S from the links. The second one is to use a fake digital certificate and try to cheat the user into clicking on okay, I accept this digital certificate. And the third one is to do bridging HTTPS. That means that FOCA is connecting to the server using HTTPS and the client is connecting to Evil FOCA using HTTPS.
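Levels two and three chain three observable events: a Router Advertisement from a source that is not the real router (the SLAAC attack), a client with no resolver configured falling back to Windows' DNS autodiscovery addresses (the talk's "three IP addresses", which Windows documents as fec0:0:0:ffff::1, ::2 and ::3), and a WPAD name that suddenly resolves to an IPv6 address inside the prefix only the rogue router announced. The Python audit below is an added example for this page, not code from the talk or from Evil FOCA; the `RA` / `DNSQ` / `DNSR` key=value log format is assumed, as something a capture tool or resolver log could be normalised into, and the sample lines are constructed. It correlates the three conditions so that the WPAD finding says whether the answer lands in a rogue prefix.

```python
"""Audit of IPv6 control-plane events for the SLAAC / DNS autodiscovery / WPAD chain.

Added example for this page (not from the talk or Evil FOCA). The log format
(`RA`, `DNSQ`, `DNSR` records with key=value fields) is assumed.
"""
import ipaddress

# Windows' built-in fallback resolvers, used when no DNS server is configured
# (site-local, well known). A client querying these is relying on "DNS autodiscovery".
WINDOWS_FALLBACK_DNS = {
    ipaddress.IPv6Address(a)
    for a in ("fec0:0:0:ffff::1", "fec0:0:0:ffff::2", "fec0:0:0:ffff::3")
}

# Constructed sample: the real router, a second RA from an unknown source,
# a client with no resolver falling back to the well-known addresses, and
# a WPAD lookup that comes back as an IPv6 address inside the unknown prefix.
SAMPLE_LOG = """\
RA src=fe80::1 srcmac=00:11:22:aa:bb:01 prefix=2001:db8:1::/64 lifetime=1800
RA src=fe80::bad srcmac=de:ad:be:ef:00:99 prefix=2001:db8:dead::/64 lifetime=1800
DNSQ client=fe80::10 server=fec0:0:0:ffff::1 qname=wpad.corp.example qtype=A
DNSR client=fe80::10 server=fec0:0:0:ffff::1 qname=wpad.corp.example qtype=AAAA answer=2001:db8:dead::99
DNSQ client=fe80::10 server=2001:db8:1::53 qname=www.example.com qtype=A
DNSR client=fe80::10 server=2001:db8:1::53 qname=www.example.com qtype=A answer=203.0.113.7
"""


def parse_log(text):
    """Turn each `KIND k=v k=v ...` line into a dict with a 'kind' key."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = {"kind": parts[0]}
        for tok in parts[1:]:
            key, _, val = tok.partition("=")
            ev[key] = val
        events.append(ev)
    return events


def audit(events, legit_routers):
    """Return findings, in log order:
      rogue_ra              - Router Advertisement from a source not in legit_routers
      fallback_dns_in_use   - a client querying Windows' well-known fallback resolvers
      wpad_resolves_to_ipv6 - a wpad.* name answered with an AAAA record; the finding
                              notes whether the address lies in a prefix only a rogue RA announced
    """
    legit = {ipaddress.IPv6Address(r) for r in legit_routers}
    rogue_prefixes = []
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "RA":
            src = ipaddress.IPv6Address(ev["src"])
            if src not in legit:
                prefix = ipaddress.IPv6Network(ev["prefix"])
                rogue_prefixes.append(prefix)
                findings.append({"type": "rogue_ra", "src": str(src),
                                 "srcmac": ev.get("srcmac"), "prefix": str(prefix)})
        elif kind == "DNSQ":
            server = ipaddress.ip_address(ev["server"])  # may be IPv4 or IPv6
            if server in WINDOWS_FALLBACK_DNS:
                findings.append({"type": "fallback_dns_in_use", "client": ev["client"],
                                 "server": str(server), "qname": ev["qname"]})
        elif kind == "DNSR":
            qname = ev["qname"].lower().rstrip(".")
            if qname.split(".")[0] == "wpad" and ev.get("qtype") == "AAAA":
                answer = ipaddress.IPv6Address(ev["answer"])
                findings.append({"type": "wpad_resolves_to_ipv6", "client": ev["client"],
                                 "qname": qname, "answer": str(answer),
                                 "in_rogue_prefix": any(answer in p for p in rogue_prefixes)})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), legit_routers=["fe80::1"]):
        print(finding)
```

Each finding maps to a control: RA Guard on the access switches (or, on the host, disabling router discovery on interfaces that should not take IPv6 from the wire) removes the rogue RA; handing every client an explicit resolver removes the fallback to the site-local addresses; and turning off automatic proxy detection, or pre-registering a wpad record you control, removes the WPAD answer. On the sample the audit returns exactly three findings, and if fe80::bad is added to the legitimate routers the WPAD finding remains but is no longer inside a rogue prefix, which is the intended way to tell a planned IPv6 proxy from an injected one.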
FOCA is doing SSL strip and bridging HTTPS so far, and we added a special feature that is to remove the HTTPS links in Google results and also the redirect. So let's do the demo. We've got here Google and, as you can see, if we try to open Gmail, we are going to have an HTTP link, but if we search for Facebook, we have Facebook in Spanish, you know? Facebook in Spanish. And the link is HTTP. We only need to click on it and then go to Evil FOCA and open Wireshark, here it is, open Wireshark, capture. Interface, start. And we've got all the traffic here and we only need to go here and test. Oh, come on. It's still loading. Evil FOCA. Where is my password field? Evil FOCA. Where is the enter? No, no, don't remember. And if we go to the other part and we search for HTTP method, request method equal, equal POST, we've got the user and password of Facebook. Here it is. Well, it's a man-in-the-middle attack in IPv6, in an IPv4 network using IPv6, the Spanish way, and this was the demo. In this tool, we also added other different attacks, just in case, like denial of service in IPv6, man-in-the-middle attacks in IPv4, denial of service in IPv6, DNS hijacking, and we are going to add also injecting JavaScript to create a JavaScript botnet, remember last year's talk. And just a conclusion: IPv6 is in your network, configure it or kill it, and it's not easy to kill it. IPv6, if you have security tools for IPv4, probably they are not working for IPv6. And right now there are a lot of security tools using IPv6, like Topera, which is our port scanner using IPv6, Slowloris, it's migrated to IPv6. We've got several vulnerabilities in IPv6 products and so on. And I would like to give big thanks to the people behind The Hacker's Choice because they did a very, very, very good job with IPv6 tools. If you've got BackTrack or Kali, use it, because they've got a lot of good tools, and even Scapy. Scapy is wonderful to test all solutions.
And the last word is for Street Fighter: who in the hell designed the Spanish fighter, half bullfighter, half Wolverine with a hockey mask? It doesn't make sense at all. See you next year.