Security Basics mailing list archives

RE: Testing IPv6 Rogue Router Advertisements


From: "High, Richard" <Richard.High () KnowledgeCG com>
Date: Thu, 16 Aug 2012 18:26:02 +0000

André,

It seems you might be missing the crucial step of doing ARP spoofing/poisoning for all network devices (including the 
server and router). Using Cain & Abel (www.oxid.it/cain.html) or dsniff (www.monkey.org/~dugsong/dsniff) you can change 
the ARP tables - the tables that store IP address to media access control (MAC) address mappings - on network hosts. 
This causes your router, server and client to send traffic to your BackTrack 5 machine (MITM) rather than to the true 
destination computer. ARP spoofing is used for MITM attacks. 

This is what you need to do:

1. BackTrack "attacker" poisons the ARP caches of victims Win7 and ServerW2k8 by using dsniff, ettercap, or any other 
utility that does this.
2. Win7 associates Attacker's MAC address with Server's IP address.
3. Server associates Attacker's MAC address with Win7's IP address.
4. Server's traffic and win7's traffic are sent to Attacker's IP address first.
5. Attacker's network analyzer captures Server's and Win7's traffic. 

If Attacker is configured to act like a router and forward packets, it forwards the traffic to its original 
destination. The original sender and receiver never know the difference. 

BackTrack 5 should have Cain & Abel for ARP poisoning

DISCLAIMER: ARP poisoning can be hazardous to your network's hardware and health, causing downtime and more. So be 
careful!

Perform the following steps to use Cain & Abel for ARP poisoning:

1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.
The host page opens by default.
2. Click the Start/Stop ARP icon (the yellow and black circle).
The ARP poison routing (how Cain & Abel refers to ARP poisoning) process starts and enables the built-in sniffer.
3. If prompted, select the network adaptor in the window that appears and then click OK.
4. Click the blue + icon to add hosts to perform ARP poisoning on.
5. In the MAC address Scanner window that appears, ensure the All Hosts in My Subnet option is selected and then click 
OK.
6. Click the APR tab (the one with the yellow-and-black circle icon) to load the APR page.
7. Click the white space under the uppermost Status column heading (just under the Sniffer tab).
This re-enables the blue + icon.
8. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 3.
9. Select your default route (in my case, 10.11.12.1).
The right-hand column fills with all the remaining hosts.
10. Ctrl+click all the hosts in the right column that you want to poison. 
11. Click OK and the ARP poisoning process starts.
This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host's 
local TCP/IP stack. 
12. You can use Cain & Abel's built-in passwords feature to capture passwords traversing the network to and from 
various hosts simply by clicking the Passwords tab. 

Hope this helps.

-Rico.Suave

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of André Gasser
Sent: Wednesday, August 15, 2012 6:08 PM
To: security-basics () securityfocus com
Subject: Testing IPv6 Rogue Router Advertisements

Hello all,

I am currently doing some tests using fake_router6 from the THC IPv6 Attack Suite [1]. But I face some problems 
establishing a full MITM situation. Has anybody done such tests him/herself? If yes, I would be glad to get some 
inputs. Please find below some information on my testing scenario.

Test environment:
-----------------
I use a Cisco 3750G device using the latest Cisco IOS 12.2(55)SE6.
Directly attached to this router are two links:

The Router:
  - Has two links directly attached.
      - Link1: Prefix fc00:0:0:1::/64
      - Link2: Prefix fc00:0:0:2::/64
  - Has a static IPv6 address for each link:
      - Link1: fc00:0:0:1::1
      - Link2: fc00:0:0:2::1
  - Announces prefix fc00:0:0:2::/64 to Link1 to enable
    SLAAC on that link.

  - Link1 runs the following machines:
      - Windows Server 2008 using static IP
  - Link2 runs the following machines:
      - Windows 7 Professional (the victim, using SLAAC)
      - BackTrack 5 R3 (the attacker, using SLAAC)

What I want to test / verify:
-----------------------------
Using BackTrack 5 I want to establish a MITM situation in which the BackTrack host establishes itself as an additional 
hop between the Windows 7 client and the Windows Server 2008 machine.

Where is the problem?
---------------------
I am able to get the traffic routed through BackTrack. BackTrack forwards the packet to the legitimate router and it 
successfully reaches its target, the Windows Server 2008. But then, the response packet does not pass the BackTrack 
machine; furthermore, it is directly forwarded to the Windows 7 host by the legitimate router. This means I am only able 
to MITM on outgoing traffic, coming from Windows 7. I'm by no means a routing expert, but as far as I understand, the 
legitimate router processes the response packets correctly by forwarding them directly to the Windows 7 host, as it 
recognizes that the Windows 7 host is directly attached (by checking the prefix).

I call fake_router6 on BackTrack this way:

./fake_router6 eth0 2001:db8:bad:bad::/64


Unfortunately I failed at finding some detailed examples on conducting this attack. What I found is this (see [2]), but 
the author does not describe the setup in detail and the picture does not reveal all the interesting details.

My questions so far:
--------------------
- Can a full MITM scenario be achieved or is it really reduced to
  outgoing traffic (Windows 7 host to Windows Server 2008)?
- Can the same prefix as the legitimate router announces be announced
  using fake_router6? Since they differ in priority (medium, high), I
  think this should not be an issue.


I really appreciate some thoughts on this from you. Hopefully, my explanations were detailed enough to understand the 
issue.

Thank you so much.

Best regards,
André



[1] http://thc.org/thc-ipv6/
[2] http://keepingitclassless.net/2011/09/ipv6-hacking-thc-ipv6-part-2/
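As an added defender-side example (not part of this thread, and not THC or Cisco code), the following Python parses ICMPv6 Router Advertisements of the kind exchanged on André's Link2 and flags what RA Guard on the switch would flag: an RA from a MAC other than the known router's, a high router preference, or a prefix the link should not carry. The router MAC is a constructed placeholder; the prefixes are the ones from the setup above, and the checksum is left zero because the frames are only parsed, never sent.

```python
import struct
import ipaddress

# Known-good state for Link2 (the MAC is a constructed placeholder, not the real switch's).
LEGIT_ROUTER_MAC = "00:11:22:33:44:01"
LEGIT_PREFIXES = {"fc00:0:0:2::/64"}

PREF_NAMES = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "reserved"}  # RFC 4191 Prf bits

def build_ra(prefix: str, pref: int, lifetime: int = 1800) -> bytes:
    """Constructed test input: a minimal RA (ICMPv6 type 134) with one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    flags = (pref & 0b11) << 3                  # M=0, O=0, Prf occupies bits 3-4
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    # Prefix Information option: type 3, length 4 (32 bytes), L and A flags set
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    opt += net.network_address.packed
    return hdr + opt

def parse_ra(payload: bytes) -> dict:
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"pref": PREF_NAMES[(flags >> 3) & 0b11], "lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):              # walk the TLV options (length in 8-byte units)
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                           # RFC 4861: a zero-length option must be rejected
            raise ValueError("malformed option")
        body = payload[off + 2: off + olen * 8]
        if otype == 3 and len(body) == 30:      # prefixlen, flags, valid, preferred, reserved, prefix
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append(f"{prefix}/{body[0]}")
        off += olen * 8
    return ra

def check_ra(src_mac: str, payload: bytes) -> list:
    """Return the reasons an RA is suspicious on this link (empty list = looks legitimate)."""
    ra = parse_ra(payload)
    reasons = []
    if src_mac.lower() != LEGIT_ROUTER_MAC:
        reasons.append(f"RA from unexpected router MAC {src_mac}")
    if ra["pref"] == "high":
        reasons.append("router preference is high (the legitimate router announces medium)")
    for p in ra["prefixes"]:
        if p not in LEGIT_PREFIXES:
            reasons.append(f"unknown prefix {p} announced")
    return reasons
```

Feeding it the RA captured from a real sniffer (source MAC from the Ethernet header, ICMPv6 payload after the IPv6 header) gives the same three findings for a fake_router6-style advertisement: wrong source MAC, high preference, and a prefix the link does not carry.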

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------