IPv6 SLAAC Attack

I recently read the article “IPv6 at gunpoint” and decided to write in more detail about the SLAAC Attack, because I’ve been keeping this attack in my head for a long time, I didn’t find any developed material in Russian, and it was interesting to repeat it myself.

The essence of the attack

What is the essence of the attack? First, it is very simple and reliable, because uses standard OS technologies and tools. In fact, you simply become the only IPv6 router on the network and distribute to clients an IPv6 subnet from which clients take themselves addresses either automatically generating them (SLAAC) or asking your DHCPv6 server. Let me remind you that IPv6 is enabled by default in all modern desktop, mobile and server operating systems, takes precedence over IPv4 (except in some cases), an IPv6 address, unlike IPv4, can be obtained at any time, and not only at the time of connection, and major websites have long been accessible via IPv6. The attack works on both wired and wireless networks. Not all switches, even modern ones, support Router Advertisement filtering, and, I believe, not all include this function, even if it is supported by a switch, assuming that there is no IPv6 on the network, then there is no need to filter anything. By the way, at the moment, the Router Advertisement filter can be bypassed on all switches using the implementation flaws.
')
I was able to come up with two implementations of the attack:

Implementation number 1

With this method, you can only capture real IPv6 traffic to hosts that have AAAA recording. You will need an IPv6 subnet of length / 64 and some software for the Router Advertisement, I used dnsmasq. IPv6 subnet 6to4 will not work, because All 6to4 addresses have priority lower than IPv4, so you need to use a tunnel broker. We will distribute to clients only the address range itself, without DNS, and without using DHCPv6.

The dnsmasq daemon can take a subnet directly from the interface, for this it is enough to specify the following line in the configuration file:

dhcp-range=::, constructor:wlp3s0, ra-only 

Where wlp3s0 is a network interface, in my case, wireless. Install the globally routable subnet 2001:470::/64 on the interface, run dnsmasq, look in the wireshark:


All computers on the network immediately assigned themselves an IPv6 address and set a default route:

  % ip -6 r 2001:470:abcd::/64 dev enp4s0 proto kernel metric 256 expires 3542sec fe80::/64 dev enp4s0 proto kernel metric 256 default via fe80::223:15ff:fe5b:240c dev enp4s0 proto ra metric 1024 expires 1781sec 

Do not forget to enable routing!

 # sysctl net.ipv6.conf.all.forwarding=1 

The disadvantage of this implementation is that only IPv6 traffic will go through your router. Again, most likely, your computer's IPv4 address will be behind NAT, which means it may not be so easy to get an IPv6 subnet, since The most popular tunneling protocol, SIT, does not work for NAT. It is necessary to use either AYIYA tunneling, which is supported by a minority of tunnel brokers, or to invent their own forwarding schemes. The attack can be seen if the attacker uses any site with an IP binding. But, this attack is technically very simple and can be applied in just a minute.

Implementation number 2

What to do if the host we need does not have an IPv6 address, and we so want to make an inconspicuous MITM attack? There is a great way out of this situation - NAT64 + DNS64. NAT64 allows you to map the entire range of IPv4 to the / 96-range of IPv6 addresses, and DNS64 can give such addresses to clients.
Under Linux, there are three NAT64 daemons: TAYGA (userspace) and Ecdysis (kernelspace), Jool (kernelspace), and DNS64 support is found in Bind9, Unbound and the special totd demon, which is abandoned, but still compiled and running.
First of all, we have to choose some 2 subnets that we will distribute to our customers. The first subnet is needed to display the addresses, and the second for routing. I decided to use 2001:db8:1:ffff::/96 (from the “for documentation” range) as the first subnet, and fde4:8dba:82e1:ffff::/64 as the second subnet ( IPv6 ULA , analog of intranet ranges) in IPv4).

Migrate dnsmasq:

 dhcp-range=fde4:8dba:82e1:ffff::1, fde4:8dba:82e1:ffff::ff, slaac 

Specify our settings in TAYGA:

 prefix 2001:db8:1:ffff::/96 

And in totd:

 forwarder 74.82.42.42 port 53 prefix 2001:db8:1:ffff:: port 53 

And run all the demons. In the end, it turns out something like this:

 % dig aaaa habrahabr.ru ; <<>> DiG 9.9.2-P2 <<>> aaaa habrahabr.ru ;; ANSWER SECTION: habrahabr.ru. 2363 IN AAAA 2001:db8:1:ffff::d418:2c8d habrahabr.ru. 2363 IN AAAA 2001:db8:1:ffff::d418:2c85 

All traffic sent to the 2001 range: db8: 1: ffff :: / 96 will actually go through IPv4.

Unfortunately, the DNS is set only when connected, because Router Advertisement accepts the kernel, and to get the DNS you need DHCPv6, which the kernel no longer does. A similar behavior is observed in Windows 7 (I have not tried other versions).

Conclusion

I really like this attack. It is very simple, reliable and works where there is protection against ARP Spoofing and IPv4 ACL. There is another, but very similar in essence, attack - Rogue RA, which will allow you to perform MITM even if you have an existing IPv6 infrastructure, but about it some other time.