A group of researchers from Neohapsis Labs released a tool last weekend during DEF CON that drops the time needed for a Man-in-the-Middle attack using IPv6 (the SLAAC Attack) from hours down to minutes or less.
SLAAC, or Stateless Address Autoconfiguration, is required in every IPv6 stack implementation. It is a mechanism that allows a host to generate its own IPv6 addresses, even if routable addresses have already been assigned or pre-configured, giving the host a unique, routable address on the network in the absence of DHCPv6. The concept of a SLAAC Attack was first described in 2011, in RFC 6104; it was observed mostly in wireless environments, although wired networks had issues too.
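SLAAC hosts learn their prefix and default router from ICMPv6 Router Advertisements, so a rogue RA is what a SLAAC Attack relies on. As an added example (not code from the article, Neohapsis Labs or Sudden Six), the following Python parses RA payloads and flags any advertisement whose source router or autonomous prefix is not on an allowlist; the router addresses, prefix and packets are constructed for the demonstration.

```python
"""Flag rogue IPv6 Router Advertisements, the precondition of a SLAAC attack."""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # RA option: Prefix Information

def parse_ra(src, payload):
    """Parse an ICMPv6 RA payload into (source, router lifetime, [(prefix, A-flag)])."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    # Fixed header: type, code, checksum, hop limit, flags, router lifetime,
    # reachable time, retrans timer. Lifetime 0 means "not a default router".
    router_lifetime = struct.unpack_from("!H", payload, 6)[0]
    prefixes, offset = [], 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0 or offset + opt_len * 8 > len(payload):
            raise ValueError("malformed option")   # RFC 4861 forbids length 0
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, flags = payload[offset + 2], payload[offset + 3]
            prefix = ipaddress.IPv6Address(payload[offset + 16:offset + 32])
            # A flag (0x40): hosts may build SLAAC addresses from this prefix
            net = ipaddress.IPv6Network((prefix, plen), strict=False)
            prefixes.append((net, bool(flags & 0x40)))
        offset += opt_len * 8
    return ipaddress.IPv6Address(src), router_lifetime, prefixes

def classify_ra(ra, trusted_routers, approved_prefixes):
    """Return findings for an RA; an empty list means it matches known routers.
    On an IPv4-only segment both sets are empty, so every RA is a finding."""
    src, lifetime, prefixes = ra
    findings = []
    if src not in trusted_routers:
        findings.append(f"RA from unknown router {src}")
        if lifetime > 0:
            findings.append(f"{src} offers itself as default gateway for {lifetime}s")
    for net, autonomous in prefixes:
        if autonomous and net not in approved_prefixes:
            findings.append(f"unapproved SLAAC prefix {net}")
    return findings

def build_ra(router_lifetime, prefix, plen=64):
    """Constructed sample RA (test input, not a capture): header + Prefix Info option."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

TRUSTED = {ipaddress.IPv6Address("fe80::1")}                 # constructed allowlist
APPROVED = {ipaddress.IPv6Network("2001:db8:1::/64")}        # constructed allowlist

if __name__ == "__main__":
    legit = parse_ra("fe80::1", build_ra(1800, "2001:db8:1::"))
    rogue = parse_ra("fe80::1ee7", build_ra(1800, "2001:db8:bad::"))
    print(classify_ra(legit, TRUSTED, APPROVED))   # []
    print(classify_ra(rogue, TRUSTED, APPROVED))   # three findings
```

Feeding the classifier RAs captured by a monitoring port, or alerting on any RA at all on segments that are not meant to run IPv6, gives the same signal that switch-level RA Guard acts on.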
Not long after RFC 6104 was drafted, InfoSec Institute researcher Alec Waters outlined how to carry out Man-in-the-Middle (MITM) attacks via the problems with SLAAC, which drew attention in both the media and the security community. The problem was that Waters' method did not work for some people, or took several hours to set up the first time through, and involved various bits of configuration that caused trouble for those attempting to reproduce his work.
When it comes to scope, SLAAC Attacks work against Windows Vista and Windows 7 out of the box. Windows XP is exempt due to its lack of IPv6 support. Windows 8 was not available at the time the SLAAC Attack became public, but researchers at Neohapsis Labs have worked out how to target Microsoft's latest OS, and they have simplified the SLAAC Attack with a new tool called Sudden Six.
At DEF CON last week, after their presentation on the topic, Neohapsis Labs released the Sudden Six tool publicly. It automates the SLAAC Attack process originally described by Waters and was designed primarily for pen testers. The tool requires less preparation and configuration than the previous method, and works faster.
In an email to CSO, Scott Behrens, head of Neohapsis Labs and one of the presenters at DEF CON, said that attackers could easily weaponize an attack on a system using SLAAC, giving them a high degree of visibility and control.
"They could pretend to be an IPv6 router on your network and see all your web traffic, including data being sent to and from your machine. Even more lethal, the attacker could modify web pages to launch client-side attacks, meaning they could create fake websites that look like the ones you are trying to access, but send all data you enter back to [them]," he explained.
"One caveat to note is the attacker needs to be conducting the attack from inside your network. Although, with the prevalence of social engineering attacks and drive-by malware, this circumstance is all too common."