1 00:00:00,000 --> 00:00:01,250 CHEMA ALONSO: Hello. 2 00:00:01,250 --> 00:00:02,501 Good morning, hackers. 3 00:00:02,501 --> 00:00:04,999 (Cheers.) CHEMA ALONSO: Hello, everybody. 4 00:00:04,999 --> 00:00:06,125 Good morning, everybody. 5 00:00:06,125 --> 00:00:06,125 Thank you to coming to the session 6 00:00:06,125 --> 00:00:07,834 about attacking IPv4 network. 7 00:00:07,999 --> 00:00:10,667 I'm Chema Alonso from Spain. 8 00:00:10,999 --> 00:00:15,999 This is the sixth occasion that I'm speaking here at DEF CON. 9 00:00:15,999 --> 00:00:19,834 Year after year before delivering the talk, I have been trying 10 00:00:19,834 --> 00:00:23,667 to convince you to come to my country. 11 00:00:23,959 --> 00:00:28,167 How many of you have been to Spain in the last six years, please? 12 00:00:28,167 --> 00:00:29,167 Hands up? 13 00:00:29,417 --> 00:00:30,417 Very well! 14 00:00:30,834 --> 00:00:32,167 Did you enjoy Spain? 15 00:00:32,417 --> 00:00:36,626 (Cheers.) CHEMA ALONSO: For the rest of you I have been convincing 16 00:00:36,626 --> 00:00:40,667 you year after year, talking about the beaches, the parties, 17 00:00:40,667 --> 00:00:44,999 the beaches, the parties, the bullfighters, so on. 18 00:00:44,999 --> 00:00:48,584 This time I'm going to try a different approach. 19 00:00:48,584 --> 00:00:52,584 I try to convince you to visit my country by doing 20 00:00:52,584 --> 00:00:55,250 a history of Spain. 21 00:00:55,250 --> 00:00:57,999 History of Spain in only one minute. 22 00:00:57,999 --> 00:00:58,999 Is okay for you? 23 00:00:58,999 --> 00:01:01,876 (Cheers and applause.) CHEMA ALONSO: 24 00:01:01,876 --> 00:01:08,125 Well, 2000 years ago -- (Laughter.) CHEMA ALONSO: Spain was 25 00:01:08,125 --> 00:01:10,918 a Roman country. 26 00:01:11,083 --> 00:01:13,876 In fact, we have some of the best Roman Emperors, 27 00:01:13,876 --> 00:01:17,375 like Vispasian and Trajan, born in Spain. 28 00:01:18,167 --> 00:01:22,999 And if you visit Spain you can discover in the middle of the city a lot 29 00:01:22,999 --> 00:01:27,876 of Roman monuments like this in Segovia and this in Merida. 30 00:01:27,876 --> 00:01:31,918 All of the country is full of these monuments. 31 00:01:32,083 --> 00:01:36,375 Centuries after, Spain was a medieval country. 32 00:01:36,375 --> 00:01:40,999 If you visit the country you find a lot of castles. 33 00:01:41,834 --> 00:01:44,792 There are hundreds and hundreds of castles. 34 00:01:44,999 --> 00:01:46,667 You can visit all of them. 35 00:01:46,667 --> 00:01:48,667 Even you can buy it if you have enough money 36 00:01:48,667 --> 00:01:51,918 because some of them are for sale. 37 00:01:51,918 --> 00:01:53,501 It is true; it is not a joke. 38 00:01:53,667 --> 00:01:58,292 After that, Spain was an Arabic country, seven centuries being 39 00:01:58,292 --> 00:02:00,751 an Arabic country. 40 00:02:00,751 --> 00:02:03,999 If you visit Spain you will discover that there are a lot 41 00:02:03,999 --> 00:02:07,542 of mosques around the country, with beautiful monuments 42 00:02:07,542 --> 00:02:09,876 in all the country. 43 00:02:10,083 --> 00:02:13,375 After that, Spain was an empire. 44 00:02:13,417 --> 00:02:14,792 Probably you know it. 45 00:02:15,083 --> 00:02:19,918 And like Spain was an empire, all great artists wanted to work 46 00:02:19,918 --> 00:02:21,999 for the empire. 47 00:02:21,999 --> 00:02:24,167 So in Spain there are a lot of museums 48 00:02:24,167 --> 00:02:28,584 with great artists' paintings like this. 49 00:02:28,709 --> 00:02:31,542 So are you going to visit Spain, please? 50 00:02:31,542 --> 00:02:33,709 (Cheers and applause.) CHEMA ALONSO: 51 00:02:33,709 --> 00:02:38,083 Well, we are not an empire anymore, as you know. 52 00:02:38,667 --> 00:02:40,167 Let's talk about FOCA. 53 00:02:40,167 --> 00:02:41,709 How many of you know FOCA? 54 00:02:41,999 --> 00:02:44,125 How many of you love FOCA? 55 00:02:44,250 --> 00:02:48,292 Today I'm going to talk about another FOCA. 56 00:02:48,292 --> 00:02:50,417 It is not the FOCA that you probably know. 57 00:02:52,292 --> 00:02:55,999 It is a FOCA based on hacking networks. 58 00:02:55,999 --> 00:02:58,667 The idea of this tool is that probably most of the users, 59 00:02:58,667 --> 00:03:02,918 any time in their life had tried a very dangerous command in their, 60 00:03:02,918 --> 00:03:04,459 IP config. 61 00:03:07,209 --> 00:03:12,292 It is very dangerous and difficult to understand this command. 62 00:03:12,292 --> 00:03:15,209 As you can see, in Spain, because Spain is better ... 63 00:03:15,209 --> 00:03:18,834 (Laughter.) CHEMA ALONSO: And as you can see, there 64 00:03:18,834 --> 00:03:22,792 is a special magic in the result that you can see 65 00:03:22,792 --> 00:03:26,999 because if you ask to any user that type this command 66 00:03:26,999 --> 00:03:32,083 what is the IP address, all users are going to say 192.106A.1, 67 00:03:32,083 --> 00:03:33,584 so on. 68 00:03:35,334 --> 00:03:40,501 Nobody can see the IP address on top of their list. 69 00:03:41,834 --> 00:03:43,999 Have you seen that IP address? 70 00:03:44,083 --> 00:03:45,083 The victim? 71 00:03:45,083 --> 00:03:46,083 Yeah? 72 00:03:46,083 --> 00:03:49,999 Most of you when realize that there is something on top of the IP address, 73 00:03:49,999 --> 00:03:52,334 do something like this. 74 00:03:52,584 --> 00:03:55,876 (Laughter.) CHEMA ALONSO: Well, the truth is that 75 00:03:55,876 --> 00:04:00,334 in all Windows operating systems, IPv6 is working by results, it 76 00:04:00,334 --> 00:04:02,250 is turned on. 77 00:04:02,250 --> 00:04:05,334 So you go to test your network configuration, 78 00:04:05,334 --> 00:04:09,999 you can realize that IPv6 is turning on and by default 79 00:04:09,999 --> 00:04:12,999 is configured like this. 80 00:04:13,083 --> 00:04:15,542 It is in Spain, you know about it? 81 00:04:15,999 --> 00:04:19,459 That means automatically configuration. 82 00:04:20,375 --> 00:04:27,918 That means that IPv6 is waiting to be configured to run on the machine. 83 00:04:27,918 --> 00:04:28,918 But it is working. 84 00:04:28,918 --> 00:04:32,083 And if you test the roting table you can realize that you 85 00:04:32,083 --> 00:04:36,792 have all the roll team table for IPv6 installed in your computer 86 00:04:36,792 --> 00:04:39,918 and even one of the most dangerous commands, 87 00:04:39,918 --> 00:04:41,459 the ping. 88 00:04:41,999 --> 00:04:43,125 Ping is working. 89 00:04:43,667 --> 00:04:46,459 So I'm going to do a demo, an easy one. 90 00:04:46,792 --> 00:04:48,667 I've got two machines. 91 00:04:48,709 --> 00:04:51,417 One of those is this blue. 92 00:04:51,417 --> 00:04:52,792 The blue is the server. 93 00:04:52,792 --> 00:04:57,501 And as you can see we have an IPv6 address and an IPv4. 94 00:04:58,584 --> 00:05:02,918 The IPv6 is FA -- whatever. 95 00:05:02,999 --> 00:05:08,083 And the IPv4 is 192, 168, ten, one. 96 00:05:08,083 --> 00:05:12,918 If we go to the client to the other machine, which 97 00:05:12,918 --> 00:05:21,999 is the red one and try to do a ping to the IP before -- to the IPv4, 100 what? 98 00:05:24,834 --> 00:05:28,209 192.168.10.1, it is working. 99 00:05:28,375 --> 00:05:32,083 We try to discover what is the name of this server? 100 00:05:32,083 --> 00:05:35,209 We got that the name is share. 101 00:05:35,292 --> 00:05:42,709 If we try the IPv6 address, of course it is working as well. 102 00:05:42,709 --> 00:05:48,459 If we do something like ping, the name, then magic occurs 103 00:05:48,459 --> 00:05:55,626 because by default Windows tried to connect using IPv6. 104 00:05:55,626 --> 00:05:58,250 But probably all of you are aware of this. 105 00:05:58,250 --> 00:05:59,250 This is true? 106 00:05:59,751 --> 00:06:00,751 Yeah. 107 00:06:00,751 --> 00:06:03,792 And you are taking care of IPv6 attacks for sure. 108 00:06:04,083 --> 00:06:11,083 (Laughter.) CHEMA ALONSO: Well, this said, the idea of IPv6 is that 109 00:06:11,083 --> 00:06:16,083 in Windows machine, both protocols are working 110 00:06:16,083 --> 00:06:18,999 at the same time. 111 00:06:18,999 --> 00:06:21,375 Depending on the configuration of your network, the machine 112 00:06:21,375 --> 00:06:23,999 is going to use IPv4 or IPv6. 113 00:06:23,999 --> 00:06:26,375 If you have an IPv4 network fully configure rated 114 00:06:26,375 --> 00:06:29,125 with the main controller, with the DNS and 115 00:06:29,125 --> 00:06:33,999 all the computers are in the DNS and all of them working with the IPv4, 116 00:06:33,999 --> 00:06:39,167 then the New York is going to work as an IPv4 network by default. 117 00:06:39,167 --> 00:06:41,167 But if you are in a local network connected 118 00:06:41,167 --> 00:06:44,834 with other computers from different parts, they are not 119 00:06:44,834 --> 00:06:46,876 in the same DNS. 120 00:06:46,876 --> 00:06:49,083 They are not in the same domain controller, 121 00:06:49,083 --> 00:06:52,999 then IPv6 will appear a lot of times. 122 00:06:54,083 --> 00:06:59,501 This is due because in Windows Vista, Microsoft added this protocol, 123 00:06:59,501 --> 00:07:02,999 local eManager which is a protocol that tries 124 00:07:02,999 --> 00:07:09,083 to discover what is the IP address of a computer in the network. 125 00:07:09,083 --> 00:07:12,501 It is working only in the local network, in the local segment. 126 00:07:12,501 --> 00:07:15,999 As you can see it is trying to discover the IP address 127 00:07:15,999 --> 00:07:19,459 of the computer for any protocol. 128 00:07:19,459 --> 00:07:23,999 So it is trying to query the DNS as a router is trying to -- 129 00:07:23,999 --> 00:07:30,959 the IPv6 network is trying to do a broadcasting discovery -- sorry. 130 00:07:35,083 --> 00:07:36,459 Whatever. 131 00:07:36,459 --> 00:07:38,999 In the end, when local eManager discovered 132 00:07:38,999 --> 00:07:45,250 the IP address of the destination server, it is possible to connect using IPv6, 133 00:07:45,250 --> 00:07:49,375 then it is going to connect using IPv6. 134 00:07:50,083 --> 00:07:53,959 Once we have the IP address, we need the physical address 135 00:07:53,959 --> 00:07:58,083 to discover the physical address in IPv4 we are using ARP, but ARP 136 00:07:58,083 --> 00:08:01,083 is not working in IPv6 anymore. 137 00:08:01,083 --> 00:08:05,709 If you have a security solution to detect attacking with ARP, it 138 00:08:05,709 --> 00:08:09,209 is good for IPv4 but not IPv6. 139 00:08:09,542 --> 00:08:14,999 We are using a different protocol, which is a neighbor discovery protocol 140 00:08:14,999 --> 00:08:19,083 based on two different, they are neighbor solicitation and 141 00:08:19,083 --> 00:08:22,959 in the end neighbor solicitation and -- are working 142 00:08:22,959 --> 00:08:27,083 in the same way that ARP, but it is not ARP. 143 00:08:27,083 --> 00:08:29,375 That is important. 144 00:08:29,459 --> 00:08:32,334 We got a table also in which we connect 145 00:08:32,334 --> 00:08:36,542 the IPv6 address with the physical address. 146 00:08:36,999 --> 00:08:39,999 In IPv4, it is the ARP table. 147 00:08:39,999 --> 00:08:41,999 In IPv6 it is the neighbor table. 148 00:08:41,999 --> 00:08:42,999 It is in your computer. 149 00:08:43,083 --> 00:08:47,999 You can query the table using that command. 150 00:08:48,999 --> 00:08:53,501 This said, how it works is like this. 151 00:08:53,501 --> 00:08:56,999 Someone is trying to discover the physical address 152 00:08:56,999 --> 00:08:59,667 of an IPv6 computer. 153 00:08:59,667 --> 00:09:05,417 Then send messages to FF auto, which is multicast address. 154 00:09:05,834 --> 00:09:10,459 Querying for the IPv6 address in which it is interested. 155 00:09:10,459 --> 00:09:12,417 In this case, this one. 156 00:09:12,417 --> 00:09:14,999 The computer with this IPv6 address and 157 00:09:14,999 --> 00:09:21,334 in this case this one, is going to answer with the physical address. 158 00:09:21,334 --> 00:09:22,959 It is very easy to understand. 159 00:09:22,959 --> 00:09:23,959 It is the same done. 160 00:09:24,626 --> 00:09:30,375 That means perform -- this environment is very easy. 161 00:09:30,375 --> 00:09:34,375 We only need to send two packets, like ARP, it is very easy. 162 00:09:34,999 --> 00:09:40,083 We need to send a packet to one of the computers, spoofing 163 00:09:40,083 --> 00:09:44,626 the IPv6 address of the other and then do the same 164 00:09:44,626 --> 00:09:47,709 with the other machine. 165 00:09:47,709 --> 00:09:50,959 Only two packets and we have the man in the middle like in ARP. 166 00:09:51,083 --> 00:09:54,417 Let's do a quick and easy demo, Level 1. 167 00:09:54,542 --> 00:09:58,626 Very easy to understand in this environment. 168 00:09:58,626 --> 00:10:01,000 But before doing it, you don't have to take 169 00:10:01,000 --> 00:10:03,999 into account that we are Spanish. 170 00:10:04,083 --> 00:10:05,417 So we are lazy. 171 00:10:05,876 --> 00:10:11,042 (Laughter.) CHEMA ALONSO: We need tools for work. 172 00:10:11,709 --> 00:10:14,751 So we created the Evil FOCA, okay? 173 00:10:14,999 --> 00:10:18,167 In this demo, we have three machines. 174 00:10:19,292 --> 00:10:22,999 The blue one is a server. 175 00:10:22,999 --> 00:10:27,959 The red one is the victim, is the client. 176 00:10:27,999 --> 00:10:30,083 The black one is the Evil FOCA. 177 00:10:30,375 --> 00:10:37,417 So we only need to do something like open Wireshark, open Evil FOCA, 178 00:10:37,417 --> 00:10:43,125 yes, then Evil FOCA discovered the network. 179 00:10:43,584 --> 00:10:44,584 Yes. 180 00:10:44,999 --> 00:10:47,876 Drag, drag, click. 181 00:10:48,667 --> 00:10:50,209 And that's all. 182 00:10:50,209 --> 00:10:51,209 Okay? 183 00:10:55,918 --> 00:11:01,083 (Applause.) (Cheers and applause.) CHEMA ALONSO: So 184 00:11:01,083 --> 00:11:07,083 if we go to Wireshark, if we go to Wireshark in this machine, 185 00:11:07,083 --> 00:11:13,250 we start to capture information, capture interfaces. 186 00:11:15,250 --> 00:11:18,542 And we do something very easy. 187 00:11:18,542 --> 00:11:28,876 Go to the client and from the client to server, connect to the server. 188 00:11:28,876 --> 00:11:29,876 Open a document. 189 00:11:29,876 --> 00:11:31,459 With my pass wore. 190 00:11:31,459 --> 00:11:36,999 And then we go to the FOCA, the old FOCA. 191 00:11:36,999 --> 00:11:39,584 We only need to do follow this BS extreme 192 00:11:39,584 --> 00:11:41,751 and that's it. 193 00:11:41,751 --> 00:11:44,459 We got all the information and we define, to search 194 00:11:44,459 --> 00:11:47,751 for the password and here it is. 195 00:11:49,334 --> 00:11:50,751 Okay? 196 00:11:50,751 --> 00:11:51,999 Very easy to understand. 197 00:11:51,999 --> 00:11:58,626 (Applause.) CHEMA ALONSO: Well, this is very easy. 198 00:11:58,626 --> 00:11:59,626 It's Level 1. 199 00:12:00,083 --> 00:12:05,083 I am going to stop the server. 200 00:12:05,083 --> 00:12:06,792 I don't need the server anymore. 201 00:12:06,876 --> 00:12:12,083 And now we are going to get into the Level 2. 202 00:12:12,083 --> 00:12:15,083 The idea of Level 2 is, okay, we have the IPv6 in the network, 203 00:12:15,083 --> 00:12:17,834 but I want to be a man in the middle when 204 00:12:17,834 --> 00:12:20,626 the bit thing connects to the Internet which 205 00:12:20,626 --> 00:12:22,918 is working on IPv4. 206 00:12:22,918 --> 00:12:23,999 That is the challenge. 207 00:12:24,083 --> 00:12:27,918 This is the demo that I did it, in case it didn't work. 208 00:12:27,999 --> 00:12:31,626 The second, in the second demo, it is a slack attack. 209 00:12:31,626 --> 00:12:35,209 Yesterday there was a talk, talking about this. 210 00:12:35,209 --> 00:12:37,209 We released this tool in March. 211 00:12:37,209 --> 00:12:39,876 Is public this tool in March when this attack. 212 00:12:39,876 --> 00:12:40,999 The idea is simple. 213 00:12:40,999 --> 00:12:45,918 In IPv6 there are a lot of computers, there are big IP address and it would be 214 00:12:45,918 --> 00:12:51,999 impossible for a system manager to manage all the roads on the network. 215 00:12:51,999 --> 00:12:58,501 I have 3,000 routers, and computers, it would be a mess. 216 00:12:58,542 --> 00:13:01,334 The idea from the beginning, you don't have to worry 217 00:13:01,334 --> 00:13:05,209 about the default guide way because we will create a protocol 218 00:13:05,209 --> 00:13:07,792 to figure the computer. 219 00:13:09,999 --> 00:13:13,999 This is the idea is quite simple. 220 00:13:13,999 --> 00:13:17,375 When a computer with IPv6 needs to connect to the Internet, ask 221 00:13:17,375 --> 00:13:22,792 for a router with a package called router solicitation and if there, if there 222 00:13:22,792 --> 00:13:27,876 is a router in the network, answer with the neighbor advertisement saying 223 00:13:27,876 --> 00:13:31,417 hey, here are router, here are friend. 224 00:13:31,876 --> 00:13:34,999 After that the computer configures automatically 225 00:13:34,999 --> 00:13:40,125 an IPv6 network that has connectivity with the router and configured 226 00:13:40,125 --> 00:13:43,834 the router as the fall guide way. 227 00:13:43,834 --> 00:13:45,876 Very easy to do and understand. 228 00:13:45,876 --> 00:13:48,459 That protocol configures the default guide way. 229 00:13:48,459 --> 00:13:49,459 But not the DNS. 230 00:13:49,999 --> 00:13:51,584 Not always. 231 00:13:51,667 --> 00:13:56,083 You can also a rogue DHCP to configure, but it 232 00:13:56,083 --> 00:14:01,083 is not necessarily because in Windows machines there 233 00:14:01,083 --> 00:14:07,334 is a special protocol which is the DNS auto discovery. 234 00:14:07,959 --> 00:14:12,209 If your computer doesn't have any DNS configured by default, 235 00:14:12,209 --> 00:14:15,876 you use these three IP address. 236 00:14:15,876 --> 00:14:19,167 That means that if someone configures that IP address 237 00:14:19,167 --> 00:14:24,626 in your network, it will be the DNS in your network. 238 00:14:24,626 --> 00:14:26,999 You need to take care of this IP address. 239 00:14:26,999 --> 00:14:29,167 So to do the attack is very easy 240 00:14:29,167 --> 00:14:34,751 because all Web browsers are ready to work with IPv6. 241 00:14:34,999 --> 00:14:38,999 This is the procedure which is really for IPv6. 242 00:14:38,999 --> 00:14:43,334 In Google Chrome is activated, IPv6 is activated by default. 243 00:14:45,999 --> 00:14:49,959 If the guy is using Google Chrome, you cannot do this attack. 244 00:14:49,959 --> 00:14:50,999 You can do the next one. 245 00:14:50,999 --> 00:14:51,999 Don't worry. 246 00:14:52,250 --> 00:14:55,959 (Chuckles.) CHEMA ALONSO: There are several situations 247 00:14:55,959 --> 00:14:58,918 in which IPv6 attacks are not working very well 248 00:14:58,918 --> 00:15:02,501 because Windows have very special behavior. 249 00:15:02,501 --> 00:15:07,375 If you have IPv4 and IPv6 fully configured with the DNS and 250 00:15:07,375 --> 00:15:10,999 the default gateway, then Windows used 251 00:15:10,999 --> 00:15:15,667 the DNS configured in the IPv4 protocol. 252 00:15:15,667 --> 00:15:19,751 It makes sense because in the end, DNS is supposed to be only one copy 253 00:15:19,751 --> 00:15:22,209 in the whole Internet. 254 00:15:22,209 --> 00:15:27,167 So it doesn't matter in connecting to the DNS using IPv4 or IPv6. 255 00:15:27,167 --> 00:15:30,375 In Windows they choose to use IPv4 protocol to connect 256 00:15:30,375 --> 00:15:32,125 to the DNS. 257 00:15:32,459 --> 00:15:38,167 If you don't have IPv4 fully configured, if the DHCP is giving you 258 00:15:38,167 --> 00:15:43,459 the default gateway, if we configure IPv6, the computer 259 00:15:43,459 --> 00:15:46,959 is going to use the IPv6. 260 00:15:46,959 --> 00:15:52,876 But in some cases by default it is searching for DNS record 261 00:15:52,876 --> 00:15:55,626 of IPv4 address. 262 00:15:56,501 --> 00:16:00,292 Than means that if we want to create a special man 263 00:16:00,292 --> 00:16:04,584 in the middle using IPv6 between the client and the man 264 00:16:04,584 --> 00:16:08,209 in the middle we need to reconstruct the answers 265 00:16:08,209 --> 00:16:10,501 to IPv6 records. 266 00:16:10,959 --> 00:16:19,125 And of course, if we got IPv6 than and IPv4 only in local link, 267 00:16:19,125 --> 00:16:22,959 sorry -- I am sick. 268 00:16:22,959 --> 00:16:28,501 And if we have IPv6 and IPv4 with local link, the DNS is going 269 00:16:28,501 --> 00:16:35,999 to be using IPv6 and is going to be querying DNS of IPv6 address. 270 00:16:35,999 --> 00:16:39,751 But it is very easy to change the behavior 271 00:16:39,751 --> 00:16:46,501 because if the client asks for DNS query searching for an IPv4, 272 00:16:46,501 --> 00:16:53,334 you can respond with an IPv6 and everything goes well. 273 00:16:53,334 --> 00:16:54,417 So don't worry at all. 274 00:16:55,250 --> 00:16:59,125 So what is Evil FOCA doing in this attack? 275 00:16:59,125 --> 00:17:00,417 The idea is quite simple. 276 00:17:00,417 --> 00:17:03,584 Evil FOCA is going to be this guy. 277 00:17:03,584 --> 00:17:08,083 Using network installation 624 and DNS624. 278 00:17:08,083 --> 00:17:11,501 The idea is we are going to configure -- Ooooo! 279 00:17:14,584 --> 00:17:18,417 We are going to configure this, configure the slack attack 280 00:17:18,417 --> 00:17:21,667 to configure the default gateway. 281 00:17:23,999 --> 00:17:27,999 It automatically is going to configure the DNS how to discover 282 00:17:27,999 --> 00:17:32,999 to connect to the Internet and DNS how to discover is IPv6. 283 00:17:32,999 --> 00:17:33,999 So we are in the middle. 284 00:17:33,999 --> 00:17:36,999 We are going to capture all DNS queries. 285 00:17:37,334 --> 00:17:41,501 So when he asks for an IPv4 URL, for example, 286 00:17:41,501 --> 00:17:47,501 www.DEFCON.org which is only working IPv4, then that query 287 00:17:47,501 --> 00:17:52,999 is going to be sent to the default gateway. 288 00:17:52,999 --> 00:17:54,918 We are going to intercept the query. 289 00:17:55,125 --> 00:17:59,250 We are going to ask for the real IPv4 on the Internet. 290 00:18:00,083 --> 00:18:04,459 Then we are going to compare the IPv4 to an IPv6 address and give 291 00:18:04,459 --> 00:18:08,999 the IPv6 address to the client and then the client is going to send 292 00:18:08,999 --> 00:18:12,584 the IPv6 query to the default gateway and we are going 293 00:18:12,584 --> 00:18:17,250 to translate the IPv6 to IPv4 and send to the server and get the answer 294 00:18:17,250 --> 00:18:20,999 and then it is very easy to understand. 295 00:18:20,999 --> 00:18:23,999 (Cheers and laughter.) CHEMA ALONSO: But 296 00:18:23,999 --> 00:18:26,999 you know, we are Spanish. 297 00:18:27,999 --> 00:18:30,125 So let's do the demo. 298 00:18:30,125 --> 00:18:32,083 The idea in the first demo, we only need to send two packets 299 00:18:32,083 --> 00:18:34,417 to make one follow the other. 300 00:18:34,501 --> 00:18:39,834 In this example we need to send the packet to configure the slack attack. 301 00:18:39,834 --> 00:18:42,999 Then we need to do all the translation. 302 00:18:42,999 --> 00:18:46,876 And in Evil FOCA, we need to do this. 303 00:18:46,876 --> 00:18:51,167 First of all, I am going to spend a lot of money using my Spanish mobile 304 00:18:51,167 --> 00:18:54,999 phone, but I need Internet connection. 305 00:18:57,959 --> 00:18:59,209 So connect. 306 00:19:02,250 --> 00:19:03,751 Okay. 307 00:19:03,792 --> 00:19:07,999 Let's see if I have Internet connection. 308 00:19:14,584 --> 00:19:16,125 Please, please, please. 309 00:19:16,125 --> 00:19:17,959 Okay, I got Internet connection. 310 00:19:18,459 --> 00:19:21,999 Then I got the Evil FOCA. 311 00:19:24,083 --> 00:19:27,083 I got the Evil FOCA and the victim. 312 00:19:27,083 --> 00:19:35,083 And I am going to do something like open Evil FOCA. 313 00:19:35,125 --> 00:19:37,083 I am going to the big thing. 314 00:19:37,375 --> 00:19:43,584 I'm going -- I'm going to the victim. 315 00:19:43,584 --> 00:19:46,083 I'm going to -- the network adapter in case something was to start 316 00:19:46,083 --> 00:19:48,209 from the previous demo. 317 00:19:48,334 --> 00:19:49,334 That's all. 318 00:19:49,834 --> 00:19:56,292 And all that we need to do is something like go to Evil FOCA. 319 00:19:56,292 --> 00:20:01,751 (Chuckles.) CHEMA ALONSO: And then select slack. 320 00:20:01,751 --> 00:20:14,876 Just click here and start. 321 00:20:14,876 --> 00:20:15,876 That's ... 322 00:20:15,876 --> 00:20:16,876 That's all. 323 00:20:16,876 --> 00:20:18,834 (Applause.) CHEMA ALONSO: If we try to do something like, this 324 00:20:18,834 --> 00:20:21,167 is in the host machine. 325 00:20:21,167 --> 00:20:22,876 This is the host machine. 326 00:20:22,876 --> 00:20:27,667 If I try to connect to the DNS and search 327 00:20:27,667 --> 00:20:36,542 for an IPv6 address for DEFCON.org, as you can see there is not 328 00:20:36,542 --> 00:20:46,250 an IPv6 address for DEFCON.org and if we go to the victim and we open 329 00:20:46,250 --> 00:20:55,334 the Web browser, and we search for www.google.com or DEFCON.org, 330 00:20:55,334 --> 00:20:59,501 everything is working. 331 00:21:01,083 --> 00:21:03,334 Google and DEF CON. 332 00:21:10,999 --> 00:21:16,667 And if we search for the IP address that we are using 333 00:21:16,667 --> 00:21:20,999 to connect, ping www.DEFCON.org. 334 00:21:22,959 --> 00:21:27,417 It is an IPv6 because we are changing the IPv4 335 00:21:27,417 --> 00:21:31,626 to IPv6 and as you can see we are browsing 336 00:21:31,626 --> 00:21:33,999 the Internet. 337 00:21:42,959 --> 00:21:48,834 (Applause.) CHEMA ALONSO: Well, this is the demo, just in case. 338 00:21:48,999 --> 00:21:49,999 Level three. 339 00:21:50,125 --> 00:21:51,542 Well, this is Level 3. 340 00:21:51,667 --> 00:21:55,250 We are not published this version of Evil FOCA yet. 341 00:21:55,250 --> 00:21:57,999 But next week you will have this version available. 342 00:21:57,999 --> 00:22:01,918 And the idea is to use the Web browser how 343 00:22:01,918 --> 00:22:05,959 to discover protocol in IPv6. 344 00:22:05,959 --> 00:22:07,083 The idea is quite simple. 345 00:22:08,083 --> 00:22:14,876 Automatic by default all Web browsers, Google Chrome, Internet Explorer, 346 00:22:14,876 --> 00:22:20,292 Mozilla 5.4 are searching for Web browsing, to discover what 347 00:22:20,292 --> 00:22:23,834 is the Web browser they are searching 348 00:22:23,834 --> 00:22:29,918 for in a special record in the DNS, which is Web browser discovery 349 00:22:29,918 --> 00:22:35,918 with WPAD and then connect to that IP address and that IP address 350 00:22:35,918 --> 00:22:41,918 is supposed to have a server and the server gives a special final 351 00:22:41,918 --> 00:22:48,459 and that special file gives the IP address of the Web server. 352 00:22:48,459 --> 00:22:50,542 In this case, the proxy server. 353 00:22:50,542 --> 00:22:57,250 In this case we are going to use an IPv6 proxy with Evil FOCA. 354 00:22:57,250 --> 00:23:00,999 The idea is that Evil FOCA is going to do everything for you. 355 00:23:02,959 --> 00:23:06,584 Evil FOCA configures the D sensor to WPAD and listens 356 00:23:06,584 --> 00:23:12,083 in the IPv6 network and routes all traffic between IPv4 and IPv6. 357 00:23:12,167 --> 00:23:13,959 Let's do a demo. 358 00:23:15,125 --> 00:23:21,751 And then we only need to -- I am going to ... 359 00:23:23,999 --> 00:23:27,834 disable and enable the network interface. 360 00:23:28,959 --> 00:23:37,209 And I am going to, everything from the beginning. 361 00:23:38,167 --> 00:23:39,834 Disable. 362 00:23:39,999 --> 00:23:41,459 And enable. 363 00:23:43,584 --> 00:23:49,209 And then go to Evil FOCA. 364 00:23:50,999 --> 00:23:58,999 Open Evil FOCA and then we select Web proxy, discovery, and click 365 00:23:58,999 --> 00:24:01,709 and that's it. 366 00:24:01,751 --> 00:24:04,292 And right now we have here that we are working the man 367 00:24:04,292 --> 00:24:06,999 in the middle attack for Web browser discovery 368 00:24:06,999 --> 00:24:09,834 and then we need to wait until Web browser auto 369 00:24:09,834 --> 00:24:11,959 discovery appeared. 370 00:24:14,876 --> 00:24:18,709 Let's open Internet Explorer. 371 00:24:18,959 --> 00:24:20,959 Let's close Internet Explorer. 372 00:24:21,083 --> 00:24:23,918 And let's open it again. 373 00:24:25,250 --> 00:24:29,334 And let's see, okay. 374 00:24:29,334 --> 00:24:37,876 Now the proxy is up and the client has requested the file. 375 00:24:38,083 --> 00:24:41,667 So everything is okay. 376 00:24:41,751 --> 00:24:43,626 We can do something like Google.com. 377 00:24:49,417 --> 00:24:52,751 Let's see if the Internet is working very well. 378 00:24:58,918 --> 00:25:04,999 Google, Google. 379 00:25:05,375 --> 00:25:07,417 Internet, please? 380 00:25:07,792 --> 00:25:08,959 Be a good guy. 381 00:25:19,501 --> 00:25:20,999 Here it is. 382 00:25:20,999 --> 00:25:21,999 Okay. 383 00:25:22,999 --> 00:25:25,999 We are doing the man in the middle again using different 384 00:25:25,999 --> 00:25:29,083 protocol, but we need, we wanted more. 385 00:25:29,709 --> 00:25:31,501 So this was the demo. 386 00:25:31,751 --> 00:25:38,959 The demo was that the client sent, the victim sent for WPAD record. 387 00:25:38,959 --> 00:25:42,999 Then we answer saying no, no, it is not an IPv4. 388 00:25:42,999 --> 00:25:43,999 It's IPv6. 389 00:25:43,999 --> 00:25:47,292 Then the victim asks again about the WPAD record, 390 00:25:47,292 --> 00:25:51,999 but in this case searching for IPv6 address. 391 00:25:51,999 --> 00:25:55,083 We confirm yes, this is the IPv6 of the Web proxy 392 00:25:55,083 --> 00:25:58,083 of the discovery server. 393 00:25:58,459 --> 00:26:02,167 Then victim connects to the Web server requesting 394 00:26:02,167 --> 00:26:07,751 the pack file with the information about the proxy. 395 00:26:08,250 --> 00:26:12,751 We sent that information with the IPv6 and the port 396 00:26:12,751 --> 00:26:19,999 in which Evil FOCA is listening and the rest is just capturing the data. 397 00:26:19,999 --> 00:26:21,667 So bonus level. 398 00:26:23,542 --> 00:26:26,999 What happened with https connection? 399 00:26:27,334 --> 00:26:29,999 Well, there are several options. 400 00:26:29,999 --> 00:26:33,999 First one is to do an SSL strip. 401 00:26:33,999 --> 00:26:37,999 The idea is that we analyze all HTML pages and remove the S 402 00:26:37,999 --> 00:26:39,999 of the links. 403 00:26:40,167 --> 00:26:45,292 The second one is to use a fake certificate and try to cheat 404 00:26:45,292 --> 00:26:51,375 the user to click on, okay, I accept this certificate. 405 00:26:51,626 --> 00:26:55,501 And the third one is to do a bridging https. 406 00:26:55,501 --> 00:26:59,999 That means that FOCA is connecting to the server using https. 407 00:27:00,792 --> 00:27:04,999 And the client is connecting to Evil FOCA using http. 408 00:27:05,292 --> 00:27:10,999 And if FOCA is doing SSL strip and bridging https so far, 409 00:27:10,999 --> 00:27:17,125 we have a special feature that is to remove the https links 410 00:27:17,125 --> 00:27:22,083 in Google results and also the Redit. 411 00:27:23,083 --> 00:27:24,959 Here are the results. 412 00:27:24,959 --> 00:27:30,626 We have Google and as you see, we try to open Gmail we have 413 00:27:30,626 --> 00:27:32,999 an http link. 414 00:27:32,999 --> 00:27:42,209 If we search for Facebook, we have the Facebook -- Facebook in Spanish, 415 00:27:42,209 --> 00:27:44,542 you know? 416 00:27:44,999 --> 00:27:46,959 Facebook in Spanish. 417 00:27:46,999 --> 00:27:49,999 And the link is an http. 418 00:27:49,999 --> 00:27:55,375 We only need to click on it and then go to Evil FOCA. 419 00:27:55,709 --> 00:27:58,292 And open Wireshark. 420 00:27:59,501 --> 00:28:02,626 Here it is. 421 00:28:04,667 --> 00:28:09,999 Open Wireshark. 422 00:28:09,999 --> 00:28:11,083 Capture interface. 423 00:28:11,876 --> 00:28:20,626 Start and we got all traffic here and we only need to go here and test. 424 00:28:21,626 --> 00:28:22,999 Oh. 425 00:28:23,999 --> 00:28:25,751 Come on. 426 00:28:26,751 --> 00:28:28,999 This is still loading. 427 00:28:32,375 --> 00:28:39,083 Open -- what is my password? 428 00:28:42,584 --> 00:28:46,292 (Laughter.) CHEMA ALONSO: Evil FOCA. 429 00:28:46,292 --> 00:28:47,292 Where is the enter? 430 00:28:48,999 --> 00:28:50,292 No! 431 00:28:50,417 --> 00:28:51,792 I don't remember. 432 00:28:51,999 --> 00:29:01,999 (Laughter.) CHEMA ALONSO: And if we go to the other part and we search 433 00:29:01,999 --> 00:29:10,999 for http request meth-op, request equal post, we got ... 434 00:29:13,501 --> 00:29:16,250 user and password of Facebook. 435 00:29:16,501 --> 00:29:27,125 Oh, here it is. 436 00:29:27,125 --> 00:29:30,167 (Applause.) CHEMA ALONSO: Well, it is man in the middle attacking -- 437 00:29:30,167 --> 00:29:33,834 in IPv4 network using IPv6 in the Spanish way. 438 00:29:33,959 --> 00:29:35,417 And this was the demo. 439 00:29:36,375 --> 00:29:42,083 In this tool we also added other different attacks just in case. 440 00:29:42,083 --> 00:29:46,083 Like denial of services in IPv6. 441 00:29:46,876 --> 00:29:49,709 Man in the middle attacks in IPv4. 442 00:29:49,709 --> 00:29:51,709 Denial of service in IPv6. 443 00:29:51,709 --> 00:29:52,709 DNS hijacking. 444 00:29:52,709 --> 00:29:55,083 We are going to add also to inject Javascript 445 00:29:55,083 --> 00:29:58,209 to create Javascript bond net. 446 00:29:58,417 --> 00:30:00,250 Remember last year's talk. 447 00:30:00,334 --> 00:30:02,584 And that's the conclusion. 448 00:30:02,584 --> 00:30:04,125 IPv6 is in your network. 449 00:30:04,125 --> 00:30:05,584 Configure it or kill it. 450 00:30:05,584 --> 00:30:06,999 It is not easy to kill it. 451 00:30:06,999 --> 00:30:13,959 IPv6, if you have security tools for IPv4, probably they are not working for IPv6. 452 00:30:13,959 --> 00:30:18,584 And right now there are a lot of security tools using IPv6, 453 00:30:18,584 --> 00:30:23,542 like Topella, which is scanning using IPv6, slow Lotus 454 00:30:23,542 --> 00:30:26,459 is immigrate to IPv6. 455 00:30:26,459 --> 00:30:31,626 We got several vulnerabilities in IPv6 products and so on. 456 00:30:31,876 --> 00:30:35,667 And I would like to give big thanks to the people 457 00:30:35,667 --> 00:30:39,999 behind the hacker choice because they did a very, very, 458 00:30:39,999 --> 00:30:43,209 very good job with IPv6 tools. 459 00:30:43,209 --> 00:30:47,042 If you got backtrack or colleague, use it because they have a lot 460 00:30:47,042 --> 00:30:49,042 of good tools. 461 00:30:49,042 --> 00:30:52,999 And even Scapy, it's wonderful to test all solutions. 462 00:30:53,626 --> 00:30:56,999 The last word is for Strip Fighter. 463 00:30:56,999 --> 00:31:00,999 Who in the hell designed the Spanish fighter, half bullfighter, 464 00:31:00,999 --> 00:31:04,167 half wolverine with hockey mask. 465 00:31:04,167 --> 00:31:05,918 It doesn't make sense at all. 466 00:31:08,250 --> 00:31:09,999 See you next year.