Technology from Neohapsis drastically drops the time needed for a Man-in-the-Middle attack using IPv6

A group of researchers from Neohapsis Labs released a tool last weekend during DEF CON that drops the time needed for a Man-in-the-Middle attack using IPv6 (SLAAC Attack) from hours down to minutes or less.

SLAAC, or Stateless Address Auto Configuration, is required on all IPv6 stack implementations. It is a mechanism that allows a host to generate its own IPv6 addresses, even if routable addresses are assigned or pre-configured. This offers the host a unique, routable address on the network in the absence of DHCPv6. The concept of a SLAAC Attack was initially described in 2011, in RFC 6104, and was mostly found on wireless environments, but wired networks had issues too.

Not too long after RFC 6104 was drafted, InfoSec Institute researcher Alec Waters outlined how to carry out Man-in-the-Middle (MITM) attacks via the problems with SLAAC, which gained some attention in both the media and the security community. The problem was that Waters’ method didn’t work for some, or took several hours the first time through to set up an attack, in addition to various bits of configuration that caused some trouble for people attempting to mirror his work.

When it comes to scope, SLAAC Attacks work on Windows Vista and Windows 7, out of the box. However, Windows XP is exempt due to its lack of IPv6 support. Windows 8 wasn’t available at the time the SLAAC Attack became public, but researchers at Neohapsis Labs have worked out how to target Microsoft’s latest OS, and they have simplified the SLAAC Attack with a new tool called Sudden Six.

At DEF CON last week, after their presentation on the topic, Neohapsis Labs released the Sudden Six tool publicly. It automates the SLAAC Attack process initially described by Waters, and was primarily designed for pen testers.
The tool also requires less prep-work and configuration, and works faster than the previous method.

In an email to CSO, Scott Behrens, head of Neohapsis Labs, and one of the presenters at DEF CON, said that attackers could easily weaponize an attack on a system using SLAAC, giving them a high degree of visibility and control.

“They could pretend to be an IPv6 router on your network and see all your web traffic, including data being sent to and from your machine. Even more lethal, the attacker could modify web pages to launch client-side attacks, meaning they could create fake websites that look like the ones you are trying to access, but send all data you enter back to [them],” he explained.

“One caveat to note is the attacker needs to be conducting the attack from inside your network. Although, with the prevalence of social engineering attacks, and drive by malware, this circumstance is all too common.”

When Waters published his instructions, the advice at the time with regard to defense against SLAAC Attacks was to disable IPv6 “on all capable hosts if there’s no business reason to use it.”

The issue many took with this advice was that it didn’t address the problem, and then there’s the fact that IPv6 is a way of life for many enterprise operations. However, Waters’ research on SLAAC proved that organizations can’t ignore IPv6, as it exposed a layer of risk to the network each time a new host was deployed with the latest Microsoft OS.

“The most extreme way to mitigate the attack is to disable IPv6 on client machines,” Behrens said.

“Unfortunately, this would hinder IPv6 adoption. Instead, we would like to see more IPv6 networks being deployed, along with the defenses described in RFC 6105 and the Cisco First Hop Security Implementation Guide.
This includes using features such as RA Guard, which allows administrators to configure a trusted switch port that will accept IPv6 Router Advertisement packets, indicating the legitimate IPv6 router.”
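
The RA Guard idea described above, accepting Router Advertisements only from the known router, can also be applied passively as monitoring. The following is an added example, not code from the article, Neohapsis or Cisco: it parses Router Advertisement bodies as laid out in RFC 4861 and flags any that come from an unlisted router or announce an unexpected prefix. The function names, allowlists and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134                     # ICMPv6 Router Advertisement (RFC 4861)
OPT_SLLA, OPT_PREFIX = 1, 3       # source link-layer address, prefix information

def parse_ra(icmp: bytes):
    """Parse an ICMPv6 RA body; return None if it is not a well-formed RA."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE or icmp[1] != 0:
        return None
    ra = {"lifetime": struct.unpack_from("!H", icmp, 6)[0], "mac": None, "prefixes": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            return None
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            return None           # zero-length or truncated option: discard the RA
        body = icmp[off:off + opt_len]
        if opt_type == OPT_SLLA and opt_len == 8:
            ra["mac"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif opt_type == OPT_PREFIX and opt_len == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append(str(net))
        off += opt_len
    return ra

def check_ra(src, icmp, trusted_routers, expected_prefixes):
    """Return findings for one observed RA; an empty list means it looks legitimate."""
    ra = parse_ra(icmp)
    if ra is None:
        return ["malformed-ra"]
    findings = []
    trusted = {ipaddress.ip_address(r) for r in trusted_routers}
    if ipaddress.ip_address(src) not in trusted:
        findings.append(f"untrusted-source {src} mac={ra['mac']}")
    for prefix in ra["prefixes"]:
        if prefix not in expected_prefixes:
            findings.append(f"unexpected-prefix {prefix}")
    return findings

# Constructed sample RAs (documentation prefixes and MACs), not captured traffic.
_HDR = "86000000 4000 0708 00000000 00000000"
_PIO = "0304 40c0 00278d00 00093a80 00000000 "
GOOD_RA = bytes.fromhex(_HDR + "0101 00005e005301" + _PIO + "20010db8000100000000000000000000")
ROGUE_RA = bytes.fromhex(_HDR + "0101 00005e005399" + _PIO + "20010db80bad00000000000000000000")
BAD_OPT_RA = bytes.fromhex(_HDR + "0100")   # option with length 0

if __name__ == "__main__":
    print(check_ra("fe80::bad", ROGUE_RA, {"fe80::1"}, {"2001:db8:1::/64"}))
```

The MAC address in the finding is what an administrator would look up in the switch's forwarding table to locate the port that sent the advertisement.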