Researchers release tool to pick up the SLAAC in Man-In-The-Middle attacks using IPv6

A group of researchers from Neohapsis Labs released a tool last weekend during DEF CON that drops the time needed for a Man-in-the-Middle attack using IPv6 (SLAAC Attack), from hours down to minutes or less.

SLAAC, or Stateless Address Auto Configuration, is required on all IPv6 stack implementations. It is a mechanism that allows a host to generate its own IPv6 addresses, even if routable addresses are assigned or pre-configured. This gives the host a unique, routable address on the network in the absence of DHCPv6. The concept of a SLAAC Attack was initially described in 2011, in RFC 6104, and was mostly observed in wireless environments, but wired networks had issues too.

Not too long after RFC 6104 was drafted, InfoSec Institute researcher Alec Waters outlined how to carry out Man-in-the-Middle (MITM) attacks via the problems with SLAAC, which gained some attention in both the media and the security community. The problem was that Waters' method didn't work for some, or took several hours to set up an attack the first time through, and various bits of configuration caused trouble for people attempting to reproduce his work.

When it comes to scope, SLAAC Attacks work on Windows Vista and Windows 7 out of the box. Windows XP, however, is not affected due to its lack of IPv6 support. Windows 8 wasn't available at the time the SLAAC Attack became public, but researchers at Neohapsis Labs have worked out how to target Microsoft's latest OS, and they have simplified the SLAAC Attack with a new tool called Sudden Six.

At DEF CON last week, after their presentation on the topic, Neohapsis Labs released the Sudden Six tool publicly. It automates the SLAAC Attack process initially described by Waters, and was primarily designed for pen testers. The tool also requires less prep-work and configuration, and works faster than the previous method.

In an email to CSO, Scott Behrens, head of Neohapsis Labs and one of the presenters at DEF CON, said that attackers could easily weaponize an attack on a system using SLAAC, giving them a high degree of visibility and control.

"They could pretend to be an IPv6 router on your network and see all your web traffic, including data being sent to and from your machine. Even more lethal, the attacker could modify web pages to launch client-side attacks, meaning they could create fake websites that look like the ones you are trying to access, but send all data you enter back to [them]," he explained.

"One caveat to note is the attacker needs to be conducting the attack from inside your network. Although, with the prevalence of social engineering attacks, and drive-by malware, this circumstance is all too common."

When Waters published his instructions, the advice at the time with regard to defending against SLAAC Attacks was to disable IPv6 "on all capable hosts if there's no business reason to use it."

The issue many took with this advice was that it didn't address the underlying problem, and IPv6 is a way of life for many enterprise operations. However, Waters' research on SLAAC proved that organizations can't ignore IPv6, as it exposed a layer of risk to the network each time a new host was deployed with the latest Microsoft OS.

"The most extreme way to mitigate the attack is to disable IPv6 on client machines," Behrens said.

"Unfortunately, this would hinder IPv6 adoption. Instead, we would like to see more IPv6 networks being deployed, along with the defenses described in RFC 6105 and the Cisco First Hop Security Implementation Guide. This includes using features such as RA Guard, which allows administrators to configure a trusted switch port that will accept IPv6 Router Advertisement packets, indicating the legitimate IPv6 router."
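The RA Guard idea Behrens describes, accepting Router Advertisements only from a known legitimate router, can also be applied in software to captured traffic. The following is an added example, not code from the article or from Neohapsis: it parses the ICMPv6 Router Advertisement format (RFC 4861), pulls out the prefixes a host would use for SLAAC, and flags advertisements whose source is not on a trusted-router allowlist or that announce a prefix the network does not use. The trusted addresses, expected prefix and sample packets are constructed values.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option

# Assumed policy (constructed): link-local addresses of the legitimate
# routers and the prefix they are expected to advertise for SLAAC.
TRUSTED_ROUTERS = {IPv6Address("fe80::1")}
EXPECTED_PREFIXES = {IPv6Network("2001:db8:1::/64")}

def parse_ra(src, icmp):
    """Return (router, [(prefix, autonomous_flag), ...]) or None if not an RA."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE or icmp[1] != 0:
        return None
    prefixes, off = [], 16          # options start after the 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:               # RFC 4861: zero-length option, discard packet
            return None
        body = icmp[off:off + olen * 8]
        if otype == OPT_PREFIX_INFO and len(body) == 32:
            plen, flags = body[2], body[3]
            net = IPv6Network((bytes(body[16:32]), plen), strict=False)
            prefixes.append((net, bool(flags & 0x40)))  # A bit: usable for SLAAC
        off += olen * 8
    return IPv6Address(src), prefixes

def classify_ra(src, icmp):
    """RA-Guard-style verdict for one ICMPv6 payload seen from IPv6 source src."""
    parsed = parse_ra(src, icmp)
    if parsed is None:
        return "not-ra"
    router, prefixes = parsed
    if router not in TRUSTED_ROUTERS:
        return "rogue-router"
    for net, autonomous in prefixes:
        if autonomous and net not in EXPECTED_PREFIXES:
            return "unexpected-prefix"
    return "ok"

def build_ra(prefix, autonomous=True):
    """Constructed sample input: a minimal RA carrying one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    flags = 0xC0 if autonomous else 0x80  # L bit always, A bit when autonomous
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix.prefixlen, flags,
                      2592000, 604800, 0)
    return hdr + opt + prefix.network_address.packed

if __name__ == "__main__":
    print(classify_ra("fe80::1", build_ra(IPv6Network("2001:db8:1::/64"))))      # ok
    print(classify_ra("fe80::bad", build_ra(IPv6Network("2001:db8:1::/64"))))    # rogue-router
```

In practice the source address and ICMPv6 payload come from a packet capture on the segment; the checksum is left at zero here because the sample is never transmitted.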

Stories by Steve Ragan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts