IPv6 Unveiled: Guarding Against DHCPv6 and WPAD Spoofing Cyber Threats
Demystifying IPv6
IPv6 (Internet Protocol version 6) is the successor to IPv4, designed to overcome its limitations, and it has been enabled by default on Windows since Windows Vista. A device can obtain its IPv6 address in one of three ways:
- Stateless address autoconfiguration (SLAAC)
- Stateful address autoconfiguration
- Manual configuration
By default, devices use SLAAC.
Stateless Address Autoconfiguration (SLAAC)
SLAAC lets a device configure its own IPv6 address without a DHCP server. It uses the Neighbor Discovery Protocol (NDP) to collect the required address details. In addition, the device can obtain the IPv6 DNS server address from a DHCPv6 server.
Neighbor Discovery Protocol (NDP)
NDP lets devices on a local network find each other, much like the ARP protocol. This makes communication between devices on the local network a breeze. NDP is used for stateless auto-configuration, letting devices get an IPv6 address without a DHCP server.
ICMPv6
ICMPv6 (Internet Control Message Protocol version 6) is a communication protocol used in IPv6 networks for error reporting, communication between network devices, and other network management tasks. NDP uses ICMPv6 packets, which include:
- Neighbor Solicitation (NS)
- Neighbor Advertisement (NA)
- Router Solicitation (RS)
- Router Advertisement (RA)
- Redirect
NS and NA Packets
NS packets help devices on a local network learn each other’s MAC addresses. An NS packet contains the MAC address of the sending device. In response, the receiving device sends its MAC address in an NA packet.
RS and RA Packets
RS packets help devices check for a router on the local network. If a router is present, it announces itself using RA packets, which contain network configuration info. This lets devices learn the network configuration for IPv6.
Note: Routers can send RA packets to devices without waiting for an RS packet.
Redirect Packets
Redirect packets help routers update a device’s routing info for the best path to a destination device.
Stateful Address Autoconfiguration
Stateful address autoconfiguration ensures devices use only the address info obtained from a DHCPv6 server, ignoring the configuration info in RA packets.
Manual Configuration
Manual configuration lets a user set a specific IPv6 address for a device.
DHCPv6 Spoofing Attack
In a DHCPv6 spoofing attack, the attacker sends a Router Advertisement (RA) packet to the network via multicast every minute. The attack proceeds as follows:
- The attacker sends an RA packet with the Managed (M) and Other configuration (O) flags set (M=1, O=1) to the victim, pretending to be a router. These flags tell the victim to contact a DHCPv6 server to obtain an IPv6 address and additional configuration info.
- The victim sends a DHCPv6 SOLICIT packet via multicast to find a DHCPv6 server.
- The attacker responds with a DHCPv6 ADVERTISE packet offering the victim an IPv6 address and a DNS server address; the DNS server address the attacker offers is the attacker’s own IPv6 address.
- The victim confirms the configuration by sending a DHCPv6 REQUEST packet to the DHCPv6 server (the attacker).
- Finally, the DHCPv6 server (the attacker) confirms the address info to the victim with a REPLY.
As a result, the victim now sends its DNS queries to the attacker. This whole process can be automated using a tool called “mitm6”.
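A defender can watch for the RA pattern described above on the wire. The following is an added example, not code from the article or from mitm6: it parses the ICMPv6 Router Advertisement header and options laid out in RFC 4861 and flags an RA that comes from a link-layer address not on an allow-list of known routers or that sets the M/O flags. The allow-list and both sample packets are constructed for the example.

```javascript
// Added example: parse an ICMPv6 Router Advertisement (RFC 4861) and report
// the signs of a rogue RA. Sample packets and the router allow-list are
// constructed; checksums are left as zero since we only inspect fields.
const ICMPV6_ROUTER_ADVERTISEMENT = 134;
const OPT_SOURCE_LINK_LAYER = 1;

function parseRouterAdvertisement(buf) {
  if (buf.length < 16 || buf[0] !== ICMPV6_ROUTER_ADVERTISEMENT) {
    throw new Error('not an ICMPv6 Router Advertisement');
  }
  const ra = {
    managed: (buf[5] & 0x80) !== 0, // M flag: get addresses from DHCPv6
    other: (buf[5] & 0x40) !== 0,   // O flag: get other config (DNS) from DHCPv6
    routerLifetime: buf.readUInt16BE(6),
    sourceMac: null,
    optionTypes: [],
  };
  // Options are TLVs whose length field counts 8-octet units.
  let off = 16;
  while (off + 2 <= buf.length) {
    const type = buf[off];
    const len = buf[off + 1] * 8;
    if (len === 0 || off + len > buf.length) throw new Error('malformed option');
    ra.optionTypes.push(type);
    if (type === OPT_SOURCE_LINK_LAYER && len >= 8) {
      ra.sourceMac = [...buf.subarray(off + 2, off + 8)]
        .map((b) => b.toString(16).padStart(2, '0')).join(':');
    }
    off += len;
  }
  return ra;
}

// Findings a monitor would raise for one RA, given the MACs of legitimate routers.
function assessRouterAdvertisement(buf, knownRouterMacs) {
  const ra = parseRouterAdvertisement(buf);
  const findings = [];
  if (!ra.sourceMac || !knownRouterMacs.includes(ra.sourceMac)) {
    findings.push(`RA from unexpected link-layer address ${ra.sourceMac}`);
  }
  if (ra.managed || ra.other) {
    findings.push(`RA sets M=${+ra.managed} O=${+ra.other}: hosts directed to DHCPv6`);
  }
  return findings;
}

// Constructed samples: header (type 134, hop limit 64, flags, lifetime 1800 s,
// reachable/retrans 0) followed by a source link-layer address option.
const KNOWN_ROUTERS = ['00:50:56:9a:00:01'];
const LEGIT_RA = Buffer.from('86000000' + '40000708' + '00000000' + '00000000' + '0101' + '0050569a0001', 'hex');
const ROGUE_RA = Buffer.from('86000000' + '40c00708' + '00000000' + '00000000' + '0101' + '020000000099', 'hex');
```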
What is WPAD?
Web Proxy Auto-Discovery Protocol (WPAD) lets computers and other devices automatically find web proxy configurations. This lets devices on a network automatically use a proxy server, so there’s no need for manual proxy settings. By default, the WPAD server’s address is found through DNS queries.
On Windows computers, the “Automatically detect settings” option in the proxy settings is turned on by default, and browsers use it to configure their proxy. If the client is joined to a domain, it requests the PAC file, which contains the proxy configuration, from the WPAD server at the URL “wpad.<domain_name>/wpad.dat”.
What is a Proxy Auto-Configuration (PAC) File?
A PAC file defines whether browser requests should be sent directly or via a proxy using JavaScript functions. The PAC file is also known as “wpad.dat” and is obtained through WPAD.
Example PAC File:
```javascript
// Example PAC file served from wpad.company.com
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, ".company.com"))
        return "DIRECT";
    else
        return "PROXY myproxy.company.com:8080";
}
```
In the example above, any request outside of *.company.com will use “myproxy.company.com” as the proxy.
WPAD Spoofing
After a DHCPv6 spoofing attack, the attacker controls the victim’s DNS queries. When the victim looks up the domain name that hosts the PAC file, the request reaches the attacker’s DNS server. The attacker can then tamper with the proxy configuration in the PAC file so that the victim’s HTTP requests are routed through the attacker’s own IP address. The attack works as follows:
- The victim requests the PAC file.
- The attacker sends the PAC file to the victim, who uses it to define the proxy address.
- Any HTTP request made by the victim is sent to the attacker (acting as a proxy) before reaching the server.
- The attacker replies with a 407 (Proxy Authentication Required) status code, telling the victim to authenticate with the authentication protocol the attacker specifies.
- The victim completes the NTLM authentication process, sending the NTLM response value to the attacker.
Due to the Single Sign-On (SSO) mechanism, the authentication process happens in the background, and the NTLM response value is sent to the attacker. The steps described above can be done using the “mitm6” and “ntlmrelayx” tools together.
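Because the PAC file is the pivot point of both the PAC section above and the WPAD spoofing steps, a defender can audit a fetched wpad.dat offline before trusting it. The following is an added example, not code from the article or from the tools it names: it compiles PAC source with only stub versions of the standard PAC helper functions in scope, evaluates sample URLs, and reports any PROXY host that is not on an allow-list of the organization’s proxies. The tampered PAC, the sample URLs and the allow-list are constructed for the example.

```javascript
// Added example: evaluate PAC source in isolation and flag unexpected proxies.
// Only these stub helpers are visible to the PAC code (no network, no globals).
function pacHelpers() {
  const escape = (s) => s.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return {
    dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
    isPlainHostName: (host) => !host.includes('.'),
    // Shell-style glob match, as in the real shExpMatch.
    shExpMatch: (str, pattern) =>
      new RegExp('^' + escape(pattern).replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
  };
}

// Compile the PAC text into a callable FindProxyForURL.
function loadPac(source) {
  const helpers = pacHelpers();
  const names = Object.keys(helpers);
  const factory = new Function(...names, `"use strict";\n${source}\nreturn FindProxyForURL;`);
  return factory(...names.map((n) => helpers[n]));
}

// Extract the host:port of every PROXY directive in a PAC result string.
function proxyHosts(result) {
  return result.split(';').map((s) => s.trim())
    .filter((s) => /^PROXY\s/i.test(s)).map((s) => s.split(/\s+/)[1]);
}

// Run each sample URL through the PAC and report proxies outside the allow-list.
function auditPac(source, urls, allowedProxies) {
  const findProxy = loadPac(source);
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    for (const proxy of proxyHosts(findProxy(url, host))) {
      if (!allowedProxies.includes(proxy)) findings.push({ url, proxy });
    }
  }
  return findings;
}

// The PAC from the article, and a constructed tampered one that sends every
// request (internal ones included) through an address the organization does not run.
const EXPECTED_PAC = `function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".company.com")) return "DIRECT";
  return "PROXY myproxy.company.com:8080";
}`;
const TAMPERED_PAC = `function FindProxyForURL(url, host) { return "PROXY 192.0.2.10:3128"; }`;
const SAMPLE_URLS = ['http://intranet.company.com/', 'https://example.net/'];
const ALLOWED_PROXIES = ['myproxy.company.com:8080'];
```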