Question/Clarification #6
Hi, thanks for testing the new attack mode and sorry for the late reply. In my testing, I could not reproduce that hosts generate a new IPv6 address in response to the router advertisements. A router advertisement can have multiple options, such as the DNS option that is added in the stateless DNS takeover attack. Another option is the prefix option, in which an IPv6 prefix is specified so that hosts can auto-generate an IPv6 address for this prefix. However, are you sure that you are not referring to the link-local IPv6 address that is generated by Windows by default for each interface without
I want to say first and foremost that this is a clever alternate method for poisoning IPv6, and kudos for developing it.
I read through the information provided in your GitHub about the stateless DNS attack and also reviewed the RFC. Afterwards I did some initial testing myself to get familiar with how this works before using it on a real production environment. I'm looking for a bit of clarification specifically around:
"The stateless DNS takeover has the advantage that the DNS server configuration is actively pushed out via RA instead of pulled via DHCPv6 by the clients. Another advantage is that pretender does not need to assign IPv6 addresses (when hybrid mode is disabled) and thus leaves less of a footprint. Finally, the DNS server is immediately removed from the clients as soon as they receive the de-advertisement that is sent when pretender is stopped.".
During my initial testing, I would say that this statement is a bit misleading. You may not be provisioning IPv6 addresses directly from your tool, but you are triggering hosts to assign themselves IPv6 addressing through stateless auto-config. Have you tested this on a live production network? I'm curious and concerned about the impact on network devices that may support IPv6 stateless auto-config, and how this will impact them and the network as a whole.
Also, while it is true that the DNS server is removed, the IPv6 addresses that the devices assign to themselves do not disappear when that router de-advertisement is issued and still leave a residual footprint. In fact, it appears (at least in my test environment consisting of Windows 2016 and Windows 10 virtual machines) that hosts continue to renew their stateless auto-config assigned IPv6 addresses long after the tool has stopped.
Am I missing some parameters or configuration items in the tool to restrict this behavior?
Thanks,
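The disagreement in this thread comes down to which options a Router Advertisement carries: an RDNSS option (RFC 8106) only hands the host a DNS server, while a Prefix Information option (RFC 4861) with the A flag set is what makes the host configure a SLAAC address. The following added example (my own code, not pretender's, and not taken from the thread) builds RAs from constructed bytes, parses their options, reports which prefixes would trigger SLAAC and whether an RA is a DNS de-advertisement (RDNSS lifetime 0), and implements the RFC 4862 section 5.5.3(e) rule that explains why an already-configured SLAAC address cannot be withdrawn faster than two hours by an unauthenticated RA. The prefix 2001:db8:1::/64 and the DNS address fe80::1 are placeholders chosen for the example; pretender's actual RA contents are not shown on this page and are not assumed here.

```python
"""ICMPv6 Router Advertisement option inspection (added example, not pretender's code)."""
import struct
import ipaddress

ND_OPT_PREFIX_INFO = 3   # RFC 4861 4.6.2
ND_OPT_RDNSS = 25        # RFC 8106 5.1
TWO_HOURS = 7200         # RFC 4862 5.5.3(e) floor for shortening a valid lifetime


def build_ra(router_lifetime, options):
    """ICMPv6 type 134 header (checksum left 0, a real sender fills it) plus options."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    return hdr + b"".join(options)


def rdnss_option(servers, lifetime):
    """RDNSS: type, length (8-octet units), reserved, lifetime, one or more IPv6 addresses."""
    body = struct.pack("!HI", 0, lifetime) + b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return struct.pack("!BB", ND_OPT_RDNSS, (len(body) + 2) // 8) + body


def prefix_option(prefix, valid, preferred, on_link=True, autonomous=True):
    """Prefix Information: the A (autonomous) flag is what triggers SLAAC on the host."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    return struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                       valid, preferred, 0) + net.network_address.packed


def parse_ra(pkt):
    """Walk the option list; raise on malformed packets (RFC 4861 requires discarding them)."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", pkt[6:8])[0]
    ra = {"router_lifetime": router_lifetime, "prefixes": [], "dns": [], "dns_lifetime": None}
    off = 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("option overruns packet")
        body = pkt[off + 2:end]
        if otype == ND_OPT_PREFIX_INFO and olen == 4:
            plen, flags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "autonomous": bool(flags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == ND_OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            _, lifetime = struct.unpack("!HI", body[:6])
            addrs = body[6:]
            ra["dns"] = [str(ipaddress.IPv6Address(addrs[i:i + 16])) for i in range(0, len(addrs), 16)]
            ra["dns_lifetime"] = lifetime
        off = end
    return ra


def slaac_triggers(ra):
    """Prefixes a host would form an address from: A flag set and non-zero valid lifetime."""
    return [p["prefix"] for p in ra["prefixes"] if p["autonomous"] and p["valid"] > 0]


def is_dns_deadvertisement(ra):
    """An RDNSS option with lifetime 0 tells the host to drop those DNS servers."""
    return ra["dns_lifetime"] == 0


def new_valid_lifetime(remaining, received):
    """RFC 4862 5.5.3(e): an unauthenticated RA cannot cut a prefix's remaining valid
    lifetime below two hours, so a 'withdraw' PIO with lifetime 0 is only honoured
    once the address already has two hours or less left."""
    if received > TWO_HOURS or received > remaining:
        return received
    if remaining <= TWO_HOURS:
        return remaining
    return TWO_HOURS


if __name__ == "__main__":
    dns_only = build_ra(1800, [rdnss_option(["fe80::1"], 600)])
    with_pio = build_ra(1800, [prefix_option("2001:db8:1::/64", 86400, 14400),
                               rdnss_option(["fe80::1"], 600)])
    print("DNS-only RA triggers SLAAC for:", slaac_triggers(parse_ra(dns_only)))
    print("RA with PIO triggers SLAAC for:", slaac_triggers(parse_ra(with_pio)))
    print("lifetime after withdraw attempt on a fresh address:", new_valid_lifetime(86400, 0))
```

To see which of the two cases a given host is in, capture the RAs on the segment (for example with tcpdump's `icmp6 and ip6[40] == 134` filter) and feed the ICMPv6 payload to `parse_ra`; on the Windows side, `Get-NetIPAddress -AddressFamily IPv6` shows the `PrefixOrigin` of each address, and only entries marked `RouterAdvertisement` come from SLAAC, whereas the default link-local address mentioned in the reply is marked `WellKnown`. The `new_valid_lifetime` rule is also why residual SLAAC addresses linger after a tool stops: without a new RA for the prefix they simply age out over their original valid lifetime, and even an explicit zero-lifetime PIO cannot shorten that below two hours.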