I suggest you try to understand the actual production implementation of the 
attack, not just the theory. 

You may want to take a look at the pcap files we posted. 

To review:

1. When a slaac attack is in place, the target systems still do respond to DHCP 
on IPv4 as normal. Because Windows systems prefer IPv6 routes over IPv4, any 
Windows system can be easily captured in this mitm attack. 

2. SEMs, and other devices that are only configured to look at IPv4, won't see 
this parasitic IPv6 overlay. 

3. If you place a rogue IPv4 DHCP server, you will have a bunch of DHCP 
conflicts as the two DHCP servers battle it out over clients, as well as a 
number of alerts on the client workstations and IP addressing errors. The slaac 
attack != planting another DHCP server on the network. 

4. Many secure DMZ and systems on the SIPRNET have defenses in place for ARP 
spoofing. Example: one of the major responses from the Heartland systems credit 
card breach was to implement ARP spoofing protections in PCI requirements. See: 
http://en.wikipedia.org/wiki/Albert_Gonzalez
  
5. The slaac attack works against systems protected against ARP spoofing.

In summary, this is the next generation of mitm attacks, when ARP spoofing is 
not available or is too detectable. 

We chose a bad title calling it a 0day, agreed. We should have just termed it 
an “implementation of known theoretical attack, etc.”
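The detection side of what the post describes, as an added example that is not from the post or the pcaps it refers to: a minimal Python parser that pulls the source and advertised prefixes out of a raw Router Advertisement frame and flags RAs from routers not on an allowlist, which is exactly the IPv6 traffic an IPv4-only SEM misses. The sample frame, MAC addresses and 2001:db8 prefix are constructed; the ICMPv6 checksum is left at zero and extension headers are not handled.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_RA = 134          # ICMPv6 Router Advertisement type
ETH_P_IPV6 = 0x86DD

def build_ra_frame(src_mac, src_ip, prefix, plen=64, router_lifetime=1800):
    """Constructed sample frame: unsolicited RA to ff02::1 (checksum left zero)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    # RA header: type, code, checksum, cur hop limit, flags (M=0 -> SLAAC only),
    # router lifetime, reachable time, retrans timer
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0x00, router_lifetime, 0, 0)
    # Prefix Information option (type 3): L and A flags set, valid/preferred lifetimes
    ra += struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    ra += IPv6Address(prefix).packed
    ra += bytes([1, 1]) + mac                    # Source Link-Layer Address option
    ip6 = struct.pack("!IHBB", 0x60000000, len(ra), 58, 255)   # next hdr 58, hop limit 255
    ip6 += IPv6Address(src_ip).packed + IPv6Address("ff02::1").packed
    return bytes.fromhex("333300000001") + mac + b"\x86\xdd" + ip6 + ra

def parse_router_advertisement(frame):
    """Return the RA fields of a raw Ethernet frame, or None if it is not an RA."""
    if len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[6] != 58:             # only ICMPv6 directly after the base header is handled
        return None
    icmp = frame[54:54 + struct.unpack("!H", ip6[4:6])[0]]
    if not icmp or icmp[0] != ICMPV6_RA:
        return None
    ra = {"src_mac": frame[6:12].hex(":"), "src_ip": str(IPv6Address(ip6[8:24])),
          "managed": bool(icmp[5] & 0x80),
          "router_lifetime": struct.unpack("!H", icmp[6:8])[0], "prefixes": []}
    off = 16                     # walk the TLV options after the 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            break
        if otype == 3 and olen == 32:
            ra["prefixes"].append(f"{IPv6Address(icmp[off + 16:off + 32])}/{icmp[off + 2]}")
        off += olen
    return ra

def classify_ra(ra, trusted_macs, expected_prefixes):
    """Reasons this RA is suspicious; with no trusted routers, every RA is one."""
    reasons = []
    if ra["src_mac"] not in trusted_macs:
        reasons.append(f"RA from untrusted {ra['src_mac']} ({ra['src_ip']})")
        if ra["router_lifetime"] > 0:
            reasons.append("untrusted host offers itself as default router")
    reasons += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in expected_prefixes]
    return reasons
```

On a segment where IPv6 is not deployed, run it with an empty allowlist so that any RA at all raises an alert; where IPv6 is in use, the allowlist is the legitimate routers' MACs and prefixes.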



_______________________________________________
Dailydave mailing list
https://lists.immunityinc.com/mailman/listinfo/dailydave
