After I posted about gohpts - IPv4/IPv6/TCP/UDP transparent proxy with ARP/NDP/RDNSS spoofing some of the tools (particularly ndpspoof) sparked some interest from community. But I realized that this tool itself is not user-friendly enough to use because it does not work out-of-the-box due to the lack of any system configuraton. So I added special -auto flag to do just that and now when your run CLI application it actually does something!
What it does is sets the following kernel parameters and network settings:
```bash
make interface accept all packets not just those addresses directly to it
ip link set dev <iface> promisc on
enable packet forwarding
sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv6.conf.all.forwarding=1
prevent conflicts with fake RA
sysctl -w net.ipv6.conf.all.accept_ra=0 sysctl -w net.ipv6.conf.all.accept_redirects=0
various optimizations
sysctl -w fs.file-max=100000 sysctl -w net.core.somaxconn=65535 sysctl -w net.core.netdev_max_backlog=65536 sysctl -w net.ipv4.tcp_fin_timeout=15 sysctl -w net.ipv4.tcp_tw_reuse=1 sysctl -w net.ipv4.tcp_max_tw_buckets=65536 sysctl -w net.ipv4.tcp_window_scaling=1
iptables setup to make host act as a router
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type redirect -j DROP ip6tables -A OUTPUT -p ipv6-icmp --icmpv6-type redirect -j DROP ip6tables -A FORWARD -i <iface> -j ACCEPT ip6tables -t nat -A POSTROUTING -o <iface> -j MASQUERADE ```
This guide Legless: IPv6 Security was very helpful in explaining what and why should be set for things to work.
With -auto flag enabled the tool by default spins a DNS server that forwards packets to real router (or Google DNS as fallback) but that can be disabled by specifying -rdnss option and -dns-servers with custom DNS.
Links:
[link] [comments]
from hacking: security in practice https://ift.tt/e3Pja6Z
Comments
Post a Comment