If both IPv4 and IPv6 are turned on but you are only using IPv4, then who is doing DNS for IPv6? The simple answer is usually nobody.
Now we will set up an attacker machine that listens for IPv6 traffic and presents itself as the DNS server for it.
When we reboot a machine, that reboot triggers an event, and that event comes through to us. We can use that machine to log in to the Domain Controller; it does not have to be an admin or anything, and we can get a lot of information out of just that. We can potentially use that machine to create another machine.
We can also wait for somebody to log in to the network or use their credentials somewhere, and those will come to us in the form of NTLM, just like with Responder and SMB relay.
We relay this in what’s called LDAP relaying: we relay the NTLM credentials over to the Domain Controller via LDAP, and if the user is a domain administrator, we log in to the domain controller.
Guess what? It creates an account for us.
The tool we’re going to use is called Man in the Middle 6 (mitm6).
This is one of the most fun attacks: it is still very hard to detect, still very undetected, and still very prominent in networks.
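The attack above only works because a host on an IPv4-only network silently accepts an IPv6 DNS server from whoever answers first. The check below is an added example, not code from the original post: run on a domain-joined Windows host (locally or through Invoke-Command), it flags any IPv6 DNS server the host has picked up and any IPv6 address that came from DHCPv6, both of which should not exist in an IPv4-only network. The `$KnownIPv6Dns` list is an assumed parameter for environments that do run IPv6 DNS.

```powershell
# Added example (not from the original post): flag hosts that have picked up an
# IPv6 DNS server or a DHCPv6 lease on a network that should be IPv4-only.
# Assumption: run on a domain-joined Windows host with the NetTCPIP/DnsClient modules (built in).

function Get-UnexpectedIPv6Dns {
    param(
        # Assumed parameter: IPv6 DNS servers you legitimately operate.
        # Leave empty on an IPv4-only network so every IPv6 DNS server is flagged.
        [string[]]$KnownIPv6Dns = @()
    )

    $findings = @()
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv6) {
        foreach ($server in $iface.ServerAddresses) {
            if ($KnownIPv6Dns -notcontains $server) {
                $findings += [pscustomobject]@{
                    Computer  = $env:COMPUTERNAME
                    Interface = $iface.InterfaceAlias
                    DnsServer = $server
                    # A link-local (fe80::/10) DNS server means it was learned from
                    # an on-link host, which is what a rogue DHCPv6/RA sender looks like.
                    LinkLocal = ($server -like 'fe80:*')
                }
            }
        }
    }
    return $findings
}

# IPv6 addresses whose prefix was handed out by DHCPv6 rather than configured
# statically. An IPv4-only network should have none.
function Get-Dhcpv6Leases {
    Get-NetIPAddress -AddressFamily IPv6 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin
}

$rogue = Get-UnexpectedIPv6Dns
if ($rogue) {
    Write-Warning "Unexpected IPv6 DNS server(s) configured on $env:COMPUTERNAME:"
    $rogue | Format-Table -AutoSize
} else {
    Write-Host "No unexpected IPv6 DNS servers on $env:COMPUTERNAME"
}
Get-Dhcpv6Leases
```

Schedule this across workstations (or pull the same data from your endpoint agent) and alert on any non-empty result; a sudden appearance of a link-local IPv6 DNS server on several hosts at once is the most direct indicator that something is answering DHCPv6 on the segment.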
Setting Up LDAPS
For this attack we first have to install mitm6 and set up LDAPS.
To set up LDAPS, we have to add one feature, Active Directory Certificate Services, which gives the domain controller a certificate.
Go to Server Manager > Manage > Add Roles and Features > Next until Server Roles > check “Active Directory Certificate Services” and add the feature > Next until Confirmation > check “Restart the destination server automatically if required” and click Install.
After the installation completes, open the post-deployment configuration and click through the steps in the order shown in the screenshot.
Click Next, and in Role Services check Certification Authority.
Click Next until CA Name, and then in Validity Period change the years to 99.
Click Next until Results, and finally click Configure.
After completion, reboot your server.
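The same lab setup as PowerShell, run as an enterprise admin on the lab domain controller. This is an added example, not part of the original post; the CA common name `LAB-CA` is an assumed value, and the final port check is there so you can confirm LDAPS is actually answering after the reboot rather than assuming it.

```powershell
# Added example (not from the original post): install AD CS and configure an
# Enterprise Root CA, mirroring the Server Manager steps above.
# Assumption: run elevated as an Enterprise Admin on the domain controller.

# "Add Roles and Features" > Active Directory Certificate Services
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Post-deployment configuration: role service "Certification Authority",
# Enterprise Root CA, 99-year validity as the post specifies.
# -CACommonName 'LAB-CA' is an assumed lab name.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'LAB-CA' `
    -ValidityPeriod Years -ValidityPeriodUnits 99 `
    -Force

# Reboot so the DC enrolls its certificate and starts listening on LDAPS (636).
Restart-Computer -Force
```

After the server is back, verify from another domain member that `Test-NetConnection -ComputerName <domain controller> -Port 636` reports `TcpTestSucceeded : True`; if the port is closed the DC has not yet enrolled a certificate and the LDAPS part of the lab will not work.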
IPv6 DNS Takeover via mitm6
To start this attack, we need a few things.
First, we start mitm6.
Command: mitm6 -d <domain name>
We also have to set up a relay attack, so open another tab and run ntlmrelayx.py.
Command: ntlmrelayx.py -6 -t ldap://<domain controller IP> -wh fakewpad.marvel.local -l lootme
-l sets the loot directory, where the dumped data is written.
-wh enables serving a WPAD file and sets the host name advertised as the proxy (fakewpad.marvel.local here).
To speed this up, reboot the Windows 10 machine so that the event occurs; we then start getting results and the data is dumped into the loot directory. It will look something like this:
We can see all the dumped information, and when the user enters their password to log in to the Windows 10 machine, it lets us log in with the administrator's credentials.
It then sets up an access control list for us and creates a new user.
This is not the only thing we can do with this attack; we can do a lot more.
To learn more:
Combining NTLM Relays and Kerberos Delegation: https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
IPv6 Attack Defences
1. IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments. If you don’t use IPv6 internally, the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy. Disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to Block instead of Allow prevents the attack from working:
   - (Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-In)
   - (Inbound) Core Networking - Router Advertisement (ICMPv6-In)
   - (Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-Out)
2. If WPAD is not in use internally, disable it via Group Policy and by disabling the WinHttpAutoProxySvc service.
3. Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding.
4. Consider adding administrative users to the Protected Users group or marking them as “Account is sensitive and cannot be delegated”, which prevents any impersonation of that user via delegation.
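The four defences above, applied and verified on one host, as an added example that is not part of the original post. In production the firewall and WPAD settings are pushed by Group Policy; the local cmdlets here show exactly what that policy must set and give you an audit you can run afterwards. Assumptions: run elevated; the LDAP registry check is only meaningful on a domain controller; the delegation audit needs the ActiveDirectory RSAT module; the firewall rule display names are the predefined "Core Networking" names listed above.

```powershell
# Added example (not from the original post): apply the IPv6/WPAD hardening and
# audit LDAP signing, channel binding and admin delegation settings.
# Assumptions: elevated shell; steps 3 and 4 run on a DC with RSAT installed.

# 1. Block DHCPv6 and router advertisements so an on-link host cannot make
#    itself the IPv6 DNS server. Names are the predefined Core Networking rules.
$ipv6Rules = @(
    'Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-In)',
    'Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-Out)',
    'Core Networking - Router Advertisement (ICMPv6-In)'
)
foreach ($name in $ipv6Rules) {
    Set-NetFirewallRule -DisplayName $name -Action Block -Enabled True
}

# 2. Disable WPAD lookups. Start=4 means "Disabled"; the service is protected on
#    current Windows builds, so the registry value is set directly.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
    -Name Start -Value 4 -Type DWord

# 3. Audit LDAP signing and channel binding on a DC. The GPO settings
#    "LDAP server signing requirements = Require signing" and
#    "LDAP server channel binding token requirements = Always" both write 2.
function Test-LdapRelayHardening {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LdapSigningRequired    = ($p.LDAPServerIntegrity -eq 2)
        ChannelBindingEnforced = ($p.LdapEnforceChannelBinding -eq 2)
    }
}

# 4. Domain Admins that are neither in Protected Users nor marked
#    "Account is sensitive and cannot be delegated" can still be impersonated
#    via delegation; list them so they can be fixed.
function Get-DelegatableAdmins {
    Import-Module ActiveDirectory
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and ($protected -notcontains $_.DistinguishedName) } |
        Select-Object SamAccountName, DistinguishedName
}

# Verify what was applied.
Get-NetFirewallRule -DisplayName $ipv6Rules | Select-Object DisplayName, Enabled, Action
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' -Name Start
Test-LdapRelayHardening
Get-DelegatableAdmins
```

Run the firewall verification on a workstation after the GPO has applied; all three rules must show `Action : Block`. On the DC, both fields from `Test-LdapRelayHardening` must be `True` before a relay to LDAP or LDAPS is actually closed off, and any account returned by `Get-DelegatableAdmins` is one that item 4 has not yet been applied to.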