sanskytech
Published on 13th of October 2024

IPv6 Attack With MITM6 & NTLMRELAYX

Paniz Heidari, Pentester
    Description

    Learn how IPv6 attacks are executed using MITM6 and NTLMRelayx to exploit vulnerabilities in Active Directory environments, enabling Man-in-the-Middle (MITM) attacks and credential relays for privilege escalation and network compromise.

    What is an IPv6 Attack with MITM6?

    In the rapidly evolving digital landscape, cybersecurity threats are growing more sophisticated, especially with the adoption of Internet Protocol version 6 (IPv6). One alarming threat is the IPv6 attack, which exploits vulnerabilities in the Neighbor Discovery Protocol (NDP) to execute man-in-the-middle (MITM) attacks. These attacks can severely compromise network security by allowing attackers to intercept and manipulate traffic.

    The MITM6 tool is designed to exploit these weaknesses by impersonating legitimate network services. By tricking systems into believing they are communicating with a trusted DNS server, attackers can gain access to sensitive information such as user credentials and session tokens.

    This blog will delve into the mechanics of an IPv6 attack using MITM6, outlining the attack steps and providing practical guidance on setting up the tool. We’ll also explore the NTLMRelayx tool, which can use captured credentials to deepen network compromise. Understanding these techniques will empower penetration testers and cybersecurity professionals to defend against such attacks and enhance their network security posture.

    Understanding the Normal IPv6 Network Flow: DHCP, DNS and Domain Controller Interaction

    When a system connects to the network by plugging in a cable, it initiates a DHCP discovery process. The DHCP server responds by assigning an IP address and providing necessary configuration details, such as DNS information. If the system is part of a domain, it needs to communicate with the Domain Controller (DC) to send its NTLMv2 hash for authentication.

    However, the system does not have the IP address of the DC. Instead, it first queries the DNS server to obtain the DC’s IP address. To do this, the system must find the MAC address of the DNS server using the Neighbor Discovery Protocol (NDP) in IPv6. The system broadcasts a request asking, "Who has this IP? Please send your MAC address."

    In a normal scenario, the DNS server responds with its MAC address, allowing the system to proceed. The system then asks the DNS server for the IP address of the DC. Once the DNS server provides this information, the system can successfully send its NTLMv2 hash to the DC for authentication.

    The processes are illustrated in the image below.

    Now that we have a fundamental understanding of IPv6 communication between DHCP, DNS, and the client, let's delve into IPv6 attacks and explore the underlying mechanisms that occur during these malicious activities.

    Understanding the Process of IPv6 Attacks with MITM6

    When we connect a cable to the system, the system initiates a DHCP discovery. In response, the DHCP server sends the IP address and other configuration details to the system. If the system is part of the domain, it will attempt to send the NTLMv2 hash to the Domain Controller (DC). However, it does not have the IP address of the DC; instead, it only has the IP address of the DNS server.

    To obtain the DC's IP, the system must query the DNS. This process encounters a challenge because, in order to ask anything from the DNS, the system needs the MAC address of the DNS server. Using the Neighbor Discovery Protocol (NDP) in IPv6, the system finds the MAC address of the DNS server and sends a request asking, "Who has this IP? Send your MAC."

    Here is where the attack begins: MITM6, a tool the attacker runs on the network, answers this request and claims to be the DNS server. When the system then asks for the IP address of the DC, MITM6 returns its own IP address instead.

    As a result, the NTLMv2 hash is captured by MITM6 and then passed to NTLMRelayx, another attacker tool. In this step, NTLMRelayx creates a user in the DC using the NTLMv2 hash it received. This sequence of events allows the attacker to gain unauthorized access to the network and escalate their privileges.

    Here is a concise overview of this attack:

    1. When a system connects to the network, it receives its configuration from the DHCP server, including DNS information.
    2. To communicate with the DNS server, the system needs the server's MAC address, which it requests using NDP.
    3. MITM6 intercepts this request and tricks the system into thinking it's the DNS server by providing its own MAC address.
    4. The system, which now mistakenly believes that the attacker running MITM6 is the DNS server, asks MITM6 for the Domain Controller's IP.
    5. MITM6 responds with its own information, allowing it to intercept network credentials (like NTLMv2 hashes).
    6. These credentials are relayed to NTLMRelayx, which can use them to create a user or perform other attacks on the Domain Controller.

    The step by step process is shown in the picture below.

    This process allows the attacker to hijack network communications, capture credentials, and escalate privileges within the domain. In the following section we will show how to perform this attack practically.
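    To make the difference between the normal flow and the spoofed one concrete from the defender's side, the following Python script is an added example (it is not from the original post, nor from the mitm6 or ntlmrelayx projects). It replays constructed neighbour-advertisement (NA) and DNS-advertisement records and flags the two signatures of the sequence described above: a second MAC answering for an IPv6 address that another host already claimed, and a client being handed a DNS server that is not on the allow-list. The log-line format, the addresses, the MACs and the allow-list are all assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed allow-list: the only host permitted to answer for the DNS
# server's IPv6 address. Addresses and MACs are invented for this example.
KNOWN_DNS = {"fd00:ab1::53": "00:11:22:33:44:53"}

# Constructed log lines in a simple "timestamp KIND key=value ..." shape.
# This is NOT the output format of any real sensor; a practitioner would
# replace parse_line() with a parser for their own NDP/DHCPv6 telemetry.
SAMPLE_LOG = """\
2024-10-13T10:00:01 NA src=00:11:22:33:44:53 target=fd00:ab1::53
2024-10-13T10:00:02 NA src=00:11:22:33:44:aa target=fd00:ab1::10
2024-10-13T10:00:05 NA src=de:ad:be:ef:00:01 target=fd00:ab1::53
2024-10-13T10:00:06 DNS_ADV src=de:ad:be:ef:00:01 dns=fd00:ab1::bad
2024-10-13T10:00:07 DNS_ADV src=00:11:22:33:44:01 dns=fd00:ab1::53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>NA|DNS_ADV)\s+src=(?P<src>[0-9a-f:]{17})\s+"
    r"(?:target|dns)=(?P<addr>[0-9a-f:]+)$"
)


def parse_line(line):
    """Return a dict with ts/kind/src/addr for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


class RogueAnswerDetector:
    """Tracks which MAC answers for which IPv6 address and raises alerts."""

    def __init__(self, known_dns):
        self.known_dns = {ip.lower(): mac.lower() for ip, mac in known_dns.items()}
        self.claims = defaultdict(set)  # ipv6 address -> MACs that answered for it
        self.alerts = []

    def observe(self, ev):
        kind, mac, addr = ev["kind"], ev["src"].lower(), ev["addr"].lower()
        if kind == "NA":
            # Legitimately one IPv6 address maps to one MAC. A second MAC answering
            # "Who has this IP?" for the same address is the spoofing signature.
            previous = self.claims[addr]
            if previous and mac not in previous:
                self.alerts.append(("NDP_CONFLICT", addr, sorted(previous | {mac})))
            self.claims[addr].add(mac)
            # Anyone other than the allow-listed host answering for the DNS
            # server's address is treated as a rogue DNS impersonation.
            expected = self.known_dns.get(addr)
            if expected and mac != expected:
                self.alerts.append(("ROGUE_DNS_MAC", addr, mac))
        elif kind == "DNS_ADV":
            # A client being told to use a DNS server that is not on the allow-list.
            if addr not in self.known_dns:
                self.alerts.append(("UNKNOWN_DNS_SERVER", addr, mac))


def run(log_text, known_dns=KNOWN_DNS):
    """Feed every parseable line to the detector and return the alert list."""
    det = RogueAnswerDetector(known_dns)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            det.observe(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

    On the constructed sample the script raises three alerts: the conflicting answer for the DNS server's address, the rogue MAC behind it, and the unknown DNS server advertised to the client. The allow-list check is what matters in practice: an NDP conflict alone can also be caused by a legitimately replaced NIC, so correlate it with the advertised-DNS check before treating it as an incident.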

    Setting Up mitm6 Tool

    The first step in performing the IPv6 attack is setting up a tool called mitm6. In this scenario the tool intercepts the NDP request and pretends to be the DNS server. To set it up, we use the following command:

    Bash (mitm6):
    sudo mitm6 -d penetrationlab.local

    Command Breakdown:

    1. sudo : This command is used to run mitm6 with elevated privileges, which is necessary for network packet manipulation.

    2. mitm6: The name of the tool we are executing.

    3. -d: This switch specifies the domain name. You must provide the domain name directly after this switch. In this example, we are using penetrationlab.local.

    By running this command, mitm6 will start intercepting NDP requests, allowing you to perform further analysis or attack scenarios in your penetration testing lab.

    Additionally, another essential tool called NTLMRelayx needs to be running to successfully execute the attack. The setup for this tool is explained in the following section.

    Setting Up NTLMRELAYX Tool

    The second tool, ntlmrelayx from the Impacket suite, is started with the following command:

    Bash (ntlmrelayx):
    impacket-ntlmrelayx -6 -t ldaps://192.168.1.116 -l dumpedinfo -wh fakewpad.penetrationlab.local

    Command Components:

    1. impacket-ntlmrelayx: This is the tool being executed. ntlmrelayx is a part of the Impacket suite, which is used for attacking and manipulating network protocols, specifically for NTLM relay attacks.

    2. -6: This flag specifies that the tool should use IPv6. It instructs ntlmrelayx to listen for incoming connections using IPv6 addresses.

    3. -t ldaps://192.168.1.116: The -t option defines the target address where the NTLM authentication request will be relayed. In this case, the target is an LDAP service running over SSL (LDAPS) at the IP address 192.168.1.116, which is also our DC.

    4. -l dumpedinfo: The -l option specifies where the information dumped from the target will be written. Here, the data will be saved in a directory named dumpedinfo.

    5. -wh fakewpad.penetrationlab.local: This option sets the WPAD hostname used in the NTLM relay attack. In this example, fakewpad.penetrationlab.local is the hostname served to clients so that they connect to the attacker’s machine.

    Attack Result

    When any system within the domain is rebooted, or when an administrator's credentials are entered during a user login attempt, NTLMRelayx creates a directory named dumpedinfo in the user's home directory. This directory stores crucial information about the domain, including a list of users organized by their respective groups, as well as details about the operating systems in use and the group policies applied within the domain.

    The data collected can provide insights into the domain's structure and security configuration, making it valuable for penetration testing and security assessments. An example of the type of report generated can be seen in the figure below.

    Additionally, NTLMRelayx can create a user account in the Domain Controller (DC). This newly created user can be leveraged in subsequent attacks, allowing attackers to explore the domain further and potentially escalate their privileges. In this scenario, the username and password of the created account are displayed in the figure below, showing how an attacker can establish a foothold within the domain and go on to compromise the network more effectively.

    In conclusion, understanding how IPv6 attacks like those carried out with MITM6 and NTLMRelayx work is crucial for strengthening network security. By exploiting vulnerabilities in the Neighbor Discovery Protocol, attackers can intercept sensitive data and gain unauthorized access to critical systems. Armed with this knowledge, cybersecurity professionals can better defend their networks by implementing proper security measures, such as disabling unnecessary IPv6 features and enforcing strong authentication mechanisms. Stay vigilant and continuously update your security practices to stay ahead of potential threats.