IPv6: we have all seen it and have been forced through subnetting it (network engineers, I'm looking at you), but many organizations just don't utilize it. While we stare at the monotonous output of ipconfig, IPv6 sits in the cold corner dreaming of days with higher adoption rates. Have no fear: we pentesters and red teamers alike are more than happy to bring you to the dark side of IPv6 DNS hijacking.
A little tool named mitm6, developed by Fox-IT, works with our tried-and-true Responder, ntlmrelayx, smbserver, and snarf, to name a few. The attack works because systems prioritize available IPv6 network connections, which allows exploitation of the default configuration of Windows to take over the default DNS server. mitm6 replies to DHCPv6 messages, providing victims with a local IPv6 address and setting the attacker as the default DNS server.
When researching this topic, you will notice that the information has been in circulation for years. However, IT and security teams have not acted on it, as we see over and over in the pentests we perform! At Intrinium, and within our pentests, we believe a practical defense requires a holistic approach that takes into account both users and security policies to proactively monitor and defend.
The game plan:
Below you will find a list of useful tools that work hand in hand with mitm6; they allow mitm6 to relay the DNS-hijacked hosts to whichever tool meets your needs. For demonstration purposes I will be using Impacket’s smbserver.py, which will create a fake share named “tools” under the path “<attacker ip>/examples” on my attacking host. mitm6 will relay my vulnerable host’s SMB request to this share, allowing it to authenticate, and grab its hash. For simplicity’s sake, I disable SMB signing while enabling the use of SMBv1.
- Download and Installation: https://github.com/fox-it/mitm6
- Ntlmrelayx can be used to relay credentials to systems that do not have SMB signing enforced. Ntlmrelayx also stands up an HTTP and SMB server. Any systems that attempt to access the SMB service running on your system (likely to happen as a result of mitm6) are going to authenticate to ntlmrelayx, which will then relay this authentication attempt to a target of your choice.
- Download and installation: https://github.com/SecureAuthCorp/impacket
*Please note that unless the relay is successful you will not have a log of the intercepted hash. There is a fork of ntlmrelayx that has a logging feature included.
- Download and Installation: https://github.com/Samwong156/impacket-ntlmv1-2-Logging
- Responder is a tool developed by SpiderLabs to monitor the local network for NetBIOS Name Service (NBNS) and Link-Local Multicast Name Resolution (LLMNR) requests. Upon detecting this traffic, it sends spoofed replies to trick the system into communicating with the system running Responder.
In addition to this, it also comes with a list of services that it can impersonate, such as Microsoft SQL (MSSQL), HTTP, LDAP, SMB, etc. So, any time someone tries to connect to these services on your system, they are essentially going to be interacting with Responder.
Using mitm6 + Responder, you are essentially spoofing all (or specific) DNS requests, which will result in those systems landing in the hands of Responder. You can run Responder alongside mitm6 with the default options as you usually would, such as “Responder -I eth1”.
- Download and Installation: https://github.com/SpiderLabs/Responder
- The Python script takes care of all the configuration for you, binds to port 445, and accepts any authentication. It will even print out the hashed challenge responses for any system that connects to it.
- Download and installation: https://github.com/SecureAuthCorp/impacket
- Snarf, written by Joshua Stone and Victor Mata, is an SMB relay tool that leaves an SMB relay session open for further use, as opposed to simply running a command and destroying the relay session. When combined with mitm6, this tool can be extremely powerful. The ability to continue using a relayed session without requiring re-authentication from the client gives you a lot of options.
- Download and Installation: https://github.com/purpleteam/snarf
Phases of the Attack:
Step 1: Launching mitm6
When launching mitm6, replace eth0 with whichever interface you are using. Be warned: this will initiate a DNS takeover for approximately 300 seconds (5 minutes), potentially disrupting people’s access to services.
Run “mitm6 -i eth0” to launch mitm6 in unfiltered mode. If you are working within a live environment, you can add the -d flag to filter on the domain name, i.e. “mitm6 -i eth0 -d test.local”. This way you are not catching everything and the kitchen sink.
After the attack is completed, a new DNS server with our IPv6 address will appear on the attacked workstation.
Step 2: Intercept with program of choice
In this case I went for simplicity and utilized Impacket’s smbserver.py. Mitm6 redirected the user to my attacking lab machine’s SMB share and logged the hash.
Had we used other tools such as ntlmrelayx instead, we could have gained an administrative shell on this machine or, if lucky enough, relayed the authentication directly to Active Directory for user creation or a hash dump. In this instance, however, it leaves us time to churn away and crack this hash, gaining access to the user’s credentials.
How to Protect yourself:
While SMB relay attacks can be thwarted simply by enabling SMB signing and by exercising user security policies that limit the use of local admin, IPv6 DNS attacks are a bit trickier.
You “can” disable or block IPv6 or DHCPv6 in your environment; however, this can have unforeseen consequences for your services, or simply be impracticable if IPv6 is in use. Enforcing strong password policies, disabling AD account delegation, and rogue device detection will go a long way toward a strong defense. Below are a few methods that can aid in proactively mitigating the exposure:
- Fox-IT created signatures for Snort and Suricata that detect rogue DHCPv6 traffic and WPAD injection: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6
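To illustrate the rogue DHCPv6 detection idea, here is an added example (not from the original post and not Fox-IT's signatures) that parses server-to-client DHCPv6 payloads and flags replies from servers, or offering DNS servers, outside an allowlist. The allowlisted addresses, the function names, and the assumption that a sensor hands over the UDP payload and source address of traffic sent to client port 546 are all hypothetical.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7   # DHCPv6 server-to-client message types (RFC 8415)
OPT_DNS_SERVERS = 23      # OPTION_DNS_SERVERS (RFC 3646)

# Assumed allowlists for this example; replace with your real DHCPv6/DNS servers.
ALLOWED_DHCP6 = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_DNS = {ipaddress.IPv6Address("2001:db8::53")}

def parse_options(payload):
    """Return (msg_type, {option_code: [data, ...]}) for a DHCPv6 UDP payload."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    options, pos = {}, 4  # byte 0 is the type, bytes 1-3 the transaction id
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("option overruns packet")
        options.setdefault(code, []).append(payload[pos:pos + length])
        pos += length
    return payload[0], options

def check_packet(src, payload):
    """Return a list of (reason, address) findings for one captured packet."""
    try:
        msg_type, options = parse_options(payload)
    except ValueError as exc:
        return [("malformed DHCPv6: %s" % exc, src)]
    if msg_type not in (ADVERTISE, REPLY):
        return []  # client-originated messages are not server impersonation
    findings = []
    if ipaddress.IPv6Address(src) not in ALLOWED_DHCP6:
        findings.append(("unauthorized DHCPv6 server", src))
    for data in options.get(OPT_DNS_SERVERS, []):
        for i in range(0, len(data) - len(data) % 16, 16):
            dns = ipaddress.IPv6Address(data[i:i + 16])
            if dns not in ALLOWED_DNS:
                findings.append(("unapproved DNS server offered", str(dns)))
    return findings

def sample(msg_type, dns):  # constructed DHCPv6 payload with one DNS-servers option
    data = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return bytes([msg_type, 0, 0, 1]) + struct.pack("!HH", OPT_DNS_SERVERS, len(data)) + data

print(check_packet("fe80::dead:beef", sample(REPLY, ["fe80::dead:beef"])))
```

On a network where no DHCPv6 server is deployed at all, leave ALLOWED_DHCP6 empty so that any ADVERTISE or REPLY raises a finding.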
With IPv6 being a default Windows feature on modern hosts, it is easy to see how an unsuspecting organization may fall prey to its exploitation. Gaining access to hashes would allow an attacker to target Active Directory, gain access to systems, or perhaps simply crack the hash offline for further pivoting into the network. It is therefore important to emphasize a holistic pentesting and security approach that limits the privileges of users, increases the complexity and length of passwords, improves network security and monitoring, and, most importantly, brings awareness to security teams.