IPv6 Attack In Action
DNS Takeover
Now that we have learned how the IPv6 attack works, let's see it in action.
Tools
MITM6
NTLMrelayx
Starting MITM6 server
mitm6 -d example-domain.loc
Where:
mitm6
: is the tool name.
-d
: is used to specify the target domain name, here example-domain.loc.
The above command makes mitm6 listen on the network for DHCPv6 traffic (it also sends Router Advertisements that prompt Windows clients to ask for configuration over DHCPv6). It answers clients' DHCPv6 requests with an IPv6 address and with itself as the DNS server, and from then on it replies to DNS queries for names in example-domain.loc with its own address, so lookups such as the WPAD name end up at the attacker. mitm6 does not actually route any traffic. Besides this, we must start the ntlmrelayx server at the same time as mitm6, using the command shown in the next section.
Other Syntax
Where:
-i eth0
: is used to specify the network interface to listen on, in that case eth0 (mitm6 autodetects the interface when this is omitted).
-hw
: is used to specify a whitelisted host. With this option mitm6 only answers requests coming from the mentioned host(s), which keeps the attack targeted and avoids disrupting IPv6 configuration on every machine in the subnet.
Starting NTLMrelayx Server
ntlmrelayx.py -6 -t ldaps://192.168.100.1 -wh fakewpad.example-domain.loc -l loot
Where:
-6
: makes ntlmrelayx listen on IPv6 as well as IPv4. This is needed here because the victims reach the attacker over the IPv6 address that mitm6 handed out.
-t ldaps://192.168.100.1
: specifies the target server the captured authentication is relayed to. In this case the target 192.168.100.1 is the domain controller, and the LDAPS protocol (LDAP over SSL/TLS) is used.
-wh fakewpad.example-domain.loc
: enables serving a WPAD (Web Proxy Auto-Discovery) file that names this host as the proxy. Since mitm6 resolves that name to the attacker, clients send their proxied web requests, and with them their NTLM proxy authentication, to us.
-l loot
: specifies the directory where the loot (data collected from the target, for example the LDAP domain dump) will be stored. In this case the loot directory is used.
Other Syntax
Where:
--delegate-access
: abuses resource-based constrained delegation. When a computer account is relayed to LDAPS, ntlmrelayx creates a new computer account under the attacker's control and adds it to the relayed computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The attacker can then impersonate any domain user, including administrators, on that computer. This requires LDAPS rather than LDAP, because Active Directory only accepts setting the new account's password over an encrypted connection.
--no-smb-server
: disables the built-in SMB server of ntlmrelayx.py. In other words, the tool will not listen for SMB connections, which is useful when only the HTTP/WPAD path is needed or when another tool already listens on port 445.
-wh
: specifies the host name to advertise as proxy in the served WPAD file. In this case that is fakewpad.example-domain.loc; together with mitm6 spoofing the name, this tricks clients into sending their proxy configuration requests and proxy authentication to the attacker.
Both commands show variations of ntlmrelayx.py for NTLM relay attacks over IPv6: the first relays to LDAPS, serves WPAD and stores loot, while the second adds delegation access and disables the SMB server.
With both mitm6 and ntlmrelayx running at the same time, you are ready to intercept the requests coming from the target systems. Now it's just a matter of time: Windows clients ask for DHCPv6 configuration on boot and periodically afterwards, so as soon as a target accepts the spoofed replies and fetches the WPAD file, its authentication gets relayed.
One thing worth mentioning is that the -t option of ntlmrelayx accepts several protocols. Which one to choose depends on the system we are attacking and what kind of services it runs. The following are the commonly used ones in NTLM relay attacks:
smb://
: relays to SMB, for example to dump hashes from or execute commands on a host that does not require SMB signing. A target given without a scheme is treated as SMB.
ldap://
: relays to unencrypted LDAP. This only works when the domain controller does not enforce LDAP signing.
ldaps://
: relays to LDAP over SSL/TLS. It only works when LDAP channel binding is not enforced, and it is required for operations that set a password, such as creating the computer account used by --delegate-access.
http:// or https://
: relay to HTTP or HTTPS services.
rpc://
: relays to Remote Procedure Call (RPC) endpoints.
It's important to note that no extra certificates or configuration are needed on the attacker side to relay to LDAPS or HTTPS: ntlmrelayx simply connects to the service as a TLS client. What decides success is the target's configuration: SMB signing required, LDAP signing enforced, or LDAP channel binding enforced each stop the relay for that protocol. Relaying to SMB, usually called SMB relay, is the same NTLM relay technique with a different target, as we discussed previously. It also uses the ntlmrelayx tool, just with different parameters.