IPv6

IPv6 is a network protocol that serves as the successor to IPv4, developed to address the limitations of IPv4, such as address space and security. Since IPv6 is meant to replace IPv4 eventually, most computers are configured by default to prefer IPv6 over IPv4, a default intended to make the transition to an IPv6 world seamless.

An attacker can exploit IPv6 in a DHCP Active Directory environment because most organizations don't actively use IPv6. By advertising a computer as a DHCPv6 server, computers on the network that need an IP or an IP refresh will see that a DHCPv6 server is available and obtain an IP from it instead of the legitimate DHCPv4 server.

Furthermore, the attacker can advertise the computer as a DNSv6 server, so computers that were assigned an IPv6 address will also go to the attacker's computer for name resolution. The attacker can then route the computers in such a way that the attacker is effectively the Adversary-in-the-Middle.
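The rogue DHCPv6 advertisement described above is visible on the wire, so it can be audited from a capture of UDP/546 traffic. What follows is an added detection example, not code from the original page or from the mitm6 project: it decodes DHCPv6 ADVERTISE and REPLY payloads (4-byte message header and TLV options as laid out in RFC 8415, DNS server option 23 from RFC 3646) from a constructed sample capture and flags any server whose DUID is not on an allowlist or which hands out DNS servers other than the expected ones. The DUIDs, addresses and allowlists are constructed assumptions; on a network that runs no DHCPv6 at all, both allowlists are empty and every ADVERTISE is a finding.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415; DNS option from RFC 3646)
MSG_SOLICIT = 1
MSG_ADVERTISE = 2
MSG_REPLY = 7
OPT_CLIENTID = 1
OPT_SERVERID = 2
OPT_DNS_SERVERS = 23


def parse_options(data):
    """Split a DHCPv6 option block into (code, value) pairs; each header is a 16-bit code and 16-bit length."""
    options = []
    offset = 0
    while offset + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError("truncated DHCPv6 option %d" % code)
        options.append((code, data[offset:offset + length]))
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last option")
    return options


def parse_dhcpv6(payload):
    """Decode msg-type, transaction id, server DUID and advertised DNS servers from a UDP payload."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message shorter than 4-byte header")
    msg_type = payload[0]
    xid = payload[1:4].hex()
    server_duid = None
    dns_servers = []
    for code, value in parse_options(payload[4:]):
        if code == OPT_SERVERID:
            server_duid = value.hex()
        elif code == OPT_DNS_SERVERS:
            if len(value) % 16:
                raise ValueError("DNS server option length is not a multiple of 16")
            for i in range(0, len(value), 16):
                dns_servers.append(str(ipaddress.IPv6Address(value[i:i + 16])))
    return {"type": msg_type, "xid": xid, "server_duid": server_duid, "dns": dns_servers}


def build_message(msg_type, xid, server_duid, dns_servers):
    """Assemble a minimal ADVERTISE/REPLY so the constructed sample capture below can be built inline."""
    body = bytes([msg_type]) + xid
    body += struct.pack("!HH", OPT_SERVERID, len(server_duid)) + server_duid
    dns_blob = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    body += struct.pack("!HH", OPT_DNS_SERVERS, len(dns_blob)) + dns_blob
    return body


def audit_dhcpv6(messages, authorized_duids, expected_dns):
    """Flag server messages whose DUID is not authorized or whose DNS servers are unexpected.

    messages: iterable of (source_ipv6, udp_payload) as seen by clients on UDP/546.
    With no sanctioned DHCPv6 on the network, pass empty sets: every ADVERTISE is then a finding.
    """
    findings = []
    for src, payload in messages:
        msg = parse_dhcpv6(payload)
        if msg["type"] not in (MSG_ADVERTISE, MSG_REPLY):
            continue
        reasons = []
        if msg["server_duid"] not in authorized_duids:
            reasons.append("server DUID %s not in allowlist" % msg["server_duid"])
        unexpected = [d for d in msg["dns"] if d not in expected_dns]
        if unexpected:
            reasons.append("unexpected DNS server(s): %s" % ", ".join(unexpected))
        if reasons:
            findings.append({"src": src, "type": msg["type"], "xid": msg["xid"], "reasons": reasons})
    return findings


# Constructed sample capture (not real traffic): one sanctioned ADVERTISE and one rogue one
# whose DNS option points back at the advertising host itself.
LEGIT_DUID = bytes.fromhex("000100011c39cf32000c29abcdef")  # constructed DUID-LLT
ROGUE_DUID = bytes.fromhex("0003000100deadbeef01")          # constructed DUID-LL
SAMPLE_CAPTURE = [
    ("fe80::1", build_message(MSG_ADVERTISE, b"\x01\x02\x03", LEGIT_DUID, ["2001:db8::53"])),
    ("fe80::5", build_message(MSG_ADVERTISE, b"\x0a\x0b\x0c", ROGUE_DUID, ["fe80::5"])),
]
AUTHORIZED_DUIDS = {LEGIT_DUID.hex()}  # assumed allowlist of sanctioned DHCPv6 server DUIDs
EXPECTED_DNS = {"2001:db8::53"}        # assumed allowlist of sanctioned DNS servers


def run_sample():
    return audit_dhcpv6(SAMPLE_CAPTURE, AUTHORIZED_DUIDS, EXPECTED_DNS)


if __name__ == "__main__":
    for f in run_sample():
        print("ROGUE DHCPv6 from %s (xid %s): %s" % (f["src"], f["xid"], "; ".join(f["reasons"])))
```

The audit keys on the server DUID rather than the source address because the attacking host answers from a link-local address that changes with the interface; a DNS option that names a link-local address is itself a strong indicator, since sanctioned resolvers are normally reachable at global or ULA addresses.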

Exploit

Linux (Attacker)
mitm6 -i eth0 -d [domain]

As the tool's README says, mitm6 can be used to poison IPv6 and combined with impacket-ntlmrelayx from the impacket suite for SMB relaying.

mitm6 does not advertise itself as a gateway, so poisoned hosts will not attempt to communicate with IPv6 hosts outside their VLAN.
