Getting Started
apt update
apt install python3-virtualenv

Note on virtualenv usage:
- these containers let tools with conflicting dependencies be installed side by side without interfering with each other
- activate a virtualenv before using the tool installed in it and deactivate it when you are done
- with screen/tmux, each window can have its own virtualenv active, so several can be in use at the same time
mitm6
Overview: This tool advertises and responds to IPv6 solicitations on the local network segment. This can result in adjacent systems using the implant (node, host, Linux box, whatever) as their preferred DNS resolver, since IPv6 is preferred over IPv4 by default. The implant can then capture authentication material, and when combined with NTLMRelayx this can result in domain privilege escalation.
Tool located at https://github.com/dirkjanm/mitm6
Installation
cd /opt/
git clone https://github.com/dirkjanm/mitm6.git
cd mitm6
virtualenv -p python3 mitm-env
source mitm-env/bin/activate
python3 -m pip install -r requirements.txt
python3 setup.py install
deactivate
cd /opt/

Possible Blurb: As part of the internal penetration testing, the tester also attempted a series of IPv6 hijack attacks. The first stage of this attack required the attacker to run the following command, which was intended to respond to DHCPv6 queries and perform a router advertisement (RA).
mitm6 -d domain.tld
The next step in this attack is to answer the DNS requests from these systems with spoofed replies. The next screenshot demonstrated a short exchange between two servers and the attacker's system. The systems are requesting name resolution for various internal systems over IPv6. This allowed BHIS to spoof replies and trigger direct responses from those internal systems.
The third step in this attack is to relay the responses received by the attacker's system toward a system or service where they could be put to further use. This attack was staged several different ways throughout the internal penetration test and, as shown below, was intended to relay credential material toward the secure LDAP service listening on the domain controller at dc01. In the event of a successful relay, the attacker would then gain access to a newly delegated object in Active Directory.
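A defender-side check that follows from the overview and the first stage of the blurb above, added here as an example and not part of the original notes or of the mitm6 project: it scans a one-line-per-message summary of router advertisements and DHCPv6 server messages seen on a segment and flags any that come from a MAC not on an allow-list, or that hand out a DNS resolver that is not approved, which is the footprint the first stage leaves on the wire. The log format, the sample lines, the MAC allow-list and the resolver addresses are all assumptions constructed for this example.

```python
"""Detect mitm6-style rogue IPv6 configuration: DHCPv6 server messages or
router advertisements from an unknown MAC, or ones that hand out an
unapproved DNS resolver. Log format and sample data are constructed."""
import re

# Constructed summary format: timestamp, link-local source, MAC, message type, dns option.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<kind>RA|DHCPv6-ADVERTISE|DHCPv6-REPLY)\s+dns=(?P<dns>\S+)$"
)
# Constructed sample: 00:11:... is the real router, aa:bb:... is an unknown host.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fe80::1 00:11:22:33:44:55 RA dns=fd00::53
2024-05-01T10:00:02Z fe80::a1 aa:bb:cc:dd:ee:ff DHCPv6-ADVERTISE dns=fe80::a1
2024-05-01T10:00:03Z fe80::1 00:11:22:33:44:55 DHCPv6-REPLY dns=fd00::53
2024-05-01T10:00:04Z fe80::a1 aa:bb:cc:dd:ee:ff RA dns=fe80::a1
2024-05-01T10:00:05Z fe80::1 00:11:22:33:44:55 DHCPv6-REPLY dns=fd00::99
"""
APPROVED_MACS = {"00:11:22:33:44:55"}  # assumed: the only legitimate router/DHCPv6 server
APPROVED_DNS = {"fd00::53"}            # assumed: resolvers hosts are allowed to be given


def find_rogue_ipv6_config(log_text, approved_macs=APPROVED_MACS, approved_dns=APPROVED_DNS):
    """Return (ts, src, mac, reason) for every RA/DHCPv6 server message that
    did not come from an approved MAC or that offers an unapproved DNS server."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # client solicitations and unrelated traffic are not scored
        ev = m.groupdict()
        if ev["mac"] not in approved_macs:
            reason = f"{ev['kind']} from unapproved MAC"
        elif ev["dns"] not in approved_dns:
            reason = f"{ev['kind']} offers unapproved DNS {ev['dns']}"
        else:
            continue
        findings.append((ev["ts"], ev["src"], ev["mac"], reason))
    return findings


def suspect_hosts(log_text):
    """Distinct (link-local address, MAC) pairs to trace on the switch and review."""
    return sorted({(src, mac) for _, src, mac, _ in find_rogue_ipv6_config(log_text)})


if __name__ == "__main__":
    for ts, src, mac, reason in find_rogue_ipv6_config(SAMPLE_LOG):
        print(f"{ts} {src} ({mac}): {reason}")
```

On a segment where IPv6 is not deployed at all, the allow-lists can simply be empty, in which case every RA or DHCPv6 server message is a finding.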