Unit4sec
mitm6 attacks
mitm6
In this article, I aimed to explain practically how a man-in-the-middle attack can be executed using IPv6 within an Active Directory environment.
Before conducting the attack, there are certain aspects that need to be understood for the successful execution of the mitm6 attack. These include:
IPv6
Internet Protocol version 6 (IPv6) was developed by the IETF (Internet Engineering Task Force) because IPv4, with its 32-bit address space, had started to run out of addresses.
With the emergence of IoT (Internet of Things) it became evident that IPv4 would be insufficient, so IPv6, with 128-bit addresses, was developed. I won't delve into the specifics of IPv6 here, since there are already plenty of articles on the topic. The main point is that although IPv4 is still actively used worldwide, the security hardening of IPv6 has been overlooked. IPv6 has been enabled by default in Windows operating systems since Vista. In this article I walk through the mitm6 attack, which exploits exactly this overlooked IPv6 hardening.
DHCP
The Dynamic Host Configuration Protocol (DHCP) is a service used to assign IP addresses and additional parameters to computers in a system. Simply put, DHCP's primary function is to prevent system administrators from manually entering the same or similar parameters for each machine individually, saving time and simplifying the job of the system administrator.
In simple terms, the system that automatically assigns IP addresses to devices connected to a network is called DHCP. I won't delve into the details of the DHCP protocol as it's not the focus of this article.
LDAP
The Lightweight Directory Access Protocol (LDAP) is an application layer protocol used for querying and modifying directory services running over TCP/IP. The LDAP protocol is message-oriented: a client generates an LDAP message containing a request and sends it to the server, the server processes the request and responds to the client with one or more LDAP messages. LDAP was designed to establish a fast, scalable and manageable network infrastructure that gives all users rapid and continuous access to information. On networks with many computers, an automatic IP assignment system using LDAP records is employed to configure IP (Internet Protocol) address settings automatically.
WPAD
Web Proxy Auto-Discovery (WPAD) is a protocol that enables automatic proxy detection in Windows operating systems. It was introduced by Microsoft in 1999. Simply put, its functionality revolves around this principle: immediately after connecting to a network on Windows operating systems, it attempts to locate a proxy server within the network. It is active by default in Windows operating systems.
NTLM Relaying
In an NTLM relay attack, the attacker, acting as a man in the middle (for example after LLMNR poisoning), forwards the victim's NTLM authentication to a server or computer of the attacker's choosing and thereby connects to it with the victim's identity. Illustrating this attack helps in understanding its mechanics.
mitm6 attack
The topics and protocols mentioned above have been covered extensively in numerous articles, so to avoid redundancy I only included excerpts that highlight the specific points that matter here. The aim is to understand the mitm6 attack comprehensively, without leaving any lingering questions.
How?
When a Windows computer boots, it starts searching for a DHCPv6 server on the network to acquire an IPv6 address. Once it has an address and is connected to the network, it looks for a proxy server using WPAD (Web Proxy Auto-Discovery). At this stage we, as attackers, answer the computer's DNS queries and present ourselves as the proxy server. When that succeeds, the computer treats the server under our control as its designated proxy and connects to it. Consequently, the computer sends us its NTLM authentication (the challenge-response commonly referred to as the "NTLM hash") for the proxy. Relaying this authentication lets us perform an NTLM relay attack and execute LDAP operations on the domain controller with the privileges of the user whose authentication we intercepted.
1. The attacker sets up a fake DHCPv6 server to conduct a man-in-the-middle attack over IPv6, and the victim acquires an IP address from this rogue DHCPv6 server.
2. The victim sends DNS requests to find a proxy server using the WPAD protocol. The attacker answers these DNS requests, claiming to be the proxy server, so when the victim's computer connects to the "proxy" it has to authenticate. It is important to note that once an address has been acquired via IPv6, DNS requests go primarily to the IPv6 DNS servers, which take precedence over the IPv4 DNS servers. In effect we perform a DNS takeover, because the DNS requests come to us.
3. The victim's hashed (NTLM) authentication is captured and relayed to the DC (Domain Controller) over the LDAPS protocol.
4. What happens next depends on the victim's user rights. If the victim is a highly privileged user our task becomes easier, but this is less likely: the number of users in the "Domain Admins" group on a network is typically limited, around 3 to 5 users, and the likelihood of one of them logging in and becoming our victim is low. If the victim has standard user privileges, the actions available to us include extracting the schema of the Active Directory system and adding a computer to Active Directory.
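As an added example from the defender's side (not code from the original article or from the mitm6 tool), a small Python parser for DHCPv6 server messages that reports any resolver pushed via OPTION_DNS_SERVERS that is not on an allow-list; the allow-list and the sample ADVERTISE packet are constructed assumptions.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7                      # DHCPv6 message types (RFC 8415)
OPTION_SERVERID, OPTION_DNS_SERVERS = 2, 23  # option codes (RFC 8415)


def parse_dhcpv6(payload):
    """Split a DHCPv6 UDP payload into (msg_type, {option_code: [data, ...]})."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type, options, pos = payload[0], {}, 4  # 1-byte type + 3-byte transaction id
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("option %d runs past end of packet" % code)
        options.setdefault(code, []).append(data)
        pos += 4 + length
    return msg_type, options


def advertised_dns_servers(options):
    """Resolvers pushed in OPTION_DNS_SERVERS (a list of 16-byte IPv6 addresses)."""
    servers = []
    for data in options.get(OPTION_DNS_SERVERS, []):
        if len(data) % 16:
            raise ValueError("DNS server option length is not a multiple of 16")
        servers += [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]
    return servers


def rogue_dns_servers(payload, allowed):
    """Resolvers an ADVERTISE/REPLY pushes that are not on the allow-list.
    Any hit on a segment that should not run DHCPv6 at all points to a rogue server."""
    msg_type, options = parse_dhcpv6(payload)
    if msg_type not in (ADVERTISE, REPLY):
        return []  # client-side messages (SOLICIT, REQUEST, ...) carry no resolvers
    allow = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(s) for s in advertised_dns_servers(options) if s not in allow]


# Constructed sample: an ADVERTISE whose only resolver is a link-local address.
SAMPLE_ADVERTISE = (bytes([ADVERTISE, 0x12, 0x34, 0x56])
                    + struct.pack("!HH", OPTION_SERVERID, 4) + b"\x00\x03\x00\x01"
                    + struct.pack("!HH", OPTION_DNS_SERVERS, 16)
                    + ipaddress.IPv6Address("fe80::1").packed)

if __name__ == "__main__":
    print(rogue_dns_servers(SAMPLE_ADVERTISE, ["2001:db8::53"]))  # ['fe80::1']
```

Feed it the UDP payloads of server-to-client DHCPv6 traffic (UDP 547 to 546) captured on a segment; on a network that runs no DHCPv6 server at all, any ADVERTISE seen is itself the alert.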
Attack simulation:
Tools used:
Let's start listening to the network with ntlmrelayx and mitm6 scripts.
Commands that the ntlmrelayx.py script can send via LDAP
Groups the user "corki" belongs to: before and after the attack
User added in the attack
2. What can be done when a user in the standard user group logs in: what is possible in this case and how to escalate privileges with the added computer are not explained here, as they are not the subject of this article.
Adding a computer to the Active Directory system when the user "ashe", who is in the standard user group, logs in.
Improvement suggestions
1. Do not use IPv6 on end-user computers. (Doing this on servers may cause problems; it is not recommended on servers.)
2. If there is an internal proxy server on your network, it may be better to configure all servers and computers to use it explicitly rather than relying on automatic detection via WPAD.
References:
https://tr.wikipedia.org/wiki/IPv6
https://tr.wikipedia.org/wiki/DHCP
https://tr.wikipedia.org/wiki/LDAP
https://ahmtcnn.medium.com/llmnr-poisoning-ntlm-relay-ve-daha-fazlas%C4%B1-bd722d99a9da (a good resource on NTLM relay)
https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
https://chryzsh.github.io/relaying-delegation/ (my favourite)
https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
Görkem Koç