IPv6 DNS takeover

This attack takes advantage of machines that use IPv4 while still having IPv6 enabled in their network adapter properties. When a machine is configured this way, one question comes to mind: who is the DNS server for IPv6? Most of the time, nobody.

With this misconfiguration, an attacker can listen for any incoming IPv6 traffic and declare themselves the DNS server for IPv6. Through this process, an attacker can gain authentication to the Domain Controller over LDAP (Lightweight Directory Access Protocol) or SMB (Server Message Block).

After an event occurs on the target network, normally a machine rebooting or starting up for the day, the resulting traffic goes to the attacker. The attacker can then use that event to authenticate to the Domain Controller. This can all be done from a non-administrative user account.

The attacker can then wait for credentials to be used on the target network; those credentials are handed to the attacker by leveraging NTLM (Windows New Technology LAN Manager).

The attacker can now relay the user credentials to the Domain Controller over LDAP and log in if the relayed credentials belong to a domain administrator. This allows the attacker to create an account on the Domain Controller.

Steps (run in short sprints of 5-10 minutes only; otherwise you can cause outages)

  1. Run ntlmrelayx

  2. Run mitm6

  3. On any event (restart/login), the resulting authentication is relayed.

  4. If an administrator logs in, ntlmrelayx tries to create a new user account, which can then be used to perform a DC sync attack.

1. ntlmrelayx

impacket-ntlmrelayx -6 -t ldaps://192.168.138.136 -wh fakewpad.marvel.local -l lootme
Flag / Parameter            Meaning
impacket-ntlmrelayx         The Impacket tool used to relay NTLM authentication.
-6                          Enables IPv6 support. This is crucial for IPv6 DNS takeover attacks.
-t ldaps://192.168.138.136  Target for the relay: in this case, an LDAPS (LDAP over SSL) server at the given IP.
-wh fakewpad.marvel.local   WPAD (Web Proxy Auto-Discovery Protocol) hostname to inject into the victim's system, used for poisoning (fake proxy server).
-l lootme                   Directory where loot (dumped hashes, credentials, etc.) will be saved.

🧠 What This Setup Is Doing:

  • Listens for NTLM authentication over IPv6.

  • Relays the authentication to the LDAPS server at 192.168.138.136.

  • Uses fake WPAD (fakewpad.marvel.local) to trick clients into sending NTLM auth.

  • Stores captured credentials or data in the lootme directory.

This is part of a WPAD + NTLM relay over IPv6 attack, commonly used in enterprise environments with misconfigured DNS or IPv6-enabled clients.

2. mitm6

Installation

sudo apt install mitm6

Launch mitm6

sudo mitm6 -d marvel.local

3. Force event (restart)

For example a restart or login; we will then get a success message.

We will then have information about computers, groups, users, etc. in the loot directory: ntlmrelayx has enumerated everything.

4. DC sync attack

If an admin logs in to some computer, it automatically adds a user that can be used to perform a DC sync attack. The newly added user will have enterprise admin access. (not working for me)
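From the defender's side, the DHCPv6 DNS takeover above is visible on the wire: a server reply that hands out an IPv6 DNS server where none should exist. The following is an added example, not from these notes or from the mitm6/impacket projects; it parses a DHCPv6 ADVERTISE/REPLY body and flags any advertised DNS server (option 23) that is not on an allowlist. The transaction id and addresses in the constructed sample are arbitrary.

```python
"""Flag DHCPv6 server replies that advertise an unexpected IPv6 DNS server.

Added defender-side example, not from the original notes. DHCPv6 body layout
(RFC 8415): msg-type (1 byte), transaction id (3 bytes), then option TLVs of
2-byte code, 2-byte length and data. Option 23 carries DNS server addresses.
"""
from __future__ import annotations
import ipaddress
import struct

MSG_ADVERTISE, MSG_REPLY = 2, 7  # server-originated message types
OPT_DNS_SERVERS = 23             # DNS recursive name server option (RFC 3646)

def parse_dhcpv6(payload: bytes) -> tuple[int, dict[int, bytes]]:
    """Return (msg_type, {option_code: raw_data}); rejects truncated input."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 message")
    options: dict[int, bytes] = {}
    offset = 4
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"option {code} overruns the message")
        options[code] = payload[offset:offset + length]
        offset += length
    return payload[0], options

def dns_servers(options: dict[int, bytes]) -> list[str]:
    """Decode option 23 into textual IPv6 addresses (16 bytes each)."""
    raw = options.get(OPT_DNS_SERVERS, b"")
    if len(raw) % 16:
        raise ValueError("DNS_SERVERS option is not a whole number of addresses")
    return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]

def rogue_dns_servers(payload: bytes, allowed: list[str]) -> list[str]:
    """DNS servers in an ADVERTISE/REPLY not on the allowlist; empty allowlist = no IPv6 DNS expected."""
    msg_type, options = parse_dhcpv6(payload)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []  # client SOLICIT/REQUEST messages carry no DNS assignment
    allowed_set = {ipaddress.IPv6Address(a) for a in allowed}
    return [s for s in dns_servers(options) if ipaddress.IPv6Address(s) not in allowed_set]

def build_reply(dns_server: str, txid: bytes = b"\x0a\x0b\x0c") -> bytes:
    """Constructed sample REPLY carrying one DNS server; txid is arbitrary."""
    packed = ipaddress.IPv6Address(dns_server).packed
    return bytes([MSG_REPLY]) + txid + struct.pack("!HH", OPT_DNS_SERVERS, 16) + packed
```

In a network that never configured IPv6 DNS, call `rogue_dns_servers(payload, [])` on every captured DHCPv6 reply: any non-empty result is a server that should not be there.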
