<aside> 📌 Summary
</aside>
IPv6 DNS takeover is an attack that exploits IPv6, a protocol that is usually enabled but unused on corporate networks, to hijack the Domain Name System (DNS) resolution process. By intercepting DNS requests or spoofing responses, the attacker redirects traffic to servers under their control. These attacks are more reliable than the previous ones because IPv6 is less often taken into account.
Now we need a tool to spoof an IPv6 DNS server. For this, we'll use https://github.com/dirkjanm/mitm6 together with ntlmrelayx. The first spoofs the DNS server, while the second dumps data from the Domain Controller through LDAPS.
<aside> ⚠️ Do not let this run unattended for hours. This attack can cause a lot of trouble and even outages. Let it run for just a dozen minutes at interesting times of day.
</aside>
First, let's set up ntlmrelayx with the following parameters:
- -6 to specify the usage of IPv6
- -t since we're targeting the ORB-DC LDAPS server
- -wh since we need to give a fake WPAD host
- -l the name of the folder where everything will be looted

ntlmrelayx.py -6 -t ldaps://<domain-controller> -wh wpadfake.orb.local -l lootme
Then we can start mitm6, simply passing the -d parameter to specify the domain:
sudo mitm6 -d orb.local # root mandatory
<aside> 💡 If the event is an administrator login, the software will even create a user with the access required to dump even more data :) (and nothing else…)
</aside>
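The spoofing step above works because mitm6 answers DHCPv6 on the local segment and pushes itself as the clients' DNS server. A defender can spot that from the wire: any DHCPv6 Advertise or Reply whose DNS Recursive Name Server option (option 23) names a server outside the expected list is suspect. The detector below is an added example written for this page, not code from the original notes or from the mitm6 project; the sample message and the allowed resolver address 2001:db8::53 are constructed.

```python
import struct
import ipaddress

# DHCPv6 message types and option codes (RFC 8415).
SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPTION_DNS_SERVERS = 23

# Constructed sample: an Advertise carrying a single DNS-server option that
# points at a link-local address, the shape a rogue DHCPv6 server on the
# segment produces when it wants clients to resolve names through it.
SAMPLE_ROGUE_ADVERTISE = (
    bytes([ADVERTISE, 0x12, 0x34, 0x56])            # msg-type + 3-byte transaction id
    + struct.pack("!HH", OPTION_DNS_SERVERS, 16)    # option code, option length
    + ipaddress.IPv6Address("fe80::1").packed       # one 16-byte DNS server address
)

def parse_dhcpv6(payload: bytes):
    """Return (msg_type, {option_code: [option_data, ...]}) for a DHCPv6 UDP payload."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]
    options = {}
    off = 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated DHCPv6 option")
        options.setdefault(code, []).append(payload[off:off + length])
        off += length
    return msg_type, options

def advertised_dns_servers(payload: bytes):
    """DNS servers a DHCPv6 Advertise/Reply pushes to the client (empty for other types)."""
    msg_type, options = parse_dhcpv6(payload)
    if msg_type not in (ADVERTISE, REPLY):
        return []
    servers = []
    for data in options.get(OPTION_DNS_SERVERS, []):
        for i in range(0, len(data) - len(data) % 16, 16):  # drop a trailing partial address
            servers.append(ipaddress.IPv6Address(data[i:i + 16]))
    return servers

def rogue_dns_servers(payload: bytes, allowed):
    """Advertised DNS servers that are not on the defender's allow-list, as strings."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(s) for s in advertised_dns_servers(payload) if s not in allowed]

if __name__ == "__main__":
    # 2001:db8::53 stands in for the legitimate resolver (documentation prefix, constructed).
    print(rogue_dns_servers(SAMPLE_ROGUE_ADVERTISE, ["2001:db8::53"]))  # ['fe80::1']
```

Feed it the UDP payloads of packets arriving on port 546 (the DHCPv6 client port) from a capture or a sensor; on a network that runs no DHCPv6 at all, any Advertise is already worth an alert.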
Then we need an event to occur. This can simply be a computer booting up, as shown below:

This gives us a lot of information. For instance, we can see the description field of the SQL service account, which holds the SQL service password. We can also look up the domain administrators to define our targets.
<aside> 💡 Sometimes, passwords in descriptions are just honeypots placed there to detect intrusions.
</aside>