Active Directory: Initial Attack Vector — DNS Takeover via IPv6 Attack and Defense
Today we will learn how to perform DNS Takeover via IPv6 attack against the AD environment. I am using 4 VMs.
- Windows Server 2019 :- IP Address: 10.20.30.40
- Windows 10 Pro:- IP Address: 10.20.30.49
- Windows 10 Pro:- IP Address: 10.20.30.42
- Kali Linux 2022.2:- IP Address: 10.20.30.43
How and Why does it work?
IPv6 has been enabled by default since Windows Vista yet most organizations have done little to nothing to secure it.
If we think about a machine running on a Windows network we typically run on IPv4, chances are the network is not even utilizing IPv6 but it’s turned on by default in our network adapter properties.
The attacker acts as an IPv6 router responding to configuration request from our victim and assign it with an IPv6 address and an IPv6 DNS server. This DNS server is preferred over IPv4 DNS server, hence any DNS requests coming from victim can be exploited for our advantage. One of those requests is WPAD configuration. Which we exploit for our advantage.
Install the LDAPS Certificate on server
To utilize this attack fully we have to add a Certificate Manager to our Domain Controller.
Installing Certificate Services
Configuring Certificate Services
Reboot this Server.
IPv6 DNS Takeover via mitm6
In order to accomplish this attack we need following set of tools.
mitm6: This will act as IPv6 Router during the attack.
ntlmrelayx.py: This will capture the credentials and relay them to target machine. I am using Impacket v0.9.19.
We start with mitm6 on our interface filtering for marvel.local domain.
mitm6 -d marvel.local -d -> Domain
As shown below one can clearly see the DNS server on our victims machine before we start mitm6 tool and after.
Now we will launch ntlmrelayx.py
ntlmrelayx.py -6 -t ldaps://10.20.30.40 -wh fakewpad.marvel.local -l lootme -------------------------------HELP---------------------------------6 -> listens on both IPv4 and IPv6 -t -> Target (Domain Controller) -wh -> specify the host that the WPAD file resides on, any non- existing hostname in the victim network will do. -l -> loot directory name
It’s going to take some time so we are going to restart our machine and log in as an Administrator to speed this along.
As shown above once the authentication against the DC succeed, it goes ahead with creation of new user on Domain Controller.
Gathering information as a Regular User
If we are not able to capture Domain Admin hash we can still gather information about our target environment using hash of a regular user.
The attack is exactly the same.
Once we are authenticated against the DC as a regular user we gather data and dump into lootme directory as shown below.
As shown below we have gathered useful information regarding our target environment.
We can read the descriptions that the user thinks are only visible to them.
- If you don’t use IPV6 internally, the safest way to prevent mitm6 is to block DHCP6 traffic and incoming router advertisements in Windows Firewall.
- If WPAD is not in use internally, disable it.
- Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding.
In this post, we learned how to use DNS Takeover via IPv6 attack against the AD environment.
Thanks so much for reading. You can find me around the internet at the following: