IPv6 Exploitation in AD environment

Sonny
Jun 14, 2020

PART 0 : The Setup

The following figure depicts our lab setup, which is straightforward. The lab consists of:

1 Domain Controller

2 Workstations

1 Kali Machine

LDAPS should be configured on Domain Controller

PART 1 : DNS Takeover

IPv6 is one of those technologies that still remains an enigma. We all know it is there, but the world still runs on IPv4, so little to no attention is paid to IPv6. IPv6 has been enabled by default since Windows Vista, yet most organizations have done little to nothing to secure it.

Because most organizations have IPv6 enabled without being aware of the security issues around it, some intelligent people were motivated to find ways to exploit IPv6.

In order to explain how IPv6 can be exploited to our advantage, this blog post is broken down into parts, as each part leads to the next. In this first part we cover the groundwork required before anything malicious can be done.

In a nutshell, the attacker acts as an IPv6 router: it responds to configuration requests from the victim and assigns it an IPv6 address and an IPv6 DNS server. Windows prefers this IPv6 DNS server over the IPv4 one, so any DNS request coming from the victim can be answered by the attacker. One of those requests is the WPAD lookup, which we exploit to our advantage.

WPAD stands for Web Proxy Auto-Discovery. Essentially, a Windows machine sends out these requests to find out whether there is a proxy server in the environment. When the attacker, which is now also the victim's IPv6 DNS server, receives this request from the victim's machine, it responds with its own address. In order to get the WPAD configuration the machine provides credentials, which are captured by the attacker's machine and then used for more malicious purposes.

The following blog post does a great job of summarizing it.

The following is copied directly from the link above:

  1. An IPv6 client periodically sends out solicit packets on the local network, seeking an IPv6 router.
  2. When an IPv6 router is present, it sends out an advertise packet in response to the solicit packet. This advertise packet informs the client that the IPv6 router is available for DHCP services.
  3. The IPv6 client replies with a request packet to the DHCPv6 server, asking for an IPv6 configuration.
  4. Finally, the DHCPv6 server issues the IPv6 configuration to the IPv6 client, which specifies several things, including the IP address, default gateway, DNS servers, etc. This is all included in the reply packet.
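From the defender's side, the sequence above (and the WPAD answer described earlier) is what a sensor on the workstation segment can watch for: router advertisements or DHCPv6 advertise/reply packets from a MAC that is not the sanctioned router, a DNS server option that is not one of the approved IPv6 DNS servers, and a DNS answer for the WPAD name that points anywhere other than the approved proxy host. The following detection logic is an added example written for this post; it is not code from the original page nor from mitm6. The events, allowlists, MAC addresses and IP addresses are constructed placeholders, and the event records stand in for whatever your packet sensor actually produces.

```python
"""Flag rogue IPv6 router / DHCPv6 advertisements and WPAD answers from
unexpected hosts.  Added example with constructed events, not a real capture."""
from dataclasses import dataclass, field
from typing import List

# Assumed allowlists (hypothetical values): MACs of the sanctioned IPv6
# router / DHCPv6 server, IPv6 addresses of sanctioned DNS servers, and the
# host allowed to answer for the WPAD name.
KNOWN_ROUTER_MACS = {"00:11:22:33:44:55"}
APPROVED_DNS_V6 = {"fd00:0:0:1::10"}
APPROVED_WPAD_HOSTS = {"10.0.0.20"}


@dataclass
class NetEvent:
    """One observation from a network sensor on the workstation segment."""
    kind: str                 # "ra", "dhcpv6_advertise", "dhcpv6_reply", "dns_answer"
    src_mac: str
    dns_servers: List[str] = field(default_factory=list)  # offered by RA / DHCPv6
    qname: str = ""           # queried name, for dns_answer
    answer: str = ""          # returned address, for dns_answer


def check_event(ev: NetEvent) -> List[str]:
    """Return zero or more alert strings for a single event."""
    alerts: List[str] = []
    if ev.kind in ("ra", "dhcpv6_advertise", "dhcpv6_reply"):
        # Only the sanctioned router/DHCPv6 server may advertise on this segment.
        if ev.src_mac not in KNOWN_ROUTER_MACS:
            alerts.append(f"rogue {ev.kind} from {ev.src_mac}")
        # Any offered DNS server outside the approved set is the DNS takeover.
        for dns in ev.dns_servers:
            if dns not in APPROVED_DNS_V6:
                alerts.append(f"{ev.kind} from {ev.src_mac} offers unapproved DNS {dns}")
    elif ev.kind == "dns_answer":
        # An answer for the WPAD name that points away from the approved proxy
        # host is how a spoofed DNS server steers the client to itself.
        if ev.qname.lower().startswith("wpad.") and ev.answer not in APPROVED_WPAD_HOSTS:
            alerts.append(f"WPAD answer {ev.qname}->{ev.answer} from {ev.src_mac}")
    return alerts


def scan(events: List[NetEvent]) -> List[str]:
    """Run check_event over a sequence of events and collect all alerts."""
    out: List[str] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample: one legitimate RA, then a rogue DHCPv6 server that hands
# out itself as DNS and answers the WPAD lookup with its own (placeholder) IP.
SAMPLE_EVENTS = [
    NetEvent("ra", "00:11:22:33:44:55", dns_servers=["fd00:0:0:1::10"]),
    NetEvent("dhcpv6_advertise", "de:ad:be:ef:00:01"),
    NetEvent("dhcpv6_reply", "de:ad:be:ef:00:01", dns_servers=["fe80::dead:beef"]),
    NetEvent("dns_answer", "de:ad:be:ef:00:01",
             qname="wpad.covid.inc", answer="192.168.41.199"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The allowlist approach is deliberate: on a segment where IPv6 is not meant to be in use, any RA or DHCPv6 server traffic at all is noteworthy, so the `KNOWN_ROUTER_MACS` set can simply be empty there, and every advertisement becomes an alert.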

In order to accomplish this attack we need the following tools:

  1. mitm6: This acts as the IPv6 router during the attack.
  2. ntlmrelayx.py: This captures the credentials and relays them to the target machine.

Once the tools are installed we can start our attack. We start mitm6 on our interface, filtering for the covid.inc domain (this was my test domain). One can clearly see the IPv6 address we are using for the attacker's machine.

In this specific instance we are only targeting the machine named Terminator2.

kali@kali:~$ sudo mitm6 -i eth0 -d covid.inc -hw Terminator2

As shown below, one can clearly see the DNS server on the victim's machine before we start mitm6: the DNS server is our Domain Controller.

Below is a screenshot of the victim's machine after we launch mitm6. Our tool responds to the IPv6 request from the victim's computer, and one can clearly observe that the DNS server address is now the attacker's IPv6 address.

This concludes stage 1 of the attack. In Part 2 and 3 we will cover how we can exploit this to our advantage.

PART 2: The Clumsy Domain Admin

The attack shown in Part 2 demonstrates what can be done if we are able to capture Domain Admin credentials, should a Domain Admin decide to log into a workstation that is using our DNS settings. In this demonstration that workstation is Terminator1.

As shown below, we first launch the DNS attack covered in Part 1. We then launch ntlmrelayx.py.

kali@kali:~$ sudo mitm6 -i eth0 -d covid.inc -hw Terminator1

kali@kali:~$ sudo ntlmrelayx.py -t ldaps://192.168.41.130 --delegate-access --no-smb-server -wh attacker-wpad

As shown below, once the authentication against the DC succeeds, it goes ahead and creates a new user on the DC.
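The outcome described above, an account created on the DC right after a relayed authentication, is something the DC's own Security log can surface. A relayed credential shows up on the DC as a network logon (event 4624, logon type 3) whose source address is the relaying host rather than an approved admin workstation, and the account creation follows as event 4720 (user account created) or 4741 (computer account created) under the same user. The correlation below is an added example for this post, not code from the original page or from impacket; the event records, the admin-host allowlist, the account names and the addresses are all constructed placeholders standing in for parsed Security log entries.

```python
"""Correlate account-creation events on the DC with a preceding network logon
of the same account from a host that is not an approved admin host.
Added example over constructed event records, not real Security log output."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

APPROVED_ADMIN_HOSTS = {"10.0.0.50"}      # hypothetical jump host(s)
ACCOUNT_CREATED_IDS = {4720, 4741}         # 4720 user created, 4741 computer created
NETWORK_LOGON = 3                          # 4624 logon type used by relayed NTLM auth
WINDOW = timedelta(minutes=5)              # how soon after the logon we expect the creation


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def suspicious_creations(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (created_account, creating_user, source_ip) for every account
    creation that follows, within WINDOW, a network logon of the same user
    from an address outside APPROVED_ADMIN_HOSTS."""
    network_logons = [e for e in events
                      if e["id"] == 4624 and e["logon_type"] == NETWORK_LOGON]
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev["id"] not in ACCOUNT_CREATED_IDS:
            continue
        created_at = _ts(ev["time"])
        for lg in network_logons:
            delta = created_at - _ts(lg["time"])
            if (lg["user"] == ev["user"]
                    and timedelta(0) <= delta <= WINDOW
                    and lg["src_ip"] not in APPROVED_ADMIN_HOSTS):
                alerts.append((ev["target"], ev["user"], lg["src_ip"]))
                break   # one alert per creation is enough
    return alerts


# Constructed sample: the first pair mimics a relayed logon from an unknown
# host followed seconds later by a computer account being created; the second
# pair is the same admin doing routine work from the approved jump host.
SAMPLE_EVENTS = [
    {"time": "2020-06-14T10:00:00", "id": 4624, "user": "da_admin",
     "logon_type": 3, "src_ip": "192.168.41.150"},
    {"time": "2020-06-14T10:00:03", "id": 4741, "user": "da_admin",
     "target": "NEWHOST$"},
    {"time": "2020-06-14T11:00:00", "id": 4624, "user": "da_admin",
     "logon_type": 3, "src_ip": "10.0.0.50"},
    {"time": "2020-06-14T11:00:10", "id": 4720, "user": "da_admin",
     "target": "svc_backup"},
]

if __name__ == "__main__":
    for created, by, src in suspicious_creations(SAMPLE_EVENTS):
        print(f"{created} created by {by} after network logon from {src}")
```

The window is tight on purpose: a relay turns the captured authentication into directory changes within seconds, whereas an administrator provisioning accounts from a jump host produces the same event pair from an approved address, which the allowlist filters out.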

PART 3: The Regular User

If we are not able to capture a Domain Admin hash, we can still gather juicy information about our target environment using the hash of a regular user.

The attack is similar to what we did in Part 2, except this time we run ntlmrelayx.py with a few different options. What we are doing is gathering data from the Domain Controller and dumping it into a directory called "lootme".

We start by launching the DNS attack covered in Part 1. The next step is to launch ntlmrelayx.py with the options shown below.

kali@kali:~$ sudo mitm6 -i eth0 -d covid.inc -hw Terminator1

kali@kali:~$ sudo ntlmrelayx.py -t ldaps://192.168.41.130 -wh attacker-wpad -l lootme

Once we are authenticated against the DC, we gather data and dump it into the lootme directory as shown below.

As shown below we have gathered useful information regarding our target environment.

Some resources that I found really helpful. Good Luck!!! ~@browninfosecguy
