IPv6 DNS take-over via mitm6 - compromising IPv4 networks via IPv6



While IPv6 adoption is gaining traction, company networks that use IPv6 internally are quite rare. However, most companies are unaware that while IPv6 might not be actively in use, all Windows versions since Windows Vista (including server variants) have IPv6 enabled and prefer it over IPv4.


In this write-up, we explore an attack that abuses the default IPv6 configuration in Windows networks to spoof DNS replies by acting as a malicious DNS server and redirect traffic to an attacker specified endpoint or relay.


We can abuse this exact functionality to gain control over the network and potentially dump the NTLM hashes from ntds.dit, create users, add users to privileged groups such as Enterprise Admins, and so on, on the domain controller. The ntds.dit file is the Active Directory database that stores user objects, groups and group memberships, and the password hashes of every user in the domain.


This attack attempts a DNS takeover in a network via IPv6 using mitm6, which listens for IPv6 DNS requests, spoofs the DNS reply and passes it to ntlmrelayx. Ntlmrelayx captures NTLM credentials obtained through a fake WPAD proxy and relays them to an authentication service. Once it succeeds in authentication, it dumps the domain information. This attack can be built upon to get all the NTLM hashes from the domain.


There are two stages in this attack:

1. IPv6 DNS spoofing

2. Relaying credentials


1. IPv6 DNS Spoofing


To spoof IPv6 DNS traffic, we will be using the tool mitm6.

mitm6 acts as a DHCPv6 server and listens on the attacker machine's primary interface for incoming DHCPv6 configuration requests. As mentioned earlier, Windows prefers IPv6 by default and sends DHCPv6 requests regularly. mitm6 replies to those requests, assigns an IPv6 address to the targets in the specified domain, and sets the attacker machine as their primary DNS server.


┌──(root㉿kali)-[/opt/mitm6]
└─# mitm6 -d tesla.local




2. Relaying credentials through ntlmrelayx


We can now see the domain's DNS traffic, but to obtain credentials we need a mechanism that makes the victim authenticate to us. That is where WPAD abuse comes in.


Web Proxy Auto-Discovery (WPAD) is a protocol that lets all devices on a network use the same web proxy configuration. Instead of configuring a proxy on each machine, network administrators let clients discover the URL of a Proxy Auto-Configuration (PAC) file automatically. By default, clients query the DNS server for the location of the PAC file; if one is found, all web requests are routed through the proxy configured in that PAC file.


Since we act as the DNS server, we can host a fake WPAD for the victim that sets the web proxy to the attacker's IP address when queried. From then on, whenever the victim uses any application that connects to the internet, it uses our machine as a proxy. Once connected, the proxy server (the attacker machine) responds with HTTP 407 Proxy Authentication Required, which prompts the Windows machine to send us an NTLM challenge/response. This can be relayed to different authentication services such as LDAPS, SMB or HTTP.


┌──(root㉿kali)-[/opt/mitm6]
└─# ntlmrelayx.py -6 -t ldaps://192.168.220.143 -wh fakewpad.tesla.local -l lootme






This command serves a WPAD URL, "fakewpad.tesla.local", to the victim so that the attacker's IP is set as the proxy, and relays the captured NTLM challenge/response to the LDAPS server for authentication. Once authenticated, it dumps all the domain information to the loot folder as HTML files like the one shown below.




In this example, we open the extracted dumps from the loot folder in Firefox to display the gathered domain information, starting with "domain_users_by_group.html".


┌──(kali㉿kali)-[/opt/mitm6/lootme]
└─$ firefox domain_users_by_group.html







If the credentials of a privileged user such as a Domain Admin or Enterprise Admin are captured, ntlmrelayx not only relays and authenticates as that user but also modifies the access control lists (ACLs) on the Domain Controller to create a new user with the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges, as shown below.




We can use this newly created user to dump the NTDS hashes with "secretsdump.py" by performing a DCSync attack.








Mitigation:


IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments. If IPv6 is not in use internally, the safest way to stop mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy; disabling IPv6 entirely may have adverse side effects. Setting the following predefined rules to Block instead of Allow prevents the attack from working.

- Firewall rules can block the IPv6 traffic this attack depends on. Set the following predefined rules to Block:
  - (Inbound) Core Networking – Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
  - (Inbound) Core Networking – Router Advertisement (ICMPv6-In)
  - (Outbound) Core Networking – Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)

- If WPAD is not used internally, disable it via Group Policy by disabling the WinHttpAutoProxySvc service.

- Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding; enabling SMB signing also prevents this attack to a certain extent.

- Adding administrative users to the Protected Users group prevents delegation and therefore prevents impersonation of those users via delegation.
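The firewall rules and the WPAD service named in the list above, applied on a single host and then audited for leftover signs of a rogue DHCPv6 server, as an added PowerShell example that is not part of the original post. The rule display-name wildcards and the WinHttpAutoProxySvc registry path are assumptions to verify on your build; in production push the same settings through Group Policy.

```powershell
# Added example, not from the original post: harden an IPv4-only Windows host
# against the DHCPv6 / router-advertisement abuse described above and audit it.
# Run in an elevated PowerShell session.
# Assumption: the predefined rule display names match the wildcards below
# (check with Get-NetFirewallRule -DisplayName 'Core Networking - *' if not).

function Set-Ipv6PoisoningBlocks {
    # The three predefined "Core Networking" rules from the mitigation list, set to Block.
    $rules = @(
        Get-NetFirewallRule -DisplayName 'Core Networking - Dynamic Host Configuration Protocol for IPv6*' -ErrorAction SilentlyContinue
        Get-NetFirewallRule -DisplayName 'Core Networking - Router Advertisement*' -Direction Inbound -ErrorAction SilentlyContinue
    )
    $rules | Set-NetFirewallRule -Action Block -Enabled True
    return $rules.Count   # number of rules that were switched to Block
}

function Disable-WpadService {
    # Recent builds refuse Set-Service -StartupType Disabled for this service, so set
    # its Start value to 4 (Disabled) directly; takes effect after a reboot.
    # Assumption: this is the service's configuration key.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' -Name Start -Value 4
}

function Test-Ipv6Poisoning {
    # Audit: on a network with no IPv6 deployment, an IPv6 DNS server or an IPv6 default
    # route learned by the host is exactly what a rogue DHCPv6 server / RA sender leaves behind.
    $findings = @()

    Get-NetFirewallRule -DisplayName 'Core Networking - Dynamic Host Configuration Protocol for IPv6*' |
        Where-Object { $_.Action -ne 'Block' -or $_.Enabled -ne 'True' } |
        ForEach-Object { $findings += "Firewall rule not blocking: $($_.DisplayName)" }

    Get-DnsClientServerAddress -AddressFamily IPv6 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $findings += "IPv6 DNS server on $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

    Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "IPv6 default route via $($_.NextHop) on $($_.InterfaceAlias)" }

    return $findings   # empty means nothing suspicious was found
}

Set-Ipv6PoisoningBlocks
Disable-WpadService
Test-Ipv6Poisoning
```

Run Test-Ipv6Poisoning on its own from a scheduled task or your endpoint agent: a non-empty result on an IPv4-only network is a detection, not just a misconfiguration.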



