From DNS to Domination: DNS Takeover Demystified with mitm6
In this blog post, we will be exploring the territory of DNS takeover, a strategic manoeuvre in the world of network penetration testing. Our guide through this intricate landscape is the potent tool mitm6.
IPv6 DNS takeover occurs when an attacker exploits vulnerabilities in the Domain Name System (DNS) and the IPv6 protocol to redirect or manipulate DNS queries and responses, ultimately gaining control over the DNS resolution process. This can lead to traffic interception, data theft, and various forms of cyber attacks.
Although the usage of IPv6 is growing across the internet, it’s relatively uncommon to find corporate networks that implement IPv6 internally. Surprisingly, many businesses are unaware that even if they aren’t actively utilizing IPv6, all Windows versions from Windows Vista onwards, including server editions, come with IPv6 enabled by default and prioritize it over IPv4.
Exploiting the preconfigured IPv6 settings within Windows networks, this technique involves falsifying DNS responses, effectively posing as a malicious DNS server. The outcome is the rerouting of network traffic towards a destination designated by the attacker.
What happens when a misconfigured IPv6 and a mischievous hacker walk into a bar together?
Well, you get mitm6 — but trust me, it’s not your typical punchline!
mitm6 is a pentesting tool created by Dirk-jan Mollema that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attacker's host as the default DNS server.
As the DNS server, mitm6 will selectively reply to DNS queries of the attacker's choosing and redirect the victims' traffic to the attacker machine instead of the legitimate server.
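To make the DHCPv6 side of this concrete from the defender's seat, here is an added example (not part of mitm6 or Impacket) that parses DHCPv6 Advertise/Reply messages and flags any that hand out a DNS server which is link-local or not on an allow-list. The allow-list address, the sample messages and the helper that builds them are constructed for this post.

```python
"""Flag DHCPv6 Advertise/Reply messages that hand out an unexpected DNS server.
Input is the DHCPv6 payload (UDP body) as bytes. Added example for this post;
the allow-list address and the sample messages are constructed."""
import ipaddress
import struct
from typing import Iterator, List, Tuple

ADVERTISE, REPLY = 2, 7          # server-to-client message types (RFC 8415)
OPTION_DNS_SERVERS = 23          # RFC 3646: list of 16-byte IPv6 addresses

# Assumption: the only DNS server a legitimate DHCPv6 server may hand out.
# On a network that runs no DHCPv6 at all, every Advertise/Reply is suspect.
ALLOWED_DNS = {ipaddress.IPv6Address("2001:db8::53")}


def dhcpv6_options(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLV option list that follows the 4-byte DHCPv6 header."""
    off = 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        data = payload[off:off + length]
        if len(data) != length:  # truncated option: stop rather than guess
            return
        yield code, data
        off += length


def check_dhcpv6(payload: bytes, allowed=ALLOWED_DNS) -> List[str]:
    """Return alert strings for one DHCPv6 message; an empty list means clean."""
    if len(payload) < 4 or payload[0] not in (ADVERTISE, REPLY):
        return []                # Solicit/Request come from clients: ignore
    alerts = []
    for code, data in dhcpv6_options(payload):
        if code != OPTION_DNS_SERVERS or len(data) % 16:
            continue
        for i in range(0, len(data), 16):
            addr = ipaddress.IPv6Address(data[i:i + 16])
            if addr.is_link_local:
                # mitm6 names the attacker's own link-local address as DNS server
                alerts.append(f"link-local DNS server offered: {addr}")
            elif addr not in allowed:
                alerts.append(f"DNS server not in allow-list: {addr}")
    return alerts


def sample_reply(dns_servers) -> bytes:
    """Construct a minimal DHCPv6 REPLY carrying only a DNS-servers option."""
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    header = struct.pack("!B3s", REPLY, b"\x00\x00\x01")  # type + transaction id
    return header + struct.pack("!HH", OPTION_DNS_SERVERS, len(addrs)) + addrs
```

Feed it the UDP payload of traffic captured on port 546 (client side); on a network that does not run DHCPv6, any alert at all is worth investigating.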
NTLMrelayX and mitm6: An Unstoppable Hacking Alliance
NTLMrelayX is one of the awesome tools provided in Impacket.
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1–3 and MSRPC) the protocol implementation itself.
mitm6 is designed to be used with ntlmrelayx, and the two tools should be run side by side. In this scenario mitm6 spoofs the DNS, causing victims to connect to ntlmrelayx for HTTP and SMB connections.
Consequently, a malicious actor could establish a setup that actively listens for IPv6 DNS queries, promptly instructing the client to channel all IPv6 communication towards the attacker’s infrastructure. In many cases, this exploit opens the door for the attacker to gain access to a Domain Controller through LDAP or SMB authentication.
The attacks presented are performed in an AD home lab environment. You are encouraged to set up your own and perform these attacks for a better understanding.
Demonstration
Now we will see how we can take over DNS and also gain access to a machine using LDAP authentication.
Step 1: Invoking mitm6
mitm6 -d <Domain>
Step 2: Setting up the relay
ntlmrelayx.py -6 -t ldaps://<DC_IP> -wh <HOSTNAME> -l lootme
We will run ntlmrelayx with the -6 option, which makes it listen on both IPv4 and IPv6. To obtain credentials for WPAD, we specify the WPAD hostname to spoof with -wh HOSTNAME.
When an event such as a reboot occurs on a machine, the authentication it triggers can be captured and relayed to a domain controller.
Now, we will restart a machine to speed up the process, and we can see that we were able to authenticate.
After authentication, ntlmrelayx performs an LDAP domain dump, which provides us with quite a bit of information. These files can be found in the lootme folder we specified when setting up the relay.
We can take a look at these files and get some juicy information about the Domain.
Bonus Part: Getting that Initial Access
As mentioned previously, initial access can be obtained via authentication through LDAPS.
Now, if an administrator logs in to a compromised machine and the relay succeeds, ntlmrelayx will modify an access control list (ACL) for us and create a new user with a password.
We can then gain access to the compromised machine with these credentials.
Mitigation Strategies
mitm6 attacks can be difficult to detect and prevent, as they often involve sophisticated techniques and tools. However, there are steps that organisations and individuals can take to protect against these types of attacks:
- Disabling IPv6 if it is not used on your internal network will prevent Windows clients from querying for a DHCPv6 server thereby making it impossible to take over the DNS server.
- Disable the Proxy Auto detection via Group Policy. If your company uses a proxy configuration file internally (PAC file) it is recommended to explicitly configure the PAC URL instead of relying on WPAD to detect it automatically.
- In order to prevent NTLM relaying you should consider disabling it entirely and switching to Kerberos or, if that isn't possible, you should:
  - enable SMB signing to prevent relaying to SMB by requiring all traffic to be signed
  - enable LDAP signing to prevent unsigned connections to LDAP
  - enable Extended Protection for Authentication, which will prevent some relaying attacks by ensuring that the TLS channel used for the connection to the server is the same one the client uses when authenticating
If you want to learn more about this, the following blog post will help you to understand this attack more thoroughly.
Conclusion
The journey from DNS to domination, though accompanied by ethical considerations, unveils the intricate dance between technology, security, and human ingenuity.
Remember, the digital domain is not merely a playground; it’s a battleground where the forces of good and ill engage in a perpetual struggle. Ethical hacking, such as that involving mitm6, serves as a powerful tool to fortify our defenses, expose vulnerabilities, and ultimately contribute to a safer online world.