惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Vercel News
Vercel News
The GitHub Blog
The GitHub Blog
博客园 - 【当耐特】
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Announcements
Recent Announcements
D
Docker
GbyAI
GbyAI
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Cloudflare Blog
雷峰网
雷峰网
A
About on SuperTechFans
小众软件
小众软件
博客园 - Franky
博客园 - 聂微东
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
C
Check Point Blog
MongoDB | Blog
MongoDB | Blog
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
U
Unit 42
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
V2EX
Engineering at Meta
Engineering at Meta
宝玉的分享
宝玉的分享
aimingoo的专栏
aimingoo的专栏
量子位
P
Proofpoint News Feed
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
罗磊的独立博客
Martin Fowler
Martin Fowler
D
DataBreaches.Net
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
Project Zero
Project Zero
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tailwind CSS Blog
S
Schneier on Security
Blog — PlanetScale
Blog — PlanetScale
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
Security Latest
Security Latest
NISL@THU
NISL@THU
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
J
Java Code Geeks

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
MITM6 Strikes Again: The Dark Side of IPv6
Kassie Kimball · 2023-02-15 · via Black Hills Information Security, Inc.

Dale Hobbs //

As the world becomes increasingly connected through the internet, cyber attacks have become more sophisticated and prevalent. One type of attack that you may not have heard of is the Machine-in-the-Middle IPv6 (MITM6) attack. In this article, we’ll explore what MITM6 attacks are, how they work, and what you can do to protect yourself and your organization against them. 

What is an MITM6 Attack? 

MITM6  is a type of attack that involves intercepting and manipulating the communication between two parties. In this attack, the attacker positions themselves between the two parties and acts as a proxy, allowing them to intercept and alter the communication between the parties. 

One common method for carrying out an MITM6 attack is through the use of a rogue IPv6 DHCP server. The attacker can set up a rogue DHCP server and advertise itself as the default DNS server to devices on the network. When a device sends a request to communicate with another device, the rogue router intercepts the request and establishes a connection with the target device on behalf of the original sender. The attacker can then use this position to intercept and alter the communication between the two devices. 

DNS Takeover attacks via IPv6 

Typically, people are running IPv4 on their networks. However, IPv6 is also enabled by default on your network. If you look at the network adapter properties on your system, you will likely find that IPv6 is turned on, even though you’re using IPv4. 

To top it off, IPv6 is most likely set to obtain an IPv6 address automatically from a DHCP server, but in most cases, people are not actively managing IPv6 on the network. As such, DHCP is usually not configured to manage IPv6 on the network.  

This brings up the question: who or what is providing DNS services for IPv6 on the network? A majority of the time, the answer to that is nobody and nothing!  

This means that an attacker can set up a system to listen for IPv6 DNS requests and respond to them by telling the client to send all of its IPv6 traffic to the attacker’s system. Often, this can allow an attacker to get authentication to a Domain Controller via LDAP or SMB.  

How, you ask? Well, when an attacker’s machine is intercepting IPv6 traffic, they can intercept authentication requests, intercept the NTLM credentials, and relay them using ntlmrelayx to a Domain Controller. If the relayed authentication request was from a Domain Administrator, the attacker can then use that NTLM credential to create a user account for themselves on the domain. The best part about this is that the mitm6 tool automagically does all of this for you.  

Let’s walk through what this attack looks like. First things first, you need to download and install the mitm6 tool from https://github.com/dirkjanm/mitm6. Once that’s done, simply run the tool as seen below. In my case, the domain we’re testing with is called adlab.com; you should replace it with your own domain name.  

As you can see, we pretty quickly started to see IPv6 requests on the network indicating that IPv6 addressing is not managed on the network. 

Next, we’re going to set up ntlmrelayx to relay the requests to LDAPS on a domain controller, send the client a fake WPAD file, and automatically dump out any information we find to a folder called ‘loot’ on the local system. As you can see below, a connection request came in, our attacking system relayed the connection attempt to the Domain Controller at 192.168.190.200, and successfully authenticated.  

impacket-ntlmrelayx -6 -t ldaps://192.168.190.200 -wh fakewpad.adlab.com -l loot 

Now, if we look in our ‘loot’ directory, we can see we’ve collected a lot of information such as the computers and users on the domain, as well as the domain password policy.  

This in itself is incredibly useful, as we now have a list of domain users that we could launch password attacks against. But wait… there’s more! As luck would have it, an administrator logged in to a computer on the network, and we can see that the users’ credentials were relayed to LDAPS and created a user account on the domain for us.  

So now we have a user account on the domain named ‘NbuCuQKhZW’ with a password of ‘v(Zt<)J_Snii$uo’. If we look in Active Directory, we can confirm that the user account was created. 

Not only did it create an account for us, but it created the account with an ACL (Access Control List) providing the user account with the ‘Replication-Get-Changes-All’ privileges on the domain. The ‘Replication-Get-Changes-All’ right in Active Directory allows you to request everything out of Active Directory including password hashes. If we look at the ACL for domain, we can confirm that the user account has ‘Replication-Get-Changes-All’ privileges on the domain.

So now that we have a privileged user account on the domain, we can use a tool like secretsdump.py to perform a DCSync against the domain controller and download all of the password hashes from the domain. (mitm6 was even kind enough to suggest using secretsdump.py).

impacket-secretsdump -just-dc-ntlm adlabs.com/[email protected]

Secretsdump will prompt for the password of the user account, in this case that user account was ‘NbuCuQKhZW’ with the password ‘v(Zt<)J_Snii$uo’.

As you can see in the image above, we have successfully dumped the users and password hashes from the domain. These can now be taken offline to a password cracking system where you can use a password cracker such as Hashcat to attempt to crack the passwords.

How Can You Protect Yourself Against MITM6 Attacks?

MITM6 attacks can be difficult to detect and prevent, as they often involve sophisticated techniques and tools. However, there are steps that organizations and individuals can take to protect against these types of attacks:

  • Disabling IPv6 if it is not used on your internal network will prevent Windows clients from querying for a DHCPv6 server thereby making it impossible to take over the DNS server.
  • Disable the Proxy Auto detection via Group Policy. If your company uses a proxy configuration file internally (PAC file) it is recommended to explicitly configure the PAC URL instead of relying on WPAD to detect it automatically.
  • In order to prevent NTLM relaying you should consider disabling it entirely and switch to Kerberos or, if that isn’t possible, you should:
    • enable SMB signing to prevent relaying to SMB by requiring all traffic to be signed
    • enable LDAP signing to prevent unsigned connections to LDAP
  • Enable extended protection for authentication which will prevent some relaying attacks by ensuring that the TLS channel used for the connection to the server is the same that the client uses when authenticating.

In conclusion, MITM6 attacks are a serious threat to the security of your communication. By properly managing IPv6 on your network, you can help protect yourself and your organization against these types of attacks.



Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand