Written by Joe Helle, Security Engineer
As the world continues to run out of IPv4 addresses, developers and software engineers have pushed towards utilizing IPv6 address space, which makes sense given that IPv6 offers a nearly unlimited number of addresses. Unfortunately, IPv6 can be confusing and difficult to manage, and the ease of IPv4 subnetting and addressing often makes IPv6 undesirable in the enterprise environment.
The vulnerabilities surrounding IPv6 do not come from its lack of popularity, however, but rather from its lack of responsible management. Modern operating systems prefer IPv6 over IPv4 for both addressing and DNS, so an IPv6 configuration that nobody manages leaves a significant security gap for attackers to fill.
Security researchers and malicious actors alike have realized this and developed tools such as mitm6 (man-in-the-middle 6) and ntlmrelayx. These tools allow a machine that is not joined to the domain to step in as the network's IPv6 DNS server, functioning as a proxy that permits the capture of domain information and NTLM and NTLMv2 hashes, the relaying of connections to other machines, and more.
Domain User Information Disclosure
Exploiting Unmanaged IPv6 DNS
Exploitation is straightforward and can be conducted with easy-to-obtain tools, many of which are installed by default on current Kali Linux distributions. Once an attacker has access to the internal domain network, whether through a joined work account or an un-joined endpoint connected via wireless or an insecure ethernet port, they can run tools like mitm6 and ntlmrelayx with little to stop them.
Any time a user endpoint in the domain attempts to authenticate or look up a name in DNS, the attacker's machine proxies that traffic, capturing valuable data and user hashes and even creating domain user accounts with DCSync privileges.
As you can see above, an attacker simply waits for traffic to begin coming in (these attacks work best at the beginning of the workday, when employees first access services). As users authenticate to domain services, in this case LDAPS, ntlmrelayx captures NTLMv2 hashes and, when the relayed account is privileged, can use it to create new user accounts, as seen above.
The attacker can use tools such as Hashcat or John the Ripper to crack the NTLMv2 hashes collected, or, if a privileged user's session was used to create a new account, use that account's DCSync privileges to dump all user and administrator hashes from the domain controller (as seen below).
Once an attacker has these hashes it is game over, so to speak, as they can now access any workstation in the domain, including the domain controller.
As you have seen, unmitigated IPv6 DNS services in the enterprise domain environment can be easily exploited. Unfortunately, there are not many options for systems and network administrators to prevent it.
Disabling IPv6 is the easiest solution and the one we recommend most, although it does come with its own side effects. Disabling WPAD (Web Proxy Auto-Discovery) via group policy can help prevent some of these attacks but is not a complete solution. Some IDS/IPS vendors can identify rogue DHCPv6 and WPAD traffic, but this is not fully secure either, as attack tools and techniques often evolve faster than defensive solutions.
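The "rogue DHCPv6" detection that IDS/IPS vendors offer comes down to one check: a DHCPv6 ADVERTISE or REPLY on the segment that hands clients a DNS server nobody in the organization configured, which is exactly how an attacker's machine steps in as the IPv6 DNS service described earlier. The following Python is an added example written for this article, not code from mitm6, ntlmrelayx, or the authors; it parses the DHCPv6 message format (RFC 8415 header, RFC 3646 DNS server option 23) and flags advertised resolvers that are off an allowlist. The sample packets, the corporate resolver address 2001:db8:10::53, and the link-local address fe80::1337 are constructed for the demonstration.

```python
"""Minimal DHCPv6 parser plus a rogue-DNS-server check (added example for this
article, not the authors' tooling). Flags any DHCPv6 ADVERTISE/REPLY whose DNS
server option (option 23) lists an address outside the allowlist. On a network
that does not use IPv6 at all, every such message is suspicious."""
import ipaddress
import struct

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
OPT_DNS_SERVERS = 23  # RFC 3646: list of 16-byte IPv6 addresses


def parse_dhcpv6(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCPv6 message into type, txid and options.

    Raises ValueError on a truncated message or option so that a malformed
    packet is rejected rather than partially trusted.
    """
    if len(payload) < 4:
        raise ValueError("DHCPv6 header is 4 bytes; message too short")
    msg_type = payload[0]
    txid = int.from_bytes(payload[1:4], "big")  # 3-byte transaction id
    options = {}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError(f"truncated option header at offset {offset}")
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"option {code} claims {length} bytes past end of message")
        options.setdefault(code, []).append(payload[offset:offset + length])
        offset += length
    return {"type": MSG_TYPES.get(msg_type, f"UNKNOWN({msg_type})"),
            "txid": txid, "options": options}


def dns_servers(msg: dict) -> list:
    """Return the IPv6 DNS server addresses carried in option 23."""
    addrs = []
    for blob in msg["options"].get(OPT_DNS_SERVERS, []):
        if len(blob) % 16:
            raise ValueError("DNS server option length is not a multiple of 16")
        for i in range(0, len(blob), 16):
            addrs.append(ipaddress.IPv6Address(blob[i:i + 16]))
    return addrs


def rogue_dns_servers(payload: bytes, allowed: set) -> list:
    """Return advertised DNS servers that are not on the allowlist.

    Only server-to-client messages (ADVERTISE, REPLY) carry DNS settings, so a
    client SOLICIT or REQUEST yields an empty list.
    """
    msg = parse_dhcpv6(payload)
    if msg["type"] not in ("ADVERTISE", "REPLY"):
        return []
    allowed_addrs = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(a) for a in dns_servers(msg) if a not in allowed_addrs]


def build_advertise(txid: int, dns: list) -> bytes:
    """Constructed sample builder: a DHCPv6 ADVERTISE carrying option 23."""
    blob = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return (bytes([2]) + txid.to_bytes(3, "big")
            + struct.pack("!HH", OPT_DNS_SERVERS, len(blob)) + blob)


# Constructed sample traffic: one advertise naming the corporate resolver and
# one pointing clients at a link-local address, the pattern a rogue DHCPv6
# server on the same segment produces.
CORPORATE_DNS = {"2001:db8:10::53"}
LEGIT = build_advertise(0x0A0B0C, ["2001:db8:10::53"])
SUSPECT = build_advertise(0x0A0B0D, ["fe80::1337"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("suspect", SUSPECT)):
        bad = rogue_dns_servers(pkt, CORPORATE_DNS)
        print(f"{name}: {'ALERT ' + ', '.join(bad) if bad else 'ok'}")
```

In practice the payloads would come from a capture of UDP port 546/547 traffic on each VLAN, and an environment that has not deployed IPv6 can simply treat any ADVERTISE or REPLY as an alert; the allowlist form shown here covers sites that do run a legitimate DHCPv6 server.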
If you are concerned about the possibility of this type of attack in your enterprise environment and need technical guidance on prevention, our certified Microsoft team can assist.
Additionally, the security team at Integration Partners tests for this vulnerability on every internal penetration test it conducts and is happy to help your organization determine whether your domain is secure.