fbpx
cybersecurity
education
€ EUR
  • $ USD
  • € EUR

Hacks Weekly #61 – Man in the middle with MITM6 and NTLMRelay

Welcome to another episode of Hacks Weekly! 

This time, we’ll present ways of employing MITM6 and NTLMRelay for man-in-the-middle attacks and credential relaying. MITM6 exploits default Windows DNS configurations to redirect traffic to an attacker’s machine by responding to DHCPv6 messages. We’ll demonstrate how to use MITM6 in conjunction with NTLMRelay for WPAD spoofing and authentication relaying. Additionally, we’ll cover straightforward one simple method to protect against MITM6 attacks and enhance your network security. 

Get ready for a fresh dose of knowledge and valuable tips, explained step-by-step by Mike Jankowski-Lorek, PhD, Cybersecurity Expert, Director of Consulting at CQURE. 

What is MITM6? 

MITM6 is an advanced penetration testing tool that exploits default Windows DNS configurations to facilitate man-in-the-middle (MITM) attacks. It targets mainly networks where IPv6 is enabled but not actively used. By responding to DHCPv6 messages, MITM6 can redirect traffic from vulnerable Windows machines to an attacker’s system. These redirections take place because the Windows operating systems prioritize IPv6 and regularly request DHCPv6 configurations. When a client sends out a request for an IPv6 address, MITM6 listens for these requests and responds with its own configuration, assigning the attacker’s machine as the primary DNS server. 

The mechanism of attack 

  1. DHCPv6 Spoofing: MITM6 acts as a rogue DHCPv6 server. It responds to clients’ requests by providing them with a link-local IPv6 address and setting the attacker’s machine as the DNS server. As a result, the attacker is able to intercept all DNS queries made by the client and redirect them as desired.
  2. Authentication Relaying with NTLMRelay: In order to enhance the attack, MITM6 is often used together with NTLMRelay, capturing NTLM authentication requests from clients. NTLMRelay sends a malicious WPAD (Web Proxy Auto-Discovery) file, prompting clients to authenticate against the attacker’s machine instead of legitimate services. If credentials are captured, they can be later relayed to other services within the network. This can potentially lead to further, dangerous exploitation. 
  3. Traffic Manipulation: With control over DNS responses, attackers can manipulate traffic to redirect users to malicious sites or capture sensitive information. This capability makes MITM6 particularly dangerous in environments where IPv6 is not properly configured, disabled or monitored.

How to protect against MITM6 attacks? 

  1. Disable IPv6 if Not in Use: This step can significantly reduce the surface of an attack, by preventing Windows clients from sending DHCPv6 requests. As a result, it blocks hackers from responding with harmful DNS configurations.
  2. Disable WPAD (Web Proxy Auto-Discovery): If you’re not using WPAD, make sure to disable it via Group Policy settings. This will prevent the attackers from redirecting clients to authenticate against the attacker’s machine instead of legitimate services. 
  3. Implement Security Measures for Authentication: To reduce the risks associated with NTLM relaying, it is recommended to enable SMB and LDAP signing. You can also consider switching to Kerberos authentication to offer a more secure alternative to NTLM. 

Curious to uncover the practical side of man-in-the-middle attacks? Head to our video with Mike!  

Feel free to revisit this episode anytime to brush up on those cyber tips. 

Thank you for being with us, and we look forward to the next one! 

Stay curious and #stayCQURE! 

Mike
Jankowski-Lorek, Ph.D.
Cybersecurity Expert, MCT

Cybersecurity Expert, solution architect, consultant, penetration tester, and developer with more than 20 years of experience in the field. Mike holds multiple certifications, in security, database and software development. He also holds a Ph.D. in Computer Science.

All articles by Mike

You may also be interested in:

How can we help you?

Suggested searches

    Search history

      Popular searches:

      Not sure what course to look for?

      Mobile Newsletter Form