Skip to content

Commit

Permalink
README update and version bump
Browse files Browse the repository at this point in the history
  • Loading branch information
dirkjanm committed Feb 22, 2022
1 parent a39d645 commit 8e75884
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 33 deletions.
56 changes: 25 additions & 31 deletions Readme.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,67 +18,61 @@ You can install the latest release from PyPI with `pip install mitm6`, or the la
After installation, mitm6 will be available as a command line program called `mitm6`. Since it uses raw packet capture with Scapy, it should be run as root. mitm6 should detect your network settings by default and use your primary interface for its spoofing. The only option you will probably need to specify is the AD `domain` that you are spoofing. For advanced tuning, the following options are available:

```
usage: mitm6.py [-h] [-i INTERFACE] [-l LOCALDOMAIN] [-4 ADDRESS] [-6 ADDRESS]
[-m ADDRESS] [-a] [-v] [--debug] [-d DOMAIN] [-b DOMAIN]
[-hw DOMAIN] [-hb DOMAIN] [--ignore-nofqdn]
usage: mitm6 [-h] [-i INTERFACE] [-l LOCALDOMAIN] [-4 ADDRESS] [-6 ADDRESS] [-m ADDRESS] [-a] [-r TARGET] [-v] [--debug]
[-d DOMAIN] [-b DOMAIN] [-hw DOMAIN] [-hb DOMAIN] [--ignore-nofqdn]
mitm6 - pwning IPv4 via IPv6
For help or reporting issues, visit https://github.com/fox-it/mitm6
For help or reporting issues, visit https://github.com/dirkjanm/mitm6
optional arguments:
-h, --help show this help message and exit
-i INTERFACE, --interface INTERFACE
Interface to use (default: autodetect)
-l LOCALDOMAIN, --localdomain LOCALDOMAIN
Domain name to use as DNS search domain (default: use
first DNS domain)
Domain name to use as DNS search domain (default: use first DNS domain)
-4 ADDRESS, --ipv4 ADDRESS
IPv4 address to send packets from (default:
autodetect)
IPv4 address to send packets from (default: autodetect)
-6 ADDRESS, --ipv6 ADDRESS
IPv6 link-local address to send packets from (default:
autodetect)
IPv6 link-local address to send packets from (default: autodetect)
-m ADDRESS, --mac ADDRESS
Custom mac address - probably breaks stuff (default:
mac of selected interface)
-a, --no-ra Do not advertise ourselves (useful for networks which
detect rogue Router Advertisements)
Custom mac address - probably breaks stuff (default: mac of selected interface)
-a, --no-ra Do not advertise ourselves (useful for networks which detect rogue Router Advertisements)
-r TARGET, --relay TARGET
Authentication relay target, will be used as fake DNS server hostname to trigger Kerberos auth
-v, --verbose Show verbose information
--debug Show debug information
Filtering options:
-d DOMAIN, --domain DOMAIN
Domain name to filter DNS queries on (Whitelist
principle, multiple can be specified.)
-b DOMAIN, --blacklist DOMAIN
Domain name to filter DNS queries on (Blacklist
principle, multiple can be specified.)
-hw DOMAIN, --host-whitelist DOMAIN
Hostname (FQDN) to filter DHCPv6 queries on (Whitelist
principle, multiple can be specified.)
-hb DOMAIN, --host-blacklist DOMAIN
Hostname (FQDN) to filter DHCPv6 queries on (Blacklist
principle, multiple can be specified.)
--ignore-nofqdn Ignore DHCPv6 queries that do not contain the Fully
Qualified Domain Name (FQDN) option.
Domain name to filter DNS queries on (Allowlist principle, multiple can be specified.)
-b DOMAIN, --blocklist DOMAIN, --blacklist DOMAIN
Domain name to filter DNS queries on (Blocklist principle, multiple can be specified.)
-hw DOMAIN, -ha DOMAIN, --host-allowlist DOMAIN, --host-whitelist DOMAIN
Hostname (FQDN) to filter DHCPv6 queries on (Allowlist principle, multiple can be specified.)
-hb DOMAIN, --host-blocklist DOMAIN, --host-blacklist DOMAIN
Hostname (FQDN) to filter DHCPv6 queries on (Blocklist principle, multiple can be specified.)
--ignore-nofqdn Ignore DHCPv6 queries that do not contain the Fully Qualified Domain Name (FQDN) option.
```

You can manually override most of the autodetect options (though overriding the MAC address will break things). If the network has some hardware which blocks or detects rogue Router Advertisement messages, you can add the `--no-ra` flag to not broadcast those. Router Advertisements are not needed for mitm6 to work since it relies mainly on DHCPv6 messages.

### Filtering options
Several filtering options are available to select which hosts you want to attack and spoof. First there are the `--host-whitelist` and `--host-blacklist` options (or `-hw` and `-hb` for short), which take a (partial) domain as argument. Incoming DHCPv6 requests will be filtered against this list. The property checked is the DHCPv6 FQND option, in which the client provides its hostname.
The same applies for DNS requests, for this the `--domain` option (or `-d`) is available, where you can supply which domain(s) you want to spoof. Blocking specific domains is also possible with `--blacklist`/`-b`. Both parameters can be specified multiple times to include/block multiple domains (for example `-d domain.local -d otherdomain.local -b somehost.domain.local -b somehost.otherdomain.local`).
Several filtering options are available to select which hosts you want to attack and spoof. First there are the `--host-allowlist` and `--host-blocklist` options (or `-hw` and `-hb` for short), which take a (partial) domain as argument. Incoming DHCPv6 requests will be filtered against this list. The property checked is the DHCPv6 FQND option, in which the client provides its hostname.
The same applies for DNS requests, for this the `--domain` option (or `-d`) is available, where you can supply which domain(s) you want to spoof. Blocking specific domains is also possible with `--blocklist`/`-b`. Both parameters can be specified multiple times to include/block multiple domains (for example `-d domain.local -d otherdomain.local -b somehost.domain.local -b somehost.otherdomain.local`).

For both the host and DNS filtering, simple string matching is performed. So if you choose to reply to `wpad`, it will also reply to queries for `wpad.corpdomain.com`. If you want more specific filtering, use both the whitelist and blacklist options, since the blacklist takes precedence over the whitelist.
For both the host and DNS filtering, simple string matching is performed. So if you choose to reply to `wpad`, it will also reply to queries for `wpad.corpdomain.com`. If you want more specific filtering, use both the allowlist and blocklist options, since the blocklist takes precedence over the allowlist.
By default the first domain specified will be used as the DNS search domain, if you explicitliy want to specify this domain yourself use the `--localdomain` option.

## About network impact and restoring the network
mitm6 is designed as a penetration testing tool and should thus impact the network as little as possible. This is the main reason mitm6 doesn't implement a full man-in-the-middle attack currently, like we see in for example the SLAAC attack.
mitm6 is designed as a penetration testing tool and should thus impact the network as little as possible. This is the main reason mitm6 doesn't implement a full machine-in-the-middle attack currently, like we see in for example the SLAAC attack.
To further minimize the impact, the IP addresses assigned have low time-to-live (TTL) values. The lease will expire within 5 minutes when mitm6 is stopped, which will remove the DNS server from the victims configuration.
To prevent DNS replies getting cached, all replies are sent with a TTL of 100 seconds, which makes sure the cache is cleared within minutes after the tool exits.

## Usage with ntlmrelayx
mitm6 is designed to be used with ntlmrelayx. You should run the tools next to each other, in this scenario mitm6 will spoof the DNS, causing victims to connect to ntlmrelayx for HTTP and SMB connections. For this you have to make sure to run ntlmrelayx with the `-6` option, which will make it listen on both IPv4 and IPv6. To obtain credentials for WPAD, specify the WPAD hostname to spoof with `-wh HOSTNAME` (any non-existing hostname in the local domain will work since mitm6 is the DNS server). Optionally you can also use the `-wa N` parameter with a number of attempts to prompt for authentication for the WPAD file itself in case you suspect victims do not have the MS16-077 patch applied.

## Usage with krbrelayx
You can also use mitm6 to relay Kerberos authentication, especially via DNS. To do this, use the `--relay` parameter and specify a host that you want to relay to. This host will be impersonated, and mitm6 will try to convince your victims to send authenticated dynamic updates using Kerberos authentication to krbrelayx. More info about this attack is available on the following blog: <https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/>

## Detection
The Fox-IT Security Research Team team has released Snort and Suricata signatures to detect rogue DHCPv6 traffic and WPAD replies over IPv6. The signatures are available here: https://gist.github.com/fox-srt/98f29051fe56a1695de8e914c4a2373f
4 changes: 2 additions & 2 deletions setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
reqs = ["scapy>=2.4", "twisted", "netifaces"]

setup(name='mitm6',
version='0.2.2',
version='0.3.0',
description='Pwning IPv4 via IPv6',
license='GPLv2',
classifiers=[
Expand All @@ -22,7 +22,7 @@
],
author='Dirk-jan Mollema / Fox-IT',
author_email='[email protected]',
url='https://github.com/fox-it/mitm6/',
url='https://github.com/dirkjanm/mitm6/',
packages=['mitm6'],
install_requires=reqs,
entry_points= {
Expand Down

0 comments on commit 8e75884

Please sign in to comment.