
So hi all, it's good to see you here. Who here wants to see some magic? I need to see your hands up, then only will I show the magic. Okay, so I'm going to show you an attack that works like magic; I hope that's fine with everyone. I'm going to talk about the IPv6 DNS takeover attack, and the beauty of this attack is that it covers all the phases of the cyber kill chain, be it enumeration, privilege escalation or persistence; this attack has it all. That's the beauty of this attack.

About me: my name is Shashi and I work as a security consultant and Red Team lead at Redfox Security. At Redfox Security we are day in, day out in red team engagements, so I'm taking one of the attacks that we regularly use at Redfox Security and showing it to you here. At the end of my slides I will also show you a live demo of what an attacker can do when they are inside a network and how easy it is for them to gain control over the domain within a few minutes. We'll see that as well. So let's get started.

From the morning we have been hearing about insider threats, insider threats. Now I am going to showcase what an insider threat can do when they are inside a network, or what an attacker can do when they get hold of an entry point into the network. Let's assume this scenario: an insider threat or an attacker gets hold of an Active Directory network, they have no credentials and no privileges in the domain, and the only thing they have is a machine connected to the network. Now what can they do to take over the domain? That's the objective of the attacker, right?
So that's the objective. Now, I hope you remember the very basics of computer networks from your college days; I hope you know what IPv6 and IPv4 are, or what DNS and DHCP are. If not, I will try my best to explain. I would say the world is moving toward IPv6, we all know that, but in our engagements we are seeing that in corporate environments the adoption of IPv6 is still very slow; we are still seeing networks running on IPv4. The catch here is that Windows enables IPv6 for users by default. But the question is: who is managing IPv6 on the network, since the company is using IPv4 in their network and Windows is enabling IPv6 by default? One more thing: IPv6 is preferred over IPv4. So where do all the DNS queries go when there is no IPv6 in the network? The answer is nowhere, and no one is managing it. If you look at the default configuration of a Windows machine, you see both options are enabled by default. That's what Microsoft calls a feature, but as attackers we see it as a misconfiguration. Both the IPv4 and IPv6 settings are enabled by default, and IPv6 is preferred over IPv4, so keep that in mind. If you look at the DHCP as well as the DNS settings, they are also set to be obtained automatically, God knows from where, but both the DHCP server settings and the IP address of the DNS server are set to be obtained automatically.

Now let's also talk about another feature of Microsoft that I see as a misconfiguration: the WPAD protocol, which is the Web Proxy Auto-Discovery protocol. What happens in an enterprise network is that when a Windows system boots up it will look for the IP address of a proxy server, because it wants to send its traffic through the proxy server, but it doesn't know the IP address of the proxy server. So from where will it get the IP address of the proxy server? The IP address of the proxy server is in a file, and that file is located on a WPAD server. And where is the WPAD server? The Windows system knows that the WPAD server is located at the DNS name wpad.<name of the domain>; in our case the name of the domain is delhi.bank.local, so the DNS name of the WPAD server is wpad.delhi.bank.local. But the client still only knows the DNS name; it doesn't know the IP address of that server. So it will make a DNS query to the IPv6 DNS server, because that's the preferred protocol, but since there is no IPv6 DNS server in the domain it will fall back to the IPv4 server and ask the IPv4 DNS server for the address of the WPAD server, and the DNS server will send back the IP address of the proxy server. Now the client knows that the proxy server is located at this IP address, it can just query the WPAD server and look for that file, which is wpad.dat, and in that file it has the IP address of the proxy server. Now the Windows client system knows the IP address of the proxy server and can easily send its traffic through the proxy server and out to the internet. I hope that's clear. We are going to abuse this functionality as well: two functionalities, the default IPv6 settings and this WPAD auto-proxy protocol. Similarly, in an enterprise network all the client systems will do the same: they will get the IP address of the proxy server from the WPAD server and then send all their traffic through the proxy server. And why is this needed in an enterprise network? Because basically they want to see your traffic, simple as that.
They will basically put heavy monitoring tools, IPS and IDS solutions, on this proxy server, and they can easily monitor all of your traffic.

Now, this attack works in three phases. Attack phase number one: as I told you, when a Windows system boots up it doesn't know its IPv6 configuration settings; it doesn't know where the IPv6 DNS server is. So what the client system will do is make a DHCP query in the network, and that DHCP query is broadcast in nature. Since, as I told you, as attackers we are already inside the network, we can just intercept that DHCP query and poison the response, and in this response we send back a fake reply saying "hey, here you go, that's your IP address and that's your DNS server", and it will allocate that DNS server role to us. Basically, using this mitm6 tool, which we run on the attacker machine, we create a fake configuration and set ourselves as the default DNS server for the domain. Once the DNS server and the IP settings are set on the client machine, for all of its communication, or for all of its name resolution, it will call us, the attacker machine; it simply thinks that we are the DNS server. Now that we are acting as the DNS server, we can fake any of the replies, and that's what we have done. As I told you, when the Windows system boots up it also looks for the IP address of the WPAD server; it only knows the DNS name. Again, since we are now the IPv6 DNS server, it will contact us and we will send back a fake reply saying that we are the server from now on. Same thing here: using the mitm6 tool we create a rogue DHCP server and advertise ourselves as the default DNS server to the devices on the network; from now on all the name resolution queries will come to us, and we can use this position to intercept and alter the communication between the two devices.

That brings us to attack phase two. In attack phase two we are already the DNS server. Now the Windows system will look for the wpad.dat file to get the IP address of the proxy server. We are going to use another tool called ntlmrelayx, and this ntlmrelayx tool is going to create a fake WPAD server and host a wpad.dat file, and in that wpad.dat file we again fake the response: we tell the client that this IP address, which is our IP address, is the IP address of the proxy server. From now on all the traffic will go through the proxy server, which is us, so we can do a lot of man-in-the-middle things there. Now let's suppose a user logs into their machine and wants to go to google.com and search something. The HTTP request will come to us, and what this tool will do is, in response to that request, send an HTTP 407 Proxy Authentication Required. That's the response it will send, and the silly Windows system thinks that we are the real server, so it will give us the HTTP authentication, and in that HTTP authentication it will have the NTLMv2 hash of the user that is making the search query. Now we have the NTLMv2 hash of the user. This hash cannot be used to log in to systems directly, but we can relay this hash to a domain controller, where all the goodies are, and then we can ask the domain controller to do malicious things for us. That's what we are going to do. To summarize again: since we are intercepting the IPv6 traffic using the mitm6 tool, we are intercepting the authentication requests as well, and then we relay the authentication request to the domain controller. Let's suppose a domain administrator is making that authentication request; what can we do with the credential or the hash of a domain admin? We can do a lot in an Active Directory environment.

Attack phase three: we are going to perform a DCSync attack with the privileges of the domain admin credentials. First we ask the domain controller to create a user for us, then we ask the domain controller to escalate that user to have the privileges to perform a DCSync attack on the domain controller. What is this DCSync attack? In simple terms, we can download the database files from the domain controller, and in that database file we have the credentials of all the users, even the domain admin. So that's the third thing: we will perform a DCSync attack and download all the data that we need. Same thing: when an administrator or a high-privilege account logs in, the credentials are relayed to LDAPS on the domain controller. Basically we are relaying the HTTP authentication to the LDAP service that is running on the domain controller, and we are asking the domain controller to perform certain things: first create a user, then give the user the replication get all privileges on the domain, and with those rights we can request everything out of Active Directory, including the password hashes of all the users that are present in the domain.

So I have a practical demo here. I will show you live how easy it is in Active Directory environments to take over the entire domain within a few minutes; that's what we have been doing in our red team engagements for a long time. Just give me two minutes and I will be back there; because of some technical difficulties I could not perform it from here, so I will show it from the back.
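As an added example, not part of the talk and not a Redfox Security tool: a PowerShell audit a defender can run on a Windows client to check whether it is in the state the three phases above rely on, that is, an IPv6 address handed out by DHCPv6, an IPv6 DNS server the client should never have received, and a resolved wpad name pointing somewhere it should not. It assumes the organisation runs no DHCPv6 and no IPv6 DNS server (the talk's scenario); the $KnownIPv6DnsServers allowlist parameter is hypothetical and defaults to empty.

```powershell
# Added example (not from the talk): audit a Windows client for the state
# mitm6 leaves behind after attack phase one. Assumption: the organisation
# runs no DHCPv6 server and no IPv6 DNS server, so any DHCP-assigned IPv6
# address or any IPv6 DNS server is unexpected. Run on the client, not the DC.

function Get-RogueIPv6Indicators {
    [CmdletBinding()]
    param(
        # Hypothetical allowlist: IPv6 DNS servers the organisation really operates.
        # Empty by default because the talk's scenario has none.
        [string[]] $KnownIPv6DnsServers = @()
    )

    $findings = @()

    # 1. IPv6 addresses handed out by DHCPv6. A rogue DHCPv6 server is how
    #    mitm6 gets the client to accept it as DNS server, so a PrefixOrigin or
    #    SuffixOrigin of 'Dhcp' on IPv6 is a strong indicator in an IPv4-only network.
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' -or $_.SuffixOrigin -eq 'Dhcp' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'DHCPv6-assigned address'
                Interface = $_.InterfaceAlias
                Value     = $_.IPAddress
            }
        }

    # 2. IPv6 DNS servers configured on any interface. Windows prefers an
    #    IPv6 DNS server over the IPv4 one, which is exactly what the attack
    #    relies on; anything not in the allowlist is suspect.
    Get-DnsClientServerAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                if ($KnownIPv6DnsServers -notcontains $srv) {
                    $findings += [pscustomobject]@{
                        Indicator = 'Unexpected IPv6 DNS server'
                        Interface = $_.InterfaceAlias
                        Value     = $srv
                    }
                }
            }
        }

    # 3. A cached answer for wpad.<domain> shows the client has already been
    #    told where to fetch wpad.dat from. Compare the answer with the real proxy.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like 'wpad.*' -and $_.Data } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'wpad name resolved'
                Interface = '-'
                Value     = "$($_.Entry) -> $($_.Data)"
            }
        }

    return $findings
}

# Usage: list the findings; an empty result means none of the three indicators fired.
Get-RogueIPv6Indicators | Format-Table -AutoSize
```

Each finding is returned as an object rather than printed, so the same function can feed a scheduled task or an endpoint agent that raises an alert when the first two indicators appear on a network that has no IPv6 at all; the third indicator is informational, since a legitimately proxied network resolves wpad too, and needs comparison against the real proxy address.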
Okay, I think you all can see my screen, right? We are simulating ourselves as an attacker, and we are inside the network. If you see, we have the domain controller running up here, I think that's the one, and we have our Kali machine that is connected to the local network; that's not a network of a real corporate environment, that's my local lab. First we are going to spoof the IPv6 traffic. For that I am going to use a tool called mitm6, and I'm going to listen on the local interface, that's eth0, and the domain in my case is delhi.bank.local. In conjunction with this tool I am going to run another tool called impacket ntlmrelayx. Let me zoom it; I hope that's visible now. You see I am running this ntlmrelayx tool, the target is the LDAP server on the domain controller, I am enabling SMB support, and here I am basically starting up a fake WPAD server. The scenario here is that right now we are just inside the network and we don't have anything on the network; we don't even have the credentials of a low-privilege user. So let's use this attack. I'm going to create a directory called loot here; what this tool will do is query the information from the domain controller and put all the information in this directory. Let me run this tool, and let me run this tool as well, mitm6. Okay, it has already started poisoning responses. Let's take the scenario where we are in the Active Directory network and in the morning a Windows system boots up. Let's do that, that's a pretty normal activity, right, and let's see the mitm6 tool in action.

Okay, now if you see here, this tool has already poisoned the response for this WEB01 server. And if we look at this mitm6 tool here, now the tool thinks, sorry, the server thinks that we are the proxy server here, sorry, the WPAD server here. Then it will ask us for the wpad.dat file, and with that file we can again poison the response and tell it "hey, we are the proxy server, and now you can send all the traffic requests to me". The Windows system will send the traffic requests to us, and then we can ask for the authentication, and using that authentication we can do a lot of things, which we are going to see just now. So let's wait; that's what we also do in our engagements, wait and have a cup of coffee. Okay, it looks like this machine is not giving us the credentials, I think, so anyway let me just boot up another machine. Okay, it already worked; we should have waited a bit more. If you see here, we got an authentication request from this WEB01 machine, that's this machine, and then we have relayed the credentials of this machine to the domain controller, which is located at 10.0.3, and if you see, the authentication also succeeded and we are basically dumping domain information from the domain controller. Now let me just close this attack, and let me go into this directory; if you see, how beautifully this tool has given us the information. Let's look at one of these files. As I told you, initially when we were in the network we didn't have anything on the network; we didn't even know who the users are, what the groups are, what the OSes in the domain are. But if you see now, we have all the necessary things with us: the users, domain users, groups, when the password was set, when the password expires. Sometimes you get lucky and get a password in the description field. If you are thinking that's too easy, that's the reality of the corporate environment; in our engagements we are regularly seeing that the sysadmins are putting their credentials in the description field.

But suppose a scenario in which we don't even get the credentials using this attack. That's the beauty of this attack: this tool can generate credentials for us. Let's forget this credential for now and run this tool again, but instead of loot let me just add computer. We can even add computers or users, since every user has the ability, or the privileges, to add up to 10 computers in a domain, so let's just add a computer. Let's do that. Okay, we are already seeing some traffic. Let me do one thing: let's have a simple scenario where a user is logging in on the web server. Let's take a normal user; I think the name is Richard. Okay, the user has now logged in to the network, and let's suppose they want to go to google.com and do their normal activity. Obviously it will not work, because we are now the DNS server here. I think I might have to restart this attack, let's see. Okay, you see, it's silly, but if you see, it has generated a username, and I will show you where. Basically mitm6 has already poisoned the response, and what this tool, ntlmrelayx, has done is take the authentication request from the Richard user, relay that user's credentials to the domain controller, and ask the domain controller to create a computer account for us, and it has given us the username, that's the computer name, as well as the password of the computer account. Why can a normal user do that? Because they have the privileges to add up to 10 computers in the domain. So now if you see, we have a credential, a valid credential, so let's verify that credential as well. Let me just copy this; that's my way of storing information. Let's use the CrackMapExec tool to verify whether the credentials are valid or not. I've already tried it, but these are the new credentials that it has generated; let me just copy them, and the password is this. I'm not sure whether there is a dot there or not; you will see. Oh, if you see, we see a green sign here; what does a green sign mean? Success. So now we do have valid credentials in the domain, but as an attacker we are not happy with that; we want domain admin privileges in the domain. So again this attack can help us with that.

So let's do that again. This time, instead of creating a user, we want to escalate this user; as I have shown you in the slides, this tool will basically grant DCSync privileges to this user, or this computer account I would say. Let me just copy the username, and this time let's escalate this user and run it. Okay, so using the credentials of the Richard user we cannot do that; that's what it tried to do here. I think this time it tried to use the credentials of the WEB01 machine, but this computer account doesn't have the privileges to escalate that user. So let's again do a normal behaviour: this time let's suppose a domain admin logs into the domain. Let's sign out this user, and this time let's emulate that a domain admin user logs into the domain, which is, I think, that's the name of the domain, and the domain admin name is administrator. Let me type in the password. Okay, now the domain admin has logged on to this web server; that's a pretty normal activity, all domain admins do that in their environment. Again let's open Google Chrome, and this time again let's go to any site, let's go to redfoxsec.com, and if you see, the site is down. It's not that the site is down; it's basically that we, the attacker machine, are now the DNS server, that's why it's not reaching out there. So let me again just close this attack from here, rerun the attack and wait. Okay, if you see, let's read: this time we are authenticating against the domain controller, and now the attacker machine has the NTLMv2 hash of the domain administrator. What it has done, using the domain admin privileges, is escalate that user, our user, and grant it the replication get all privileges, which is the DCSync privilege in the domain. And what can we do with these privileges? Basically we can dump out the information from the domain controller, so let me just do that as well. I'm going to use another tool called impacket secretsdump. Let me copy; I think these are the credentials, this user is now escalated, basically it has the privileges. Let me also copy this password as well and type in the password. And if you see, how within a few minutes I have gained access to all the password hashes in the domain. What do these password hashes include? They include the password of the domain administrator as well as the krbtgt account that is used for golden tickets, but that's a talk for later. What's important here is that we have the hash of the domain administrator, which is C3DD-28; let's copy this down and verify it again. I'm going to use CrackMapExec, and this time I'm going to do pass-the-hash; let's give administrator there, and if you see the pwned return here, it means that we have pwned the domain controller, which means we have gained control over the entire domain. So you see how easy it is that within a few minutes we are completing our engagements. So yeah, that's how easy this attack is to perform. So again, I think, where is Prashant? Yeah, I think the demo is done here. Yeah, sure, please change; after this we can discuss. Okay, wait, wait, wait. So that was the walkthrough. These are the commands that I
used: the mitm6 tool to poison the DNS queries, then the impacket ntlmrelayx tool to relay the credentials, and the impacket secretsdump tool to dump all the NTLM hashes, or the passwords you can say, from the domain controller. Okay, so when you're running this attack you have to be very careful. Why? Because you are simply playing with the IP settings of the network; you are changing the DNS settings of all the client systems in the domain, so it can bring down the entire domain. So in our engagements, be very careful if you're performing this attack. I will tell you how we are performing this attack at Redfox Security: basically we are running this attack for a few minutes every hour so that it has minimal impact on the network. If you run this attack and forget that it's running, it is going to break down the entire network, so be very careful with this attack.

Okay, now let's talk about the mitigations, how we can protect against this attack. The best way is to disable IPv6 altogether, right, but it might cause some issues in the network, so what you can also do is opt for firewall rules that block the IPv6 traffic, and hence the traffic will not reach the attacker. Or, if WPAD is not being used, then it must be disabled using the group policy settings. The best thing you can do for your domain controller is to enable LDAP signing and LDAP channel binding as well as SMB signing, to prevent all kinds of relay-based attacks. So that's what you can do to mitigate against these attacks, all the relay-based attacks; this IPv6 attack is just one of the relay-based attacks, there are more. These are the references for the tools and the websites that you can go ahead and look at. Thank you all, thank you for being an amazing audience.
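As an added example, not from the talk and not a Redfox Security script: PowerShell that applies the mitigations just listed. The talk recommends the group policy route for WPAD; this script sets the equivalent local state so the effect can be checked on one host before a GPO is rolled out. It assumes the host has no legitimate need for DHCPv6, router advertisements or WPAD, and the $IsDomainController switch is hypothetical, selecting the LDAP and SMB signing settings that belong only on a domain controller. The firewall rule display names and registry values are the ones Windows ships with.

```powershell
# Added example (not from the talk): apply the mitigations for the IPv6 DNS
# takeover and the NTLM relay it leads to. Run elevated. The client-side part
# (firewall, WPAD) can go to every workstation; the DC part only to domain
# controllers. $IsDomainController is a hypothetical switch set per host.

param([switch] $IsDomainController)

# --- Client side: stop accepting rogue DHCPv6 and router advertisements ---
# Blocking these two built-in inbound rules keeps IPv6 enabled (so nothing
# that depends on it breaks) while denying an attacker the DHCPv6 path mitm6 uses.
$ipv6Rules = @(
    'Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)',
    'Core Networking - Router Advertisement (ICMPv6-In)'
)
foreach ($name in $ipv6Rules) {
    Get-NetFirewallRule -DisplayName $name -ErrorAction Stop |
        Set-NetFirewallRule -Action Block -Enabled True
}

# --- Client side: turn off WPAD when no proxy auto-discovery is in use ---
# Disabling the WinHTTP Web Proxy Auto-Discovery service removes the wpad.dat
# lookup that attack phase two abuses. Start=4 is 'Disabled'; it takes effect
# at the next reboot.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
    -Name Start -Value 4 -Type DWord

if ($IsDomainController) {
    # --- DC side: require LDAP signing and channel binding ---
    # LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always.
    # A relayed NTLM authentication cannot satisfy either, so the LDAP relay
    # target stops working even if a hash is still captured on the wire.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity       -Value 2 -Type DWord
    Set-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -Value 2 -Type DWord

    # --- DC side: require SMB signing for the SMB relay variant ---
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# Report the resulting state so the change can be verified from the same console.
[pscustomobject]@{
    Dhcpv6InAction = (Get-NetFirewallRule -DisplayName $ipv6Rules[0]).Action
    RaInAction     = (Get-NetFirewallRule -DisplayName $ipv6Rules[1]).Action
    WpadSvcStart   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc').Start
    SmbSigning     = (Get-SmbServerConfiguration).RequireSecuritySignature
}
```

Blocking the two inbound rules is the option the talk calls the firewall alternative to disabling IPv6: the stack stays up, but a rogue DHCPv6 server or router advertisement on the segment can no longer push an address or a DNS server onto the client. The LDAP and SMB settings address the second half of the attack, the relay, and apply regardless of which name-poisoning trick delivered the authentication.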