One of the best ways to hack in .Its another form of relaying and its much more reliable then the SMB Relay becuase it uses IPv6 .Chances are in most oif the computers you have Ipv6 enabled but you are using IPv4.So if we are utilizing IPv4 and IPv6 is just there who is doing DNS for that and thats where we come in .So we spoof our selves as the DNS server for IPv6 we will listen for all IPv6 messages that come in so they send all their IPv6 trafic to us and when this happened we can get authentication to the Domain Controller via LDAP or via SMB .For example when we a reebot a machine the event goes through us and we can use that machine to log in to the Domain Controller we can use that machine to also create another machine.That comes to us in the form of NTLM and we do LDAP relay over domain controller with NTLM credentials and guess what we create an account and it creates an account for us we use a tool called mitm6 .
So lets google mitm6 github and then there is one called fox-it one and we clone it in our opt folder and now cd into that folder and then lets say pip3 install . and thats it we have it installed.
This is a thing we have to do in our Server Manger so we will add a certificate and to do that we go to manage > add roles and feature > Click next 3 times and in the Server Roles select Active Directory Certificate Services and it will do pop up and we click on add feature and then we next for 3 times and then in the Role Services we do certification Authority and click next and then click restart the destination server if required and hit install and it should install.After its done click on the Flag and click on configure and it will take us to Role Services and we select Certification Authority click next till we reach Validitiy Period and select 99 years and then just click next and at the end click configure.And now lets reboot the server and gg LDAPS is configured.
So lets run mitm6 with our domain first .We run it like this
mitm6 -d DomainName
and then lets use ntlmrelayx.py with IPv6 and ldaps the 6 signifies Ipv6 and ldaps is for ldaps
[ntlmrelayx.py](<http://ntlmrelayx.py>) -6 -t ldaps://DomainControllerIP -wh fakewpad.domain.local -l lootme
-l is for loot if set this up this will dump out some information that will be usefull for us.
So Lets restart our windows 10 machine the Frank Castle one or anyone and this will speed up the process and it will send a renew reply to us with IPv6 and thats where our mitm6 will work and gg in our Ntlmrelayx it would try to authenticateit will show us what its authicating as and stuff like that on the terminal screen.Its gonna look for prevelagies that it has and it sgonna dump any usefull information in the lootme folder we set up with -l
and you can see there is soo soo much cool stuff here
and then lets try to do firefox domain_users_by_group to see that table and this is where like the sql service we set up with like the password in its description is visible to us.
And this is super duper easy to do and we normally get this IPv6 requests every 30 minutes and we can see and enumerate on who to attack with this information.And when the admin logs in the computer and ntlmrelayx will try to create to new user for us with random username and password.And now we own we get a lot lot of information for us .And if you refresh the user list on the server we will have a new user.
You can see this attacks capability here : https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/