ID05 | IPv6
IPv6 is enabled by default and takes precedence over IPv4 for DHCP and DNS. This allows poisoning of machines that look for a DHCPv6 server (by answering their solicitations as the DHCPv6 server).
References:
Fox-IT (mitm6 - compromising IPv4 networks via IPv6)
crusher blog (Combining NTLM Relaying and Kerberos delegation)
Table of available actions, states, and targets

| Vulnerability ID | | Trigger available | Default state | Default target |
|---|---|---|---|---|
| 05 | GPO | Yes | Present | srv02 |
Launch
Enable
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/05.yml --extra-vars "action=enable"
Disable
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/05.yml --extra-vars "action=disable"
Trigger
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/05.yml --extra-vars "action=trigger"
Tip
You may need to run this command several times if no poisoning occurs.
Implementation
Enable
IPv6 is enabled by default.
To re-enable it after it has been disabled, a set of firewall rules
is enabled and set to Allow.
Reference:
Disable
A set of firewall rules is enabled and set to Block.
Reference:
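The Enable and Disable actions above toggle firewall rules between Allow and Block. As an added example that is not part of the lab's playbooks, the following PowerShell audits and toggles the DHCPv6 rules directly on a Windows host; the rule display names are assumed to be the stock Windows "Core Networking" DHCPv6 rules.

```powershell
# Added example, not from the lab's own code. Assumes the built-in Windows
# firewall rules for DHCPv6 carry these display names (stock Windows 10/Server).
$dhcpv6Rules = @(
    "Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)",
    "Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)"
)

# Show whether the DHCPv6 rules are currently allowing or blocking traffic.
function Get-Dhcpv6RuleState {
    Get-NetFirewallRule -DisplayName $dhcpv6Rules |
        Select-Object DisplayName, Enabled, Action, Direction
}

# Enable the rules and set them to Block (hardened) or Allow (lab default).
function Set-Dhcpv6Blocked {
    param([Parameter(Mandatory)][bool]$Blocked)
    $targetAction = if ($Blocked) { 'Block' } else { 'Allow' }
    foreach ($name in $dhcpv6Rules) {
        Set-NetFirewallRule -DisplayName $name -Enabled True -Action $targetAction
    }
    Get-Dhcpv6RuleState
}

# Audit the current state first, then apply the equivalent of the Disable action.
Get-Dhcpv6RuleState | Format-Table -AutoSize
Set-Dhcpv6Blocked -Blocked $true | Format-Table -AutoSize
```

Run from an elevated PowerShell session on the target host; `Set-Dhcpv6Blocked -Blocked $false` restores the Allow state that the Enable action produces.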
Trigger
The target machine is restarted so that an IPv6 lookup is triggered. A DHCPv6 server can then pick up any IPv6 solicitation.
Note: restarting the server is (for now) the most efficient way I found to trigger IPv6 lookups.
Reference:
Customization
You can choose a target other than the default one.
host_name = srv01 | srv02
action = enable | disable | trigger
Caution
Setting dc01 in the host_name variable is not recommended:
it is the domain controller, and doing so may break interesting attacks on IPv6.
Example with srv01:
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/05.yml --extra-vars "action=trigger host_name=srv01"