3 min to read
mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server.
It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attackers host as default DNS server. As DNS server, mitm6 will selectively reply to DNS queries of the attackers choosing and redirect the victims traffic to the attacker machine instead of the legitimate server.
Dependencies and installation
mitm6 is compatible with both Python 2.7 and 3.x. You can install the requirements for your version with pip install -r requirements.txt.
For python 2.7, it uses the ipaddress backport module. You can install the latest release from PyPI with pip install mitm6, or the latest version from source with python setup.py install after cloning this git repository.
After installation, mitm6 will be available as a command line program called mitm6. Since it uses raw packet capture with Scapy, it should be run as root. mitm6 should detect your network settings by default and use your primary interface for its spoofing. The only option you will probably need to specify is the AD domain that you are spoofing. For advanced tuning, the following options are available:
usage: mitm6.py [-h] [-i INTERFACE] [-l LOCALDOMAIN] [-4 ADDRESS] [-6 ADDRESS] [-m ADDRESS] [-a] [-v] [--debug] [-d DOMAIN] [-b DOMAIN] [-hw DOMAIN] [-hb DOMAIN] [--ignore-nofqnd] mitm6 - pwning IPv4 via IPv6 For help or reporting issues, visit https://github.com/fox-it/mitm6 optional arguments: -h, --help show this help message and exit -i INTERFACE, --interface INTERFACE Interface to use (default: autodetect) -l LOCALDOMAIN, --localdomain LOCALDOMAIN Domain name to use as DNS search domain (default: use first DNS domain) -4 ADDRESS, --ipv4 ADDRESS IPv4 address to send packets from (default: autodetect) -6 ADDRESS, --ipv6 ADDRESS IPv6 link-local address to send packets from (default: autodetect) -m ADDRESS, --mac ADDRESS Custom mac address - probably breaks stuff (default: mac of selected interface) -a, --no-ra Do not advertise ourselves (useful for networks which detect rogue Router Advertisements) -v, --verbose Show verbose information --debug Show debug information Filtering options: -d DOMAIN, --domain DOMAIN Domain name to filter DNS queries on (Whitelist principle, multiple can be specified.) -b DOMAIN, --blacklist DOMAIN Domain name to filter DNS queries on (Blacklist principle, multiple can be specified.) -hw DOMAIN, --host-whitelist DOMAIN Hostname (FQDN) to filter DHCPv6 queries on (Whitelist principle, multiple can be specified.) -hb DOMAIN, --host-blacklist DOMAIN Hostname (FQDN) to filter DHCPv6 queries on (Blacklist principle, multiple can be specified.) --ignore-nofqnd Ignore DHCPv6 queries that do not contain the Fully Qualified Domain Name (FQDN) option.
If the network has some hardware which blocks or detects rogue Router Advertisement messages, you can add the –no-ra flag to not broadcast those. Router Advertisements are not needed for mitm6 to work since it relies mainly on DHCPv6 messages.
Network Impact mitm6 is designed as a penetration testing tool and should thus impact the network as little as possible. This is the main reason mitm6 doesn’t implement a full man-in-the-middle attack currently, like we see in for example the SLAAC attack. To further minimize the impact, the IP addresses assigned have low time-to-live (TTL) values. The lease will expire within 5 minutes when mitm6 is stopped, which will remove the DNS server from the victims configuration. To prevent DNS replies getting cached, all replies are sent with a TTL of 100 seconds, which makes sure the cache is cleared within minutes after the tool exits.