mitm6: compromising IPv4 networks via IPv6

I. Introduction

Although IPv6 is gradually being rolled out across the Internet, its use inside corporate networks is still rare. What most companies do not realise is that, even if they do not actively use IPv6, every Windows system since Windows Vista (including the server editions) has IPv6 enabled and prefers it over IPv4. In this article we describe an attack that abuses the default IPv6 configuration of Windows to act as a malicious DNS server, spoof DNS replies and redirect network traffic to an endpoint chosen by the attacker. In the second phase of the attack, the (notorious) WPAD (Windows Proxy Auto-Discovery) feature is abused to relay credentials and authentication to various services in the network. Fox-IT has released a tool called mitm6 that implements this attack; the code can be downloaded from Fox-IT's GitHub page.

II. IPv6 attacks

IPv6 adoption is slow, and technical resources on abusing IPv6 are far scarcer than those for IPv4. While every book and course mentions ARP spoofing and similar techniques, IPv6 is rarely covered, and there are few tools for testing or abusing IPv6 configurations. The THC IPv6 attack suite is one of the few available and was one of the sources of inspiration for mitm6. The attack described in this article is a subset of the SLAAC attack idea, which Alex Waters described on the Infosec website in 2011. The main idea of the SLAAC attack is to create a malicious IPv6 router that becomes the man in the middle for all traffic in the target network, and then to attack various services through it. Shortly afterwards, Neohapsis released a tool called suddensix that automates this attack.

The SLAAC attack has drawbacks: it requires creating an IPv6 overlay on top of the existing IPv4 network for every device currently on it. For a penetration test this is far from ideal, as it quickly destabilises the network. The attack also relies on many external packages and services to work properly. mitm6 was written to address these shortcomings. It is easy to set up, attacks specific hosts selectively, spoofs DNS replies and minimises interference with the normal operation of the target network. All that is needed is a single Python script; it requires essentially no configuration before running and starts attacking within seconds. The tool has a built-in timeout, so once the attack is over the whole network returns to its previous state within minutes.

III. The mitm6 attack

Phase 1: Taking over the primary DNS server

mitm6 starts by listening on the primary interface of the attacker's host and watching for Windows hosts that request their IPv6 configuration via DHCPv6. Since Windows Vista, every Windows host requests this configuration periodically by default. This can be seen in the Wireshark capture below:

[Figure: Wireshark capture of the periodic DHCPv6 requests sent by a Windows host]

mitm6 replies to these DHCPv6 requests and assigns the victim hosts an IPv6 address in the link-local range. In a real IPv6 network these addresses are assigned automatically by the host itself and do not require a DHCP server at all. This gives us the opportunity to set the attacker's IP address as the default IPv6 DNS server of the victims and to serve DNS to them. Note that mitm6 currently only targets Windows-based operating systems, since other operating systems such as macOS and Linux do not use DHCPv6 to configure their DNS servers.

mitm6 does not announce itself as a gateway, so hosts in the target network will not attempt to communicate over IPv6 with hosts outside their own network segment or VLAN. This limits the impact of the attack on the network as a whole: mitm6 does not try to man-in-the-middle all traffic in the network, but selectively spoofs replies for some hosts (the attacker can specify a filter for the domains to spoof when running mitm6).

The mitm6 attack is illustrated in the figure below. The tool automatically detects the IP configuration of the attacker's host and replies to the DHCPv6 requests sent by clients in the network, specifying the attacker's IP address as the DNS server in the reply. As an optional feature, mitm6 can also periodically send Router Advertisement (RA) messages to remind clients that an IPv6 network is present and that an IPv6 address should be obtained via DHCPv6. In some cases this speeds up the attack, but it is not required; if the target network has deployed a defence such as RA Guard against SLAAC attacks, consider whether to enable this feature.

[Figure: overview of the mitm6 attack, with DHCPv6 replies pointing clients at the attacker's DNS server]
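A defender-side check for this phase, added here as an example that is not part of the original article or of mitm6: it parses DHCPv6 Advertise/Reply messages and flags any DNS server handed out in option 23 (OPTION_DNS_SERVERS) that is not on an allowlist, which is how an unexpected DHCPv6 responder of the kind described above shows up in a capture. The function names, the allowlist and the two sample messages are constructed for this example.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 3315, RFC 3646)
ADVERTISE, REPLY = 2, 7
OPTION_SERVERID, OPTION_DNS_SERVERS = 2, 23

def parse_dhcpv6(payload):
    """Parse a DHCPv6 message (UDP payload) into msg-type, transaction id and (code, data) options."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    options, pos = [], 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option %d" % code)
        options.append((code, data))
        pos += 4 + length
    return {"type": payload[0], "xid": int.from_bytes(payload[1:4], "big"), "options": options}

def offered_dns_servers(msg):
    """Every IPv6 address carried in OPTION_DNS_SERVERS (16 bytes per address)."""
    return [ipaddress.IPv6Address(data[i:i + 16])
            for code, data in msg["options"] if code == OPTION_DNS_SERVERS
            for i in range(0, len(data) - 15, 16)]

def rogue_dns_servers(payload, allowed):
    """DNS servers offered by an Advertise/Reply that are not on the allowlist; [] for other types."""
    msg = parse_dhcpv6(payload)
    if msg["type"] not in (ADVERTISE, REPLY):
        return []
    allowed_set = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(a) for a in offered_dns_servers(msg) if a not in allowed_set]

def build_dhcpv6(msg_type, xid, options):
    """Serialise a DHCPv6 message; used here only to construct sample input."""
    body = bytearray([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return bytes(body)

# Constructed samples (not real captures): a legitimate Reply and one naming an unexpected link-local DNS server.
ALLOWED_DNS = ["2001:db8:1::53"]
LEGIT_REPLY = build_dhcpv6(REPLY, 0x1A2B3C, [
    (OPTION_SERVERID, b"\x00\x01" + b"\x11" * 12),
    (OPTION_DNS_SERVERS, ipaddress.IPv6Address("2001:db8:1::53").packed)])
ROGUE_REPLY = build_dhcpv6(REPLY, 0x1A2B3D, [
    (OPTION_SERVERID, b"\x00\x03" + b"\x22" * 8),
    (OPTION_DNS_SERVERS, ipaddress.IPv6Address("fe80::1234").packed)])
```

Feeding `rogue_dns_servers` the UDP payloads of DHCPv6 packets from a capture (or a network sensor) and alerting on any non-empty result gives a simple detector for this phase; the same check applies to Advertise messages, which the example handles too.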

Phase 2: DNS spoofing

On the victim host we can see that our server has been configured as the DNS server. Because Windows prioritises IPv6 over IPv4, the IPv6 DNS server takes precedence over the IPv4 one, so the Windows host will query the IPv6 DNS server for both A (IPv4) and AAAA (IPv6) records.

[Figure: the attacker's address shown as the configured DNS server on the victim host]

Next, our goal is to make the client connect to the attacker's host instead of the legitimate server. Our ultimate goal is to have the user, or the browser, automatically authenticate to the attacker's host, which is why we spoof URLs in the internal network testsegment.local. In the screenshot from phase 1 you can see that, as soon as the client has been assigned an IPv6 address, it immediately requests information about wpad.testsegment.local. We will abuse this behaviour during the attack.

IV. Exploiting WPAD

Abusing WPAD before MS16-077

Windows Proxy Auto-Detection has long been a controversial topic, and penetration testers have been abusing it for years. Under normal circumstances it is used in corporate networks to automatically discover a network proxy through which the Internet is reached. The wpad.dat file holding this information is served by a server whose address, in earlier versions, first had to be resolved via DNS; if DNS could not resolve it, the system fell back to insecure broadcast protocols such as Link-Local Multicast Name Resolution (LLMNR). An attacker could answer these broadcast name-resolution requests, claim that the WPAD file was hosted on an attacker-controlled server, and then require authentication to access the file. By default Windows authenticated automatically, without any user interaction. This gave the attacker the NTLM credentials of the user logged on to that host, which could then be used in an NTLM relay attack to authenticate to legitimate services.

However, in 2016 Microsoft released security bulletin MS16-077, which added two important protections to mitigate this kind of attack:

1. The location of the WPAD file can no longer be resolved via broadcast protocols; only DNS can be used for this.

2. Even if the server explicitly requests authentication, the system no longer authenticates automatically.

Although we still frequently find hosts in target networks that are not fully patched, still request WPAD via LLMNR and still authenticate automatically, we see more and more companies updating their networks, after which the old way of exploiting WPAD no longer works.

Exploiting WPAD after MS16-077

mitm6 easily bypasses the first protection (that WPAD may only be requested via DNS). As soon as a victim host has set the attacker's server as its IPv6 DNS server, it immediately queries for the network's WPAD configuration. Because these DNS queries arrive at the attacker's host, the attacker can answer them with its own IP address (IPv4 or IPv6, depending on which kind of address the victim requested). Even if the target is already using a WPAD file, mitm6 still succeeds (although in that case the victim host will no longer be able to reach the Internet).

The second protection, under which Windows no longer supplies credentials by default, requires some extra work. When the victim host requests the WPAD file, we no longer request authentication; instead we serve a valid WPAD file that designates the attacker's host as the proxy server. From then on, whenever an application on the victim host uses the Windows API to connect to the Internet, or the victim starts browsing the web, the attacker's host is used as the proxy. This applies to Edge, IE, Firefox and Chrome, all of which follow the WPAD system settings by default.

When the victim host then connects to our "proxy", we can recognise this from the HTTP CONNECT verb or from a GET request carrying a full URI path, and reply with an HTTP 407 error (Proxy Authentication Required), which differs from the status code normally used to request authentication (HTTP 401).

IE/Edge and Chrome (which uses the IE settings) authenticate to the proxy automatically, even on the latest versions of Windows. In Firefox this is a user-configurable option, but it is enabled by default.


Windows now obediently sends the NTLM challenge/response to the attacker, who can relay it to various services. In this relay scenario the attacker can access services, websites and shares as the victim, and if the victim has sufficient privileges the attacker can even execute code on other hosts or take over the entire Windows domain. We described further ways to exploit NTLM relaying in earlier blog posts; see those for the details.

V. The full attack

Having explained the principle, the attack itself is not complicated. Once mitm6 is running, it starts replying to DHCPv6 requests and answering DNS queries in the internal network. For the second phase we use ntlmrelayx to perform the relay attack. ntlmrelayx is part of the impacket library from Core Security; it is an improved version of smbrelayx and supports relaying to multiple protocols. Core Security and Fox-IT have recently been collaborating on ntlmrelayx and added several new features: relaying over IPv6, serving a WPAD file, automatically detecting proxy requests, and prompting the victim host for authentication in the appropriate way. If you want to know exactly which features were added, take a look at the source code on GitHub.

To serve a WPAD file, we only need to pass the host name on the command line with the -wh parameter, which specifies the host that hosts the WPAD file. Because we control DNS via mitm6, we can use any host name that does not exist in the victim's network. To make ntlmrelayx listen on both IPv4 and IPv6, we use the -6 parameter. In the two screenshots below, mitm6 is selectively spoofing DNS replies while ntlmrelayx serves the WPAD file and then relays the authentication to other servers in the network.

[Figure: mitm6 selectively spoofing DNS replies]

[Figure: ntlmrelayx serving the WPAD file and relaying the authentication to other servers]

VI. Mitigations

The only mitigation currently available against this attack is to disable IPv6 (if the internal network does not need it). This prevents Windows hosts from requesting a DHCPv6 server, so an attacker cannot take over the DNS server using the method described in this article.

Against the WPAD abuse, the best mitigation is to disable automatic proxy detection via Group Policy. If the corporate network needs a proxy configuration file (PAC file), we recommend specifying the URL of the PAC file directly rather than relying on WPAD to detect it automatically.

At the time of writing, Google Project Zero has also found vulnerabilities in WPAD; according to the information Google published, disabling the WinHttpAutoProxySvc service is the only reliable way to disable WPAD.

Finally, the only complete solution against NTLM relay attacks is currently to disable NTLM entirely and move to Kerberos authentication. Where this is not feasible, see our previously published article on mitigations for NTLM relay attacks, which can minimise the risk posed by such attacks.

VII. Source tools

mitm6 can be downloaded from Fox-IT's GitHub, and the latest version of ntlmrelayx from the impacket repository.

This article comes from 360 Anquanke (安全客); original address: https://www.anquanke.com/post/id/94689


Source: www.cnblogs.com/RiwellAckerman/p/11266627.html