Domain Admin via IPv6 DNS Takeover
- Published on 7 Feb 2025
- Get my:
25 hour Practical Ethical Hacking Course: www.udemy.com/...
Windows Privilege Escalation for Beginners Course: www.udemy.com/...
In this video, we explore obtaining domain admin via IPv6 takeover with mitm6
Blogs:
dirkjanm.io/wo...
blog.fox-it.co...
❓Info❓
___________________________________________
Need a Pentest?: tcm-sec.com
Learn to Hack: academy.tcm-se...
🔹The Cyber Mentor Merch🔹
___________________________________________
teespring.com/...
📱Social Media📱
___________________________________________
Website: thecybermentor...
Twitter: / thecybermentor
Twitch: / thecybermentor
Discord: tcm-sec.com/di...
LinkedIn: / heathadams
💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
/ thecybermentor
Support the stream (one-time): streamlabs.com...
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: amzn.to/31GN7iX
The Hacker Playbook 3: amzn.to/34XkIY2
Hacking: The Art of Exploitation: amzn.to/2VchDyL
The Web Application Hacker's Handbook: amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: amzn.to/31HAmVx
Linux Basics for Hackers: amzn.to/34WvcXP
Python Crash Course, 2nd Edition: amzn.to/30gINu0
Violent Python: amzn.to/2QoGoJn
Black Hat Python: amzn.to/2V9GpQk
My Build:
lg 32gk850g-b 32" Gaming Monitor:amzn.to/30C0qzV
darkFlash Phantom Black ATX Mid-Tower Case: amzn.to/30d1UW1
EVGA 2080TI: amzn.to/30d2lj7
MSI Z390 MotherBoard: amzn.to/30eu5TL
Intel 9700K: amzn.to/2M7hM2p
G.SKILL 32GB DDR4 RAM: amzn.to/2M638Zb
Razer Nommo Chroma Speakers: amzn.to/30bWjiK
Razer BlackWidow Chroma Keyboard: amzn.to/2V7A0or
CORSAIR Pro RBG Gaming Mouse: amzn.to/30hvg4P
Sennheiser RS 175 RF Wireless Headphones: amzn.to/31MOgpu
My Recording Equipment:
Panasonic G85 4K Camera: amzn.to/2Mk9vsf
Logitech C922x Pro Webcam: amzn.to/2LIRxAp
Aston Origin Microphone: amzn.to/2LFtNNE
Rode VideoMicro: amzn.to/309yLKH
Mackie PROFX8V2 Mixer: amzn.to/31HKOMB
Elgato Cam Link 4K: amzn.to/2QlicYx
Elgate Stream Deck: amzn.to/2OlchA5
*We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to Amazon.com and affiliated sites.
I hope you enjoyed this video! If so, please consider dropping a like and subscribing.
You're a genius... even though it's a bit hard for me to understand because of the language :( you helped me a lot... greetings from Argentina
Every video I appreciate you more, man!
Again thank you very much for the hard work!!
Thank you!
This is awesome. What is the severity of this vulnerability?
This is amazing, surely going to try this myself.
This is how I fooled a company into believing I worked for them. The conversation went something like this.
"I don't have a badge or ID or name tag, can I get in?"
"No of course not! We need to verify your identity!"
"I'm an enterprise admin, you can look me up."
"Name?"
"It's: wSDJQWed£"
"Oh great I see you listed, you may go through, speak to HR for an ID badge and access card!"
"Thanks, have a nice day!"
That's the story of my successful infiltration.
Can anyone help?
I am not getting the loot folder in the directory and also it's not authenticating.
Thanks for this video. Your footages are very didactic 👍🙏
You're welcome!
Hey, great video. At this point would you already need to be in the victim's network? Could it be done through phishing, sending a link to open the command? I'm doing a final project for school and I chose this vulnerability.
Valuable content. Sweeeeet !
You're simply the best ! thank youuu
This is mind boggling! How on earth are you able to create a Domain Admin account without any Admin credentials? I feel like I blinked somewhere and missed something!
We're utilizing the relayed administrator hash from the login to create the creds
@TCMSecurityAcademy Thanks! I don't really understand why the client knows the administrator hash as it is! Looks like I've got a lot more work to do...!
@darylg3560 The client will know the hash as that's stored in the SAM database. When the password is entered it's encrypted and compared to the hash in the database; if both match you log in.
@darylg3560 Also, the hashing algorithm used for Windows authentication is NTLM, which sucks, and Microsoft should do better.
So cool! Thanks for sharing this TCM!
Good vid bud! You going to do one too on setting up an AD lab?
Yes. Incoming next week at some point. After Christmas probably!
Thanks for sharing your knowledge with us.
Is there any way to catch any of the relaying or enumeration from the blue team side? Or block the creation of the new ACL?
Can you please explain what you did when installing the AD Certificate Services? This is key to this working and i cant replicate without this information. Thanks!
This attack won't work if it isn't installed, because we use LDAPS.
Amazing video! Speaking about MITM, is the ICMP redirect attack deprecated? Does it work on Windows 10?
Any way to not let it create the user, which is more stealthy? 😁 BTW, good tut 👍
what version of OPENSSL you used in this video?
Awesome sauce
This is very interesting
Nice video TCM. I assume this would also work in a Linux environment using Windows Active Directory LDAP?
As long as the credential can authenticate to the DC, yes.
Does this require the DC to have a CA installed on it so LDAPS can be used?
That is correct, yes.
A CA on a DC is already a loss.
DC = domain controller, CA = certificate authority, LDAPS = lightweight directory access protocol system?
Great video..
Can we look forward to any radio frequency testing tutorial?
Is it possible?
I don't know the first thing about SDR, sorry
Can you make a video include teaching nmap from basic to advance , tip , and how to exploit from that ? Thanks so much
Check the Pentesting for n00bs series :)
8:15 so it means we are creating a user for ourselves and the admin does not know about it, did I get it right?
Well, it can be picked up by detection systems. Lots of places have alerts for when a domain admin is created.
Could you make a video to protect our self from that attack, I think I'm being attacked by it
Disable it 🤷♂️
Read the blog post provided. It talks through how to prevent.
M4V3R1C marvelous you tube cast. Thanks so much.
Man keep it lit
Very Interesting.
Can you make videos for OSCP preparation ?
Look at the Zero-to-Hero course.
I ran into a serious problem and I hope The Cyber Mentor can help me with this.
I followed all the steps in the video, and when I attack the ThePunisher or Spiderman computers I get the loot folder and the attack succeeds, but when I do the same steps for Administrator, I don't get anything... It's like doing nothing.
Why does that happen?
I tried restart, logout, changing user, re-running the scripts. All the same.
Same here...did you ever get a response?
Kindly give your Udemy course link bro
my school got ipv6 without using it :D
FBI open UP !
@ericcolt8078 HAHAHAHAHAHA
To pull this off, you need to be sitting on a network segment where you can sniff another user's DNS traffic, right?
If an attacker is on the local network, either physically (via a drop device) or via an infected workstation, it is possible to perform a DNS takeover using mitm6, provided IPv6 is not already in use in the network. When this attack is performed, it is also possible to make computer accounts and users authenticate to us over HTTP by spoofing the WPAD location and requesting authentication to use the rogue proxy.
Read the blog post in the description, good read!
Yes, and no. You do have to be on the same network segment, but you're sniffing for other users' DHCPv6 traffic and replying with an offer since an IPv6 DHCP scope isn't defined. When you become the DHCPv6 server, Windows will prefer it over IPv4 DNS, which lets you hijack DNS lookups and perform relaying when you intercept the authentication. One of the web pages mentioned in the video explains it in depth.
In a normal setup the switch won't route DNS requests to your PC, but only to the DNS server. With a rogue IPv6-DHCP/DHCPv6 you can advertise your own computer as the DNS server, and from this alone sniff other users' DNS traffic. And then you can perform MITM. No ARP hijacking necessary anymore.
Long time we've been without you ((( miss you, Master! Come baaaack with more vids please ;) 🕺🕺🕺
So defending against that attack is disabling IPv6?
No. Employ IPv6 and don't leave it unmanaged. Also use IPv6 RA guard on your switches. Similar to what you do for DHCPv4 snooping.
Have a look at the mitigation section of the URL below (also featured in the video)
dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
Kyle has the correct answer.
Can anyone help me a website to download windows 10 iso images (for desktop and for server)
Does this attack works anymore?
Very much so.
This is pretty cool. Can you share at what point you would be able to run this kind of attack? I'm guessing you would already need to be in the victims network via other means to be able to run this. Correct? Also, what lens are you using with your Lumix? I'm trying to get a TH-cam channel started myself. No competition for you. Totally different take. Thanks!
DM'd already. Just noting it here so I don't forget :)
Atm I am running into all sorts of problems. ntlmrelayx gives me these errors:
[-] Exception in HTTP request handler: '>=' not supported between instances of 'int' and 'NoneType'
[-] Exception in HTTP request handler: [Errno 104] Connection reset by peer
while mitm6 tries to spoof wpad.sub.domain.tld even though I named my WPAD "fakewpad".
At one point ntlmrelayx did "something", but failed anyway:
[*] SMBD-Thread-3: Received connection from ::ffff:192.168.1.50, attacking target ldaps://Lab-DC01.sub.domain.tld
[-] Connection against target ldaps://Lab-DC01.sub.domain.tld FAILED: invalid server address
lab-dc01.sub.domain.tld is my address.
Something is weird here. Maybe you could include your lab setup in your videos so we can follow along?
I'll be releasing a lab build video next week :)
@TCMSecurityAcademy That's awesome!! Thanks.
The only defense against this attack that I am currently aware of is disabling IPv6 if it is not used on your internal network. That should stop Windows clients querying for a DHCPv6 server; however, Microsoft says that certain parts of its OS may not work if you disable IPV6???? Fail bus plows into blue team.
Or block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy; just read the other article.
It's a little more complex than that. The Dirk article has way more details.
Jerkjanm 😂
Dope
0 dislikes
Does this only work in localhost ?
No. It's for AD environments.
My hackers using IPv6
What’s up?
What's up
The Cyber Mentor Not much