DHCPv6 spoofing
Theory
DHCPv6 spoofing and poisoning
By default in Windows environments, IPv6 is enabled and takes priority over IPv4, yet it is usually neither used nor configured. When a Windows machine boots or is plugged into the network, it asks for an IPv6 configuration through a DHCPv6 request. Because DHCPv6 works over multicast, attackers on the same network can answer those DHCPv6 queries and provide the clients with a chosen IP configuration. That configuration includes a rogue DNS server address (mitm6 actually pushes two addresses, one IPv4 and one IPv6). This technique is called DHCPv6 spoofing.
DNS spoofing
Attackers can then proceed to DNS spoofing. Once the clients' DNS servers have been set through the fake IP configuration pushed by DHCPv6 spoofing, each client queries the attacker's server for every domain name resolution. The attacker's server then redirects the clients to other rogue servers that can capture or relay authentications.
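From the defender's side, the observable artifact of this technique is a DHCPv6 Advertise or Reply carrying an OPTION_DNS_SERVERS (option 23) that points at an address no legitimate server would hand out. The following is an added example (not code from the page, mitm6 or bettercap) that parses raw DHCPv6 payloads as captured on UDP port 546 and flags any advertised DNS server outside a constructed allowlist; the allowlist and sample packets are constructed for illustration.

```python
import ipaddress
import struct

SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPTION_SERVERID, OPTION_DNS_SERVERS = 2, 23

# Constructed allowlist: the DNS servers your real DHCPv6 infrastructure hands out.
ALLOWED_DNS = {ipaddress.IPv6Address("2001:db8::53")}


def parse_dhcpv6(payload: bytes):
    """Return (msg_type, transaction_id, [(option_code, option_data), ...])."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 payload too short")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options, off = [], 4
    while off + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[off:off + 4])
        data = payload[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option")
        options.append((code, data))
        off += 4 + length
    return msg_type, xid, options


def dns_servers(options):
    """Extract every IPv6 address from OPTION_DNS_SERVERS (16 bytes each)."""
    servers = []
    for code, data in options:
        if code == OPTION_DNS_SERVERS:
            if len(data) % 16:
                raise ValueError("malformed OPTION_DNS_SERVERS length")
            servers.extend(ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16))
    return servers


def flag_rogue_dns(payload: bytes, allowed=ALLOWED_DNS):
    """Server-originated messages only; return the DNS servers not on the allowlist."""
    msg_type, _, options = parse_dhcpv6(payload)
    if msg_type not in (ADVERTISE, REPLY):
        return []
    return [str(s) for s in dns_servers(options) if s not in allowed]


def build_option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


# Constructed samples: a benign Advertise and one pushing an unexpected DNS server.
BENIGN = bytes([ADVERTISE]) + b"\x12\x34\x56" + build_option(OPTION_SERVERID, b"\x00\x01\xaa") \
    + build_option(OPTION_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed)
ROGUE = bytes([ADVERTISE]) + b"\x12\x34\x56" + build_option(OPTION_SERVERID, b"\x00\x01\xbb") \
    + build_option(OPTION_DNS_SERVERS, ipaddress.IPv6Address("fe80::1").packed
                   + ipaddress.IPv6Address("2001:db8::53").packed)
```

Running `flag_rogue_dns` over the server side of captured DHCPv6 traffic gives a simple alert source; a client Solicit never yields a finding.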
Practice
Combining DHCPv6 spoofing with DNS spoofing can cause temporary but severe disruption in the network. It is highly recommended to target only specific addresses and machines.
mitm6 (Python) is an all-in-one tool for DHCPv6 spoofing + DNS poisoning. The following command can be run to make mitm6 redirect internal traffic only.
bettercap (Go) can also be used for DHCPv6 spoofing and DNS spoofing.