H3-2021-0022

IPv6 DNS Hijacking Possible Using Mitm6

Category SECURITY_MISCONFIGURATION
Base Score 7.0

Description

IPv6 DNS hijacking is possible on the network. When a rogue DHCPv6 server assigns systems an IPv6 DNS server address, a Windows network will prioritize the IPv6 address over IPv4. This allows an attacker to take over the default DNS server. Attackers can use this to relay the hijacked hosts to a multitude of tools in order to obtain cleartext or hashed credentials.
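To detect the rogue DHCPv6 server described above, a monitor can parse DHCPv6 server messages and flag any Advertise or Reply that offers a DNS server from a source outside a known list. The following is an added example, not part of the original advisory; the allowlist, the sample packet and all function names are assumptions constructed for illustration, and packet capture is left out.

```python
import ipaddress
import struct

# Message types and option codes from RFC 8415 and RFC 3646.
ADVERTISE, REPLY = 2, 7
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value} for a DHCPv6 client/server message."""
    options, offset = {}, 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated DHCPv6 option")
        options[code] = payload[offset:offset + length]
        offset += length
    return options

def check_dhcpv6(src: str, payload: bytes, allowed_servers: set) -> list:
    """Alert on Advertise/Reply messages that hand out DNS from an unlisted source."""
    source = str(ipaddress.IPv6Address(src.split("%")[0]))  # drop zone id, normalize
    if len(payload) < 4 or payload[0] not in (ADVERTISE, REPLY):
        return []
    try:
        options = parse_options(payload)
    except ValueError:
        return [f"malformed DHCPv6 server message from {source}"]
    dns = options.get(OPT_DNS_SERVERS, b"")
    servers = [str(ipaddress.IPv6Address(dns[i:i + 16]))
               for i in range(0, len(dns) - len(dns) % 16, 16)]
    if servers and source not in allowed_servers:
        duid = options.get(OPT_SERVERID, b"").hex() or "none"
        return [f"unlisted DHCPv6 server {source} (DUID {duid}) offers DNS {servers}"]
    return []

def build_sample(msg_type: int, dns_addr: str) -> bytes:
    """Constructed packet: header, Server Identifier option, DNS servers option."""
    duid = bytes.fromhex("00030001001122334455")  # DUID-LL with a made-up MAC
    dns = ipaddress.IPv6Address(dns_addr).packed
    return (bytes([msg_type]) + b"\xab\xcd\xef"
            + struct.pack("!HH", OPT_SERVERID, len(duid)) + duid
            + struct.pack("!HH", OPT_DNS_SERVERS, len(dns)) + dns)

if __name__ == "__main__":
    allowed = {"fe80::1"}  # assumed address of the site's real DHCPv6 server
    packet = build_sample(ADVERTISE, "fe80::dead:beef")
    print(check_dhcpv6("fe80::dead:beef%eth0", packet, allowed))
```

On a network that runs no DHCPv6 service at all, pass an empty allowlist so that every server message carrying a DNS option raises an alert.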

Impact

A captured hash credential can be cracked offline to discover the plaintext password for reuse on other systems. A hash can also be used in conjunction with other tools to log in to hosts, dump sensitive information such as local system passwords, or run remote operating system commands. Likewise, a captured plaintext credential can be immediately used to access other systems.