Skip to content

Commit

Permalink
Small fixes and docs update - release v0.2.0
Browse files Browse the repository at this point in the history
  • Loading branch information
dirkjanm committed Feb 2, 2018
1 parent 997bc8c commit 2b998d9
Show file tree
Hide file tree
Showing 3 changed files with 32 additions and 11 deletions.
36 changes: 29 additions & 7 deletions Readme.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,20 +18,20 @@ You can install the latest release from PyPI with `pip install mitm6`, or the la
After installation, mitm6 will be available as a command line program called `mitm6`. Since it uses raw packet capture with Scapy, it should be run as root. mitm6 should detect your network settings by default and use your primary interface for its spoofing. The only option you will probably need to specify is the AD `domain` that you are spoofing. For advanced tuning, the following options are available:

```
usage: mitm6 [-h] [-d DOMAIN] [-i INTERFACE] [-4 ADDRESS] [-6 ADDRESS]
[-m ADDRESS] [-a] [-v] [--debug]
usage: mitm6.py [-h] [-i INTERFACE] [-l LOCALDOMAIN] [-4 ADDRESS] [-6 ADDRESS]
[-m ADDRESS] [-a] [-I] [-v] [--debug] [-d DOMAIN] [-b DOMAIN]
[-hw DOMAIN] [-hb DOMAIN] [--ignore-nofqnd]
mitm6 - pwning IPv4 via IPv6
For help or reporting issues, visit https://github.com/fox-it/mitm6
optional arguments:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
Domain name to filter DNS queries on (Whitelist
principle, multiple can be specified.)
-l LOCALDOMAIN, --localdomain LOCALDOMAIN
Domain name to use as DNS search domain
-i INTERFACE, --interface INTERFACE
Interface to use (default: autodetect)
-l LOCALDOMAIN, --localdomain LOCALDOMAIN
Domain name to use as DNS search domain (default: use
first DNS domain)
-4 ADDRESS, --ipv4 ADDRESS
IPv4 address to send packets from (default:
autodetect)
Expand All @@ -48,10 +48,32 @@ optional arguments:
-v, --verbose Show verbose information
--debug Show debug information
Filtering options:
-d DOMAIN, --domain DOMAIN
Domain name to filter DNS queries on (Whitelist
principle, multiple can be specified.)
-b DOMAIN, --blacklist DOMAIN
Domain name to filter DNS queries on (Blacklist
principle, multiple can be specified.)
-hw DOMAIN, --host-whitelist DOMAIN
Hostname (FQDN) to filter DHCPv6 queries on (Whitelist
principle, multiple can be specified.)
-hb DOMAIN, --host-blacklist DOMAIN
Hostname (FQDN) to filter DHCPv6 queries on (Blacklist
principle, multiple can be specified.)
--ignore-nofqnd Ignore DHCPv6 queries that do not contain the Fully
Qualified Domain Name (FQDN) option.
```

You can manually override most of the autodetect options (though overriding the MAC address will break things). If the network has some hardware which blocks or detects rogue Router Advertisement messages, you can add the `--no-ra` flag to not broadcast those. Router Advertisements are not needed for mitm6 to work since it relies mainly on DHCPv6 messages.

### Filtering options
Several filtering options are available to select which hosts you want to attack and spoof. First there are the `--host-whitelist` and `--host-blacklist` options (or `-hw` and `-hb` for short), which take a (partial) domain as argument. Incoming DHCPv6 requests will be filtered against this list. The property checked is the DHCPv6 FQND option, in which the client provides its hostname.
The same applies for DNS requests, for this the `--domain` option (or `-d`) is available, where you can supply which domain(s) you want to spoof. Blacklisting is also possible with `--blacklist`/`-b`.

For both the host and DNS filtering, simple string matching is performed. So if you choose to reply to `wpad`, it will also reply to queries for `wpad.corpdomain.com`. If you want more specific filtering, use both the whitelist and blacklist options, since the blacklist takes precedence over the whitelist.
By default the first domain specified will be used as the DNS search domain, if you explicitliy want to specify this domain yourself use the `--localdomain` option.

## About network impact and restoring the network
mitm6 is designed as a penetration testing tool and should thus impact the network as little as possible. This is the main reason mitm6 doesn't implement a full man-in-the-middle attack currently, like we see in for example the SLAAC attack.
To further minimize the impact, the IP addresses assigned have low time-to-live (TTL) values. The lease will expire within 5 minutes when mitm6 is stopped, which will remove the DNS server from the victims configuration.
Expand Down
5 changes: 2 additions & 3 deletions mitm6/mitm6.py
Original file line number Diff line number Diff line change
Expand Up @@ -81,14 +81,14 @@ def __init__(self, args):

self.debug = args.debug
self.verbose = args.verbose
self.invertdns = args.invertdns
# End of config

# Target class - defines the host we are targetting
class Target(object):
def __init__(self, mac, host, ipv4=None):
self.mac = mac
self.host = str(host)
# Make sure the host is in unicode
self.host = host.decode("utf-8")
if ipv4 is not None:
self.ipv4 = ipv4
else:
Expand Down Expand Up @@ -306,7 +306,6 @@ def main():
parser.add_argument("-6", "--ipv6", type=str, metavar='ADDRESS', help="IPv6 link-local address to send packets from (default: autodetect)")
parser.add_argument("-m", "--mac", type=str, metavar='ADDRESS', help="Custom mac address - probably breaks stuff (default: mac of selected interface)")
parser.add_argument("-a", "--no-ra", action='store_true', help="Do not advertise ourselves (useful for networks which detect rogue Router Advertisements)")
parser.add_argument("-I", "--invertdns", action='store_true', help="Invert DNS whitelist principle, do intercept ONLY domains specified by -d/--domain")
parser.add_argument("-v", "--verbose", action='store_true', help="Show verbose information")
parser.add_argument("--debug", action='store_true', help="Show debug information")

Expand Down
2 changes: 1 addition & 1 deletion setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
reqs = ["scapy-python3", "twisted", "netifaces"]

setup(name='mitm6',
version='0.1.1',
version='0.2.0',
description='Pwning IPv4 via IPv6',
license='GPLv2',
classifiers=[
Expand Down

0 comments on commit 2b998d9

Please sign in to comment.