
It is possible to receive ntlm response with ipv6. What about ipv4?

Çağlar Arlı      -    23 Views


I performed an NTLM relay attack with mitm6 and ntlmrelayx. I used mitm6 for DNS spoofing. When the victim sent a query containing where the DHCP is located, I identified myself as the DHCP server. Then I became a proxy with WPAD so the victim makes any HTTP request through me. I responded with 407 authentication to any HTTP request, thus I caught the NTLM response. Finally I relayed the NTLM response to SMB and I gained a shell. I got this attack and I performed a PoC.

I wonder if this attack is specific to IPv6? I performed the same thing for IPv4. I read that mitm6 spoofs DNS in IPv4, so I used mitm6 for DNS spoofing and then I started the ntlmrelayx tool. But I could not catch the NTLM response. So it did not work.

After that I decided to use Responder to catch the NTLM response with these options: responder -I "eth0" --DHCP --DHCP-DNS -FPw -v

According to my logic, since my goal is to manipulate the WPAD file, I need to take over DNS, and to announce myself as the DNS, I need to hijack the DHCP server. Therefore, I initiated the Responder tool with the settings mentioned above. Then I started the ntlmrelayx tool, but again I could not catch the NTLM response. I compared the IPv6 and IPv4 attacks. I couldn't see the 407 status code in Wireshark. So why did this attack not work for IPv4?
