PowerShellEmpire/PowerTools

Invoke-MassMimikatz and IPv4/IPv6 on staging machine

enigma0x3 opened this issue · 2 comments

When using Invoke-Mimikatz without specifying a Local IP, it fails to determine the Local IP when IPv4 and IPv6 are enabled. This is what happens if you run the current version of Invoke-MassMimikatz on a staging machine with both IPv4 and IPv6 enabled:
[screenshot]

When digging into how Invoke-MassMimikatz determines the local IP if one isn't specified, I noticed that if IPv4 & IPv6 are both enabled, $LocalIPAddress returns the whole array instead of selecting a single IP (such as [0]).

The trouble code is this:

$p = (gwmi Win32_NetworkAdapterConfiguration| Where{$_.IPAddress} | Select -Expand IPAddress);
$LocalIpAddress = @{$true=$p[0];$false=$p}[$p.Length -lt 6];

When running this on a staging machine with IPv4 & IPv6 enabled, the code above returns this:
[screenshot]

I found the code below in an older version of Invoke-MassMimikatz. After testing, it still pulls the correct IP regardless of whether it is just IPv4, IPv6 or IPv4/IPv6:
$LocalIpAddress = (gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null}).ipaddress[0]


The code that seems to resolve this issue was, at one point, in Invoke-MassMimikatz but was changed to the trouble code... which leads me to assume it was changed and updated for a reason. Because of that, I won't put in a pull request suggesting the update, as it is really just a rollback to older code.

Here is a difference view of the current code vs the older code:
[screenshot]

I'm sure the older code was replaced for a reason, so all I know is that if IPv4 and IPv6 are enabled, $LocalIPAddress spits out an array instead of a single IP to write output back to, which prevents any output from being returned.

I think the reason it was changed is that if ONLY IPv4 is enabled, the returned address actually isn't an array, so I tried to implement some type of detection (that was obviously botched haha). If you can think of the correct way to tweak this to work in both situations feel free to submit a pull, otherwise I'll try to take a look at it this weekend.

Using the original code works for me:
$LocalIpAddress = (gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null}).ipaddress[0]

Output:
[screenshot]

Attacker IP configuration:
[screenshot]

Target IP Configuration:
[screenshot]

From my testing, the original way of grabbing the IP works for any combination of IPv4 and IPv6 on both the attacker and target. What is the purpose of the array other than selecting the first IP address? I think I'm missing something. A blonde moment on my end is highly likely :)
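An added example (not code from the PowerTools repo) showing why the `$p.Length -lt 6` heuristic is fragile and one way to pick a single IPv4 address whether `$p` comes back as a lone string or as an array; the function name and the sample addresses are constructed for the demonstration.

```powershell
# PowerShell unrolls a one-element property into a scalar string, so
# $p.Length is a character count in the single-address case and an element
# count otherwise, and $p[0] is a character in one case and an address in the
# other. Normalising with @() removes that ambiguity before selecting.

function Get-FirstIPv4Address {
    param(
        # Value as returned by Win32_NetworkAdapterConfiguration.IPAddress:
        # a string when only one address exists, an array otherwise.
        [Parameter(Mandatory)] $Addresses
    )
    # @() forces a scalar string into a one-element array so that
    # .Count and indexing behave the same for both shapes.
    $list = @($Addresses)
    $v4 = $list |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
        Select-Object -First 1
    if (-not $v4) {
        throw "No IPv4 address found among: $($list -join ', ')"
    }
    return $v4
}

# Constructed sample inputs mirroring the two cases in the issue.
$onlyV4 = '192.0.2.10'                                          # scalar string
$dual   = @('192.0.2.10', 'fe80::1c2b:3d4e:5f60:7a8b', '2001:db8::10')

# Show what the original check would be comparing in each case.
"Scalar: Length=$($onlyV4.Length) `$p[0]=$($onlyV4[0])"
"Array:  Length=$($dual.Length) `$p[0]=$($dual[0])"

# Both inputs yield the same single IPv4 address.
Get-FirstIPv4Address -Addresses $onlyV4
Get-FirstIPv4Address -Addresses $dual

# Live use (assumes gwmi is available on the host):
# Get-FirstIPv4Address -Addresses (gwmi Win32_NetworkAdapterConfiguration |
#     Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
```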