MITM6 + NTLM Relay Attack Enables Full Domain Compromise

Cybersecurity researchers are highlighting a dangerous attack technique that combines rogue IPv6 configuration with NTLM credential relay to achieve complete Active Directory domain compromise, exploiting default Windows configurations that most organizations leave unchanged.

Attack Leverages Default Windows IPv6 Behavior

The MITM6 + NTLM Relay attack exploits Windows systems’ automatic DHCPv6 requests, even in networks that don’t actively use IPv6.

Security firm Resecurity recently detailed how attackers can position themselves as rogue IPv6 DHCP servers, intercepting network communications and redirecting DNS queries to malicious servers.

Attack Hierarchy

The technique becomes particularly devastating when combined with NTLM relay attacks using tools like ntlmrelayx from the Impacket framework.

By spoofing Web Proxy Auto-Discovery Protocol (WPAD) services and relaying authentication attempts, attackers can capture credentials and escalate privileges across enterprise networks.

The attack’s effectiveness stems from three critical Active Directory default configurations that organizations often overlook.

First, Windows machines prioritize DHCPv6 over DHCPv4 during network initialization, creating an immediate attack vector.

Taking Control of Compromised Machines

Second, any authenticated domain user can add up to ten machine accounts without special privileges through the ms-DS-MachineAccountQuota attribute.

Third, computer accounts can modify their own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, enabling Resource-Based Constrained Delegation (RBCD) abuse.

These seemingly benign defaults create a perfect storm for privilege escalation. Once attackers control a machine account, they can configure RBCD to impersonate privileged accounts, including Domain Administrators, ultimately gaining complete control over the entire domain infrastructure.

The attack follows a systematic approach. Attackers first establish themselves as fake DHCPv6 servers using mitm6, then relay intercepted authentication attempts to LDAP services. This process automatically creates malicious computer accounts with impersonation capabilities.

Subsequently, tools like secretsdump.py extract password hashes from compromised systems, while CrackMapExec tests stolen credentials across entire network ranges to identify accessible hosts.

The final stage involves using extracted credentials with tools like WMIExec or PsExec to gain remote system control, enabling lateral movement and persistent access across the compromised network.

Security experts warn that successful MITM6 + NTLM Relay attacks result in catastrophic consequences. Beyond immediate domain compromise, organizations face credential theft, widespread lateral movement, and potential ransomware deployment.

The attack can disrupt essential services through DNS poisoning while providing attackers with persistent access even after initial entry points are discovered.

Cybersecurity professionals recommend immediate defensive measures, including disabling IPv6 if unused, implementing LDAP signing and channel binding, and restricting machine account creation privileges.

Organizations should also monitor for suspicious DHCP activities and implement network segmentation to limit lateral movement potential.
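The following PowerShell audit is an added example, not part of the article or of the tools it names. It checks the three defaults the article describes plus the LDAP hardening settings it recommends, assuming the ActiveDirectory RSAT module is available and that the registry checks are run on a domain controller.

```powershell
# Added example (not from the article): audit the defaults the MITM6 + NTLM relay chain relies on.
# Assumes the ActiveDirectory module is installed; the registry checks only mean something
# when run directly on a domain controller.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = @()

# 1. ms-DS-MachineAccountQuota: the default of 10 lets any authenticated user add computer accounts.
$dom   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $dom.'ms-DS-MachineAccountQuota'
if ($quota -gt 0) { $findings += "ms-DS-MachineAccountQuota is $quota (recommend 0)" }

# 2. Computers that already have RBCD configured: each listed principal may impersonate users to that host.
$rbcd = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                       -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
foreach ($c in $rbcd) {
    # The module exposes the attribute as an ActiveDirectorySecurity object; list the trustees.
    $sd  = $c.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $who = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    $findings += "RBCD set on $($c.Name): allowed to act on its behalf -> $who"
}

# 3. LDAP signing and channel binding on this DC (values under NTDS\Parameters; absent = not enforced).
$ntds    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
if ($params.LDAPServerIntegrity -ne 2) {
    $findings += "LDAPServerIntegrity is '$($params.LDAPServerIntegrity)' (2 = require signing)"
}
if ($params.LdapEnforceChannelBinding -ne 2) {
    $findings += "LdapEnforceChannelBinding is '$($params.LdapEnforceChannelBinding)' (2 = always)"
}

# 4. IPv6 on this host: DisabledComponents = 0xFF disables IPv6 on all interfaces.
$v6 = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
           -ErrorAction SilentlyContinue).DisabledComponents
if ($v6 -ne 0xFF) { $findings += "IPv6 is enabled (DisabledComponents = '$v6'); disable it if unused" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```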

The attack’s reliance on default configurations underscores the critical importance of security hardening in enterprise environments.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.