A sophisticated attack chain that combines MITM6 with NTLM relay techniques to achieve full Active Directory domain compromise.
The attack exploits Windows’ default IPv6 auto-configuration behavior, allowing attackers to escalate from network access to Domain Admin privileges in minutes.
Key Takeaways
1. Abuses Windows IPv6 auto-config and AD's 10-machine account quota for domain compromise.
2. Uses mitm6 + ntlmrelayx to create malicious accounts with RBCD to reach Domain Admin quickly.
3. Fix: Disable IPv6, set ms-DS-MachineAccountQuota = 0, enable signing, deploy DHCPv6 Guard.
This technique poses significant risks to organizations running standard Windows environments, as it leverages built-in protocols rather than requiring malware or zero-day exploits.
IPv6 Auto-Configuration Attack
Resecurity reports that the MITM6 attack targets a fundamental Windows behavior: automatic DHCPv6 requests sent when systems boot or connect to networks.
Even in organizations not actively using IPv6, Windows machines prioritize IPv6 configuration over IPv4, creating an exploitable attack surface.
Attackers deploy the mitm6 tool to act as a rogue DHCPv6 server, responding to these requests and assigning malicious DNS server addresses to victim machines.
The command sudo mitm6 -d target.local --no-ra establishes the attacker as the authoritative DNS server for the target domain.
The attack chain continues with ntlmrelayx from the Impacket toolkit, which intercepts NTLM authentication attempts through WPAD (Web Proxy Auto-Discovery Protocol) spoofing.
The tool executes: sudo impacket-ntlmrelayx -ts -6 -t ldaps://target.local -wh fakewpad --add-computer --delegate-access, creating malicious computer accounts and configuring Resource-Based Constrained Delegation (RBCD).
“Active Directory’s default ms-DS-MachineAccountQuota setting allows any authenticated user to add up to 10 machine accounts, enabling attackers to create controlled computer objects,” reads the report.
These accounts can then modify their msDS-AllowedToActOnBehalfOfOtherIdentity attribute, allowing impersonation of privileged accounts, including Domain Administrators.
Recommendations
The attack’s impact extends far beyond initial network compromise. Once successful, attackers can extract NTLM hashes using secretsdump.py “target.local/User:[email protected]” and conduct lateral movement with tools like CrackMapExec: crackmapexec smb 10.0.0.1/8 -u administrator -H 1f937b21e2e0ada0d3d3f7cf58c8aade --share.
Organizations face severe consequences, including full domain compromise, credential theft, service disruption, and potential data exfiltration.
The attack’s stealthy nature makes detection challenging, as it abuses legitimate Windows protocols.
Critical mitigation strategies include disabling IPv6 when not required, setting ms-DS-MachineAccountQuota = 0 to prevent unauthorized computer account creation, and enforcing SMB and LDAP signing to prevent relay attacks.
Network-level defenses should implement DHCPv6 Guard on switches and routers to block unauthorized IPv6 advertisements.
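The following PowerShell audit script is an added example, not code from the article or from the Resecurity report. It checks the domain and host settings the chain above depends on (the machine account quota, SMB and LDAP signing, IPv6 on the host) and lists the artefacts the chain leaves behind: computer objects created by ordinary users under the quota and objects with msDS-AllowedToActOnBehalfOfOtherIdentity populated. It assumes the RSAT ActiveDirectory module, a domain-joined session with rights to read the domain object, and execution on a domain controller for the LDAP checks; the remediation for the quota is left commented out.

```powershell
# Added audit script (not from the article or the Resecurity report).
# Assumes: RSAT ActiveDirectory module, a domain-joined session that can read
# the domain object, and (for the LDAP checks) execution on a domain controller.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. ms-DS-MachineAccountQuota: the default of 10 lets any authenticated user
#    join machine accounts, which is what ntlmrelayx --add-computer relies on.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; recommended value is 0"
    # Remediation (uncomment to apply):
    # Set-ADDomain -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota'='0'}
}

# 2. Computer objects created under that quota carry mS-DS-CreatorSID, the SID
#    of the ordinary user who created them. Provisioned builds rarely look like this.
$quotaCreated = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value })
            WhenCreated = $_.whenCreated
        }
    }
$quotaCreated | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# 3. Resource-Based Constrained Delegation: any object whose
#    msDS-AllowedToActOnBehalfOfOtherIdentity is populated can be impersonated to
#    by the principals named in that security descriptor (--delegate-access writes it).
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($_.'msDS-AllowedToActOnBehalfOfOtherIdentity')
        $trusted = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Warning "$($_.Name) allows delegation from: $trusted"
    }

# 4. Relay protections on this host. SMB: RequireSecuritySignature = 1.
#    LDAP (DC only): LDAPServerIntegrity = 2 requires signing. Signing does not
#    cover LDAPS, which is what the relay above targets; there the control is
#    LdapEnforceChannelBinding = 2.
$smb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($smb.RequireSecuritySignature -ne 1) { Write-Warning 'SMB server signing is not required on this host' }
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($ntds) {
    if ($ntds.LDAPServerIntegrity -ne 2)       { Write-Warning 'LDAP signing is not required on this DC' }
    if ($ntds.LdapEnforceChannelBinding -ne 2) { Write-Warning 'LDAP channel binding is not enforced on this DC' }
}

# 5. IPv6 on this host: DisabledComponents = 0xFF disables it entirely. Only do
#    this where IPv6 is genuinely unused; otherwise rely on DHCPv6 Guard at the switch.
$v6 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue
if (-not $v6 -or $v6.DisabledComponents -ne 0xFF) { Write-Host 'IPv6 is enabled on this host' }
```

Run it from an elevated PowerShell on a domain controller to get all five checks in one pass; on a member server only the quota, creator-SID, RBCD and SMB checks apply. A non-empty result from step 2 or 3 is not proof of compromise on its own, but a computer object created by a non-admin user that also carries a delegation descriptor is exactly what the ntlmrelayx command above produces and deserves immediate follow-up.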
This attack demonstrates how default configurations can create significant security vulnerabilities, emphasizing the need for proactive hardening of Active Directory environments and continuous monitoring for rogue network services.