The MITM6 + NTLM Relay attack chain highlights how attackers can weaponize default IPv6 behavior in Windows networks and combine it with NTLM relay to escalate privileges and achieve a full Active Directory (AD) domain compromise. Even organizations that do not actively use IPv6 are exposed, as Windows systems automatically issue DHCPv6 requests. By abusing this trust, adversaries can poison DNS responses, relay NTLM authentications, and exploit Resource-Based Constrained Delegation (RBCD) to impersonate privileged accounts – ultimately seizing domain-wide control.
Severity Level: Moderate
Threat Overview
- Attack Vector – Rogue IPv6 Auto-Configuration
  - Windows clients prioritize IPv6 over IPv4.
  - An attacker runs MITM6 to act as a rogue DHCPv6/DNS server.
  - Victim machines accept malicious DNS server assignments, enabling interception and redirection of name resolution.
- Credential Capture & Relay
  - The attacker exploits WPAD (Web Proxy Auto-Discovery Protocol) to trigger NTLM authentications.
  - Using ntlmrelayx (Impacket), captured credentials are relayed to LDAP/LDAPS.
  - A malicious machine account is created in Active Directory.
- Abuse of Active Directory Defaults
  - By default, any domain user can create up to 10 machine accounts (ms-DS-MachineAccountQuota).
  - The attacker modifies the new machine object to enable RBCD (Resource-Based Constrained Delegation).
  - This allows impersonation of high-privilege accounts.
- Privilege Escalation & Domain Compromise
  - With RBCD in place, attackers impersonate Domain Admins or service accounts.
  - Tools like secretsdump.py extract NTLM hashes and Kerberos tickets.
  - Valid credentials are tested across the environment using CrackMapExec for lateral movement.
- Lateral Movement & Persistence
  - Access is expanded via WMIExec, PsExec, and SMB share enumeration.
  - Rogue machine accounts remain in AD for long-term persistence.
  - Attackers may install additional backdoors or establish C2 channels.
- Potential Impact
  - Full Domain Compromise: Complete control over AD and domain controllers.
  - Credential Theft: Harvesting of NTLM hashes, Kerberos tickets, and passwords.
  - Service Disruption: DNS poisoning may cause outages or degraded performance.
  - Data Exfiltration: Sensitive data, intellectual property, or PII can be stolen.
  - Business Risk: Regulatory fines, financial damage, and reputation loss.
Recommendations
- Disable IPv6 if not in use on all endpoints and servers to prevent rogue DHCPv6 advertisements from being accepted.
- Use switches and routers with RA Guard / DHCPv6 Guard to block unauthorized IPv6 advertisements and rogue DHCP servers on the network.
- Separate VLANs for users, servers, and domain controllers to limit lateral exposure.
- Disable WPAD where unnecessary and enforce static DNS configurations.
- Enforce SMB & LDAP Signing to prevent credential relaying.
- Migrate to Kerberos-only authentication where feasible. If NTLM is required, restrict which servers can accept NTLM authentication.
- Enable Extended Protection for Authentication (EPA) so that NTLM authentications are bound to the TLS channel and cannot be replayed to a different service.
- Set ms-DS-MachineAccountQuota = 0 to prevent low-privileged users from creating new computer accounts in the domain.
- Monitor and restrict who can configure Resource-Based Constrained Delegation (RBCD).
- Prevent Domain Admins from logging into untrusted or low-security endpoints.
- Set alerts for unusual computer account additions/modifications in AD.
- Look for NTLM Relay Indicators. Track failed authentications, proxy authentication attempts, and unusual LDAP requests.
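The following PowerShell audit script is an added example and is not part of the original advisory or the Resecurity post. It checks the Active Directory defaults and relay protections the recommendations above ask for: the ms-DS-MachineAccountQuota value, every object with Resource-Based Constrained Delegation configured, computer accounts recently created by non-admin users via the quota (these carry the mS-DS-CreatorSID attribute, which is also what a relayed machine-account creation leaves behind), and the LDAP signing, LDAPS channel binding (EPA) and SMB signing registry values on the domain controller it runs on. It assumes the RSAT ActiveDirectory module is installed, that it is run with administrative rights on a domain controller, and a single domain; the function name Invoke-RelayHardeningAudit and the 30-day look-back are choices made for this example.

```powershell
# Added audit script (not from the original advisory): checks the AD defaults
# and relay protections listed in the Recommendations. Assumptions: RSAT
# ActiveDirectory module present, run locally on a domain controller with
# admin rights, single domain. The expected values (0 for the quota, 2 for
# LDAPServerIntegrity and LdapEnforceChannelBinding, 1 for
# RequireSecuritySignature) are the documented "require" settings.
Import-Module ActiveDirectory

function Invoke-RelayHardeningAudit {
    param([int]$LookbackDays = 30)   # window for "recently created computers" (example default)

    $domain   = Get-ADDomain
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. ms-DS-MachineAccountQuota on the domain naming context (default 10, recommended 0)
    $dnc   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    $quota = [int]$dnc.'ms-DS-MachineAccountQuota'
    $findings.Add([pscustomobject]@{
        Check  = 'ms-DS-MachineAccountQuota'
        Value  = $quota
        Status = if ($quota -eq 0) { 'OK' } else { 'FINDING: any domain user can create computer accounts' }
    })

    # 2. Every object with RBCD configured. The attribute is a security descriptor;
    #    its ACE trustees are the accounts allowed to impersonate users to this
    #    resource, so each entry (and its last change time) deserves a review.
    $rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
                -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', whenChanged
    foreach ($obj in $rbcd) {
        $sd = $obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $trustees = if ($sd -is [System.DirectoryServices.ActiveDirectorySecurity]) {
            ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join '; '
        } else { '<unparsed security descriptor>' }
        $findings.Add([pscustomobject]@{
            Check  = "RBCD on $($obj.DistinguishedName)"
            Value  = $trustees
            Status = "REVIEW: last changed $($obj.whenChanged)"
        })
    }

    # 3. Recently created computer accounts. mS-DS-CreatorSID is only populated
    #    when a non-admin principal used the quota to add the account, which is
    #    the path a relayed LDAP machine-account creation takes.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $recent = Get-ADComputer -Filter { whenCreated -ge $since } `
                  -Properties whenCreated, 'mS-DS-CreatorSID'
    foreach ($c in $recent) {
        $creator = $c.'mS-DS-CreatorSID'
        if ($null -ne $creator) {
            # The module may return a SecurityIdentifier or a raw byte[]; handle both
            $sid = if ($creator -is [byte[]]) {
                New-Object System.Security.Principal.SecurityIdentifier($creator, 0)
            } else { $creator }
            $creatorName = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            $findings.Add([pscustomobject]@{
                Check  = "Computer $($c.SamAccountName) created $($c.whenCreated)"
                Value  = "creator: $creatorName"
                Status = 'REVIEW: created by a non-admin via MachineAccountQuota'
            })
        }
    }

    # 4. Relay protections on this DC (registry values behind the GPO settings)
    $regChecks = @(
        @{ Name = 'LDAP signing required (LDAPServerIntegrity)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';         Key = 'LDAPServerIntegrity';       Want = 2 },
        @{ Name = 'LDAPS channel binding / EPA';                 Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';         Key = 'LdapEnforceChannelBinding'; Want = 2 },
        @{ Name = 'SMB server signing required';                 Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Key = 'RequireSecuritySignature';  Want = 1 }
    )
    foreach ($r in $regChecks) {
        $val = (Get-ItemProperty -Path $r.Path -Name $r.Key -ErrorAction SilentlyContinue).($r.Key)
        $findings.Add([pscustomobject]@{
            Check  = $r.Name
            Value  = if ($null -eq $val) { '<not set>' } else { $val }
            Status = if ($val -eq $r.Want) { 'OK' } else { "FINDING: expected $($r.Want)" }
        })
    }

    return $findings
}

# Usage: run on a domain controller and review every row not marked OK
Invoke-RelayHardeningAudit -LookbackDays 30 | Format-Table -AutoSize -Wrap
```

The registry checks cover only the domain controller the script runs on; in a multi-DC environment run it on each DC, or push the same values through the corresponding Group Policy settings and use this output to confirm they applied. The RBCD and creator-SID rows are intended as a baseline to diff against on a schedule, since a new entry in either list after the baseline is the kind of unusual computer-account modification the recommendations ask you to alert on.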
Source:
- https://www.resecurity.com/blog/article/mitm6-ntlm-relay-how-ipv6-auto-configuration-leads-to-full-domain-compromise