A sophisticated attack chain that combines MITM6 with NTLM relay techniques to achieve full Active Directory<\/a> domain compromise.\u00a0<\/p>\n The attack exploits Windows\u2019 default IPv6 auto-configuration behavior, allowing attackers to escalate from network access to Domain Admin privileges in minutes.\u00a0<\/p>\n This technique poses significant risks to organizations running standard Windows environments, as it leverages built-in protocols rather than requiring malware or zero-day exploits.<\/p>\n Resecurity reports that the MITM6 attack targets a fundamental Windows behavior: automatic DHCPv6<\/a> requests sent when systems boot or connect to networks.\u00a0<\/p>\n Even in organizations not actively using IPv6<\/a>, Windows machines prioritize IPv6 configuration over IPv4, creating an exploitable attack surface.<\/p>\n Attackers deploy the mitm6 tool to act as a rogue DHCPv6 server, responding to these requests and assigning malicious DNS server addresses to victim machines.\u00a0<\/p>\n The command sudo mitm6 -d target.local \u2013no-ra establishes the attacker as the authoritative DNS server for the target domain.<\/p>\n The attack chain continues with ntlmrelayx from the Impacket toolkit, which intercepts NTLM authentication attempts through WPAD (Web Proxy Auto-Discovery Protocol) spoofing.\u00a0<\/p>\n The tool executes: sudo impacket-ntlmrelayx -ts -6 -t ldaps:\/\/target.local -wh fakewpad \u2013add-computer \u2013delegate-access, creating malicious computer accounts and configuring Resource-Based Constrained Delegation (RBCD).<\/p>\n Active Directory\u2019s default ms-DS-MachineAccountQuota setting allows any authenticated user to add up to 10 machine accounts, enabling attackers to create controlled computer objects, reads the report<\/a>.<\/p>\n These accounts can then modify their msDS-AllowedToActOnBehalfOfOtherIdentity attribute, allowing impersonation of privileged accounts, including Domain Administrators.<\/p>\n The attack\u2019s impact extends far beyond initial network compromise. Once successful, attackers can extract NTLM hashes using secretsdump.py \u201ctarget.local\/User:Password@target.local\u201d and conduct lateral movement with tools like CrackMapExec: crackmapexec smb 10.0.0.1\/8 -u administrator -H 1f937b21e2e0ada0d3d3f7cf58c8aade \u2013share.<\/p>\n Organizations face severe consequences, including full domain compromise, credential theft, service disruption, and potential data exfiltration.\u00a0<\/p>\n The attack\u2019s stealthy nature makes detection challenging, as it abuses legitimate Windows protocols.<\/p>\n Critical mitigation strategies include disabling IPv6 when not required, setting ms-DS-MachineAccountQuota = 0 to prevent unauthorized computer account creation, and enforcing SMB and LDAP signing to prevent relay attacks.\u00a0<\/p>\n Network-level defenses should implement DHCPv6 Guard on switches and routers to block unauthorized IPv6 advertisements.<\/p>\n This attack demonstrates how default configurations can create significant security vulnerabilities, emphasizing the need for proactive hardening of Active Directory environments and continuous monitoring for rogue network services.<\/p>\n The post New MITM6 + NTLM Relay Attack Let Attackers Escalate Privileges and Compromise Entire Domain<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1. Abuses Windows IPv6 auto-config and AD's 10-machine account quota for domain compromise.
2. Uses mitm6 + ntlmrelayx to create malicious accounts with RBCD to reach Domain Admin quickly.
3. Fix: Disable IPv6, set ms-DS-MachineAccountQuota = 0, enable signing, deploy DHCPv6 Guard.<\/pre>\nIPv6 Auto-Configuration Attack<\/strong><\/h2>\n
Recommendations<\/strong><\/h2>\n
Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time.\u00a0Start with an\u00a0ANYRUN sandbox trial<\/a>\u00a0\u2192\u00a0<\/code><\/strong><\/p>\n
![\"Attack](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfBbH3JmPR2u0jNr0PWgrR9gla_ks6PaWd83OsEI3fqnCWio0w6Sdmw-T7fp_ocRi2io6n-VDr_gIv3Murohl4fmap0rDsxTn7dOU4DCuwWv4U-13jcAryErWF9Y3Q7XXuKEz4beQ?key=TWIK_XpXhzPRKse1sIm6CA\")
![\"Take](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdJXiFcm6N7vqoQ1lKLYfoDhp4idNhTJzOA2DR7IakvoD1Q8MArHdXbQqG8xf9hYv7rHCRB4QNjZ7u9ppAn-yAambgywrTnfrzWT5nPhga1MZga2BJ3zARjnTeS8Ms850811KN9tw?key=TWIK_XpXhzPRKse1sIm6CA\")