
MITM6 + NTLM Relay Attack Enables Full Domain Compromise


Cybersecurity researchers are highlighting a dangerous attack technique that combines rogue IPv6 configuration with NTLM credential relay to achieve complete Active Directory domain compromise, exploiting default Windows configurations that most organizations leave unchanged.

Attack Leverages Default Windows IPv6 Behavior

The MITM6 + NTLM Relay attack exploits Windows systems’ automatic DHCPv6 requests, even in networks that don’t actively use IPv6.

Security firm Resecurity recently detailed how attackers can position themselves as rogue IPv6 DHCP servers, intercepting network communications and redirecting DNS queries to malicious servers.
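As an added defender-side example (not code from the article or from Resecurity's write-up): a small Python monitor that parses DHCPv6 messages and flags any Advertise or Reply coming from a host that is not an authorized DHCPv6 server, which is exactly the traffic a rogue IPv6 DHCP server on the segment produces. The frames, addresses and authorized-server list are constructed; the input is assumed to be (source IPv6, UDP payload) pairs already extracted from a capture of traffic to DHCPv6 clients.

```python
import ipaddress
import struct
# DHCPv6 message types (RFC 8415) and the DNS-server option code (RFC 3646).
SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPTION_DNS_SERVERS = 23

def parse_dhcpv6(payload: bytes):
    """Return (msg_type, {code: data}): 1-byte type, 3-byte xid, then TLV options."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type, options, off = payload[0], {}, 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("option runs past end of message")
        options[code] = payload[off:off + length]
        off += length
    return msg_type, options

def dns_servers(options):
    """Decode OPTION_DNS_SERVERS: a run of 16-byte IPv6 addresses."""
    data = options.get(OPTION_DNS_SERVERS, b"")
    return [str(ipaddress.IPv6Address(data[i:i + 16]))
            for i in range(0, len(data) - len(data) % 16, 16)]

def find_rogue_advertisements(frames, authorized_servers):
    """frames: (src_ipv6, udp_payload) pairs sent towards DHCPv6 clients. Any ADVERTISE/REPLY
    from a source outside authorized_servers is an alert (pass an empty set on an IPv4-only LAN)."""
    alerts = []
    for src, payload in frames:
        try:
            msg_type, options = parse_dhcpv6(payload)
        except ValueError:
            continue  # malformed: skip rather than crash the monitor
        if msg_type in (ADVERTISE, REPLY) and src not in authorized_servers:
            alerts.append({"src": src, "msg_type": msg_type,
                           "dns_servers": dns_servers(options)})
    return alerts

def build_dhcpv6(msg_type, dns=()):  # constructed sample message, fixed xid 0x000001
    body = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    opt = struct.pack("!HH", OPTION_DNS_SERVERS, len(body)) + body if dns else b""
    return bytes([msg_type]) + b"\x00\x00\x01" + opt

# Constructed capture: a client Solicit, a Reply from the real server, and an Advertise
# from an unknown link-local host that hands out itself as the DNS server.
SAMPLE_FRAMES = [("fe80::10", build_dhcpv6(SOLICIT)),
                 ("fe80::2", build_dhcpv6(REPLY, ["2001:db8::53"])),
                 ("fe80::bad", build_dhcpv6(ADVERTISE, ["fe80::bad"]))]
```

The DNS servers carried in the flagged message are reported because a rogue server's main goal here is to become the clients' resolver; an empty authorized set makes every DHCPv6 server message an alert, which is the right baseline on a network that does not deploy IPv6.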

Attack Hierarchy

The technique becomes particularly devastating when combined with NTLM relay attacks using tools like ntlmrelayx from the Impacket framework.

By spoofing Web Proxy Auto-Discovery Protocol (WPAD) services and relaying authentication attempts, attackers can capture credentials and escalate privileges across enterprise networks.

The attack’s effectiveness stems from three critical Active Directory default configurations that organizations often overlook.

First, Windows machines prioritize DHCPv6 over DHCPv4 ...


Copyright of this story solely belongs to gbhackers. To see the full text click HERE.