A sophisticated cyberattack technique has emerged, combining MITM6 and NTLM relay methods to achieve full compromise of Active Directory domains. This attack exploits Windows’ default IPv6 auto-configuration behavior, enabling attackers to escalate privileges from basic network access to Domain Administrator rights within minutes.
Understanding the Attack Mechanism
The attack leverages Windows’ automatic IPv6 configuration, a feature where systems send DHCPv6 requests upon booting or connecting to a network. Even in environments not actively utilizing IPv6, Windows machines prioritize IPv6 over IPv4, creating a potential vulnerability.
Attackers deploy the ‘mitm6’ tool to act as a rogue DHCPv6 server, responding to these requests and assigning malicious DNS server addresses to victim machines. By executing the command `sudo mitm6 -d target.local –no-ra`, the attacker establishes themselves as the authoritative DNS server for the target domain.
Following this, the ‘ntlmrelayx’ tool from the Impacket toolkit is used to intercept NTLM authentication attempts through WPAD (Web Proxy Auto-Discovery Protocol) spoofing. The command `sudo impacket-ntlmrelayx -ts -6 -t ldaps://target.local -wh fakewpad –add-computer –delegate-access` allows the creation of malicious computer accounts and the configuration of Resource-Based Constrained Delegation (RBCD).
Active Directory’s default setting, `ms-DS-MachineAccountQuota`, permits any authenticated user to add up to 10 machine accounts. Attackers exploit this by creating controlled computer objects and modifying their `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, enabling impersonation of privileged accounts, including Domain Administrators.
Potential Consequences
The ramifications of this attack extend beyond initial network compromise. Once successful, attackers can extract NTLM hashes using tools like `secretsdump.py` and conduct lateral movement with utilities such as CrackMapExec. This can lead to full domain compromise, credential theft, service disruption, and potential data exfiltration. The attack’s stealthy nature makes detection challenging, as it abuses legitimate Windows protocols.
Mitigation Strategies
To defend against this attack, organizations should consider the following measures:
1. Disable IPv6 if Unused: If IPv6 is not required, disabling it can prevent Windows clients from querying for a DHCPv6 server, thereby mitigating the risk.
2. Set `ms-DS-MachineAccountQuota` to 0: This prevents unauthorized creation of computer accounts, reducing the attack surface.
3. Enforce SMB and LDAP Signing: Enabling signing for SMB and LDAP can prevent relay attacks by requiring all traffic to be signed.
4. Implement DHCPv6 Guard: Deploying DHCPv6 Guard on switches and routers can block unauthorized IPv6 advertisements, thwarting rogue DHCPv6 servers.
This attack underscores how default configurations can create significant security vulnerabilities. It emphasizes the need for proactive hardening of Active Directory environments and continuous monitoring for rogue network services.
