
Unveiling the Vulnerability: IPv6 Configuration and the MITM6 + NTLM Relay Threat to Corporations

Uncover the methods behind MITM6 and NTLM-Relay: Exploring Windows IPv6 Networks for Cyber Attacks

IPv6 Configuration Automation Leaves Companies Exposed Through MITM6 and NTLM Relay Attacks

In the realm of cybersecurity, a new threat has emerged that could potentially compromise Windows networks and Active Directory (AD) environments. This threat, known as the MITM6 + NTLM-Relay attack, serves as a wake-up call for defenders to review their AD security configuration meticulously.

The attack progresses through several steps. First, attackers set up rogue DHCPv6 and DNS servers so that Windows clients, which prefer IPv6 by default, send their DNS queries to the attacker; the attacker then intercepts and relays the resulting NTLM authentication attempts. From there they harvest password hashes, identify vulnerable hosts, and take control of compromised systems.

One of the tools used in combination with the MITM6 technique is the well-known ntlmrelayx from the Impacket framework. Together they allow attackers to intercept NTLM authentications and forward them to other services, giving them access under the victim's credentials.

Compromised machine accounts or newly created rogue accounts can provide attackers with long-term access, even if the initial entry points are discovered and removed. With valid credentials, they can move within the network, access file shares, mail servers, and critical infrastructure, allowing them to spread malware or ransomware.

Attackers can impersonate privileged accounts, such as domain administrators, by abusing Resource-Based Constrained Delegation (RBCD) and forwarding NTLM authentication data to domain controllers, leading to full control over the Active Directory environment.

In standard configurations of Active Directory, any authenticated user can add new computer accounts, which can be exploited to gain privileged access or complete domain takeover. Service disruption also occurs during the attack, because the DNS poisoning causes outages or performance degradation for end users.

Data exfiltration is possible with access to sensitive accounts and systems, resulting in data breaches and compliance violations. The MITM6 + NTLM-Relay attack has severe consequences, as it combines network monitoring with techniques for privilege escalation.

To defend against this attack, several measures can be taken. Companies should disable IPv6 if not used, block DHCPv6 and Router Advertisements, segment network traffic, enforce SMB and LDAP signing, disable NTLM where possible, enable Extended Protection for Authentication (EPA), and monitor for unwanted DHCPv6 servers, unusual computer account creation or modification in AD, and NTLM relay indicators.
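As an added example (not code from the article or from Resecurity), the following Python parser inspects DHCPv6 Advertise/Reply payloads, the messages a rogue mitm6 server sends to clients, and flags any server DUID or DNS server address outside an allowlist; the sanctioned DUID, the resolver address fd00:10::53 and the sample message are constructed assumptions.

```python
import struct
from ipaddress import IPv6Address

# DHCPv6 constants (RFC 8415 message types, RFC 3646 DNS option)
MSG_ADVERTISE, MSG_REPLY = 2, 7
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23

# Constructed allowlist (assumption): DUID of the one sanctioned DHCPv6 server and
# the corporate resolver. A rogue server answers Solicits with its own DUID and DNS.
AUTHORISED_DUIDS = {bytes.fromhex("000100012a1b3c4d0011223344aa")}
AUTHORISED_DNS = {IPv6Address("fd00:10::53")}

def parse_dhcp6(payload):
    """Return (msg_type, server_duid, [dns servers]) from a DHCPv6 UDP payload:
    1-byte msg-type, 3-byte transaction-id, then code/len/data options."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    duid, dns, off = b"", [], 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        data = payload[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("option %d overruns payload" % code)
        if code == OPT_SERVERID:
            duid = data
        elif code == OPT_DNS_SERVERS:  # concatenated 16-byte IPv6 addresses
            dns = [IPv6Address(data[i:i + 16]) for i in range(0, length // 16 * 16, 16)]
        off += 4 + length
    return payload[0], duid, dns

def rogue_indicators(payload):
    """Reasons a server-originated DHCPv6 message looks like a rogue (mitm6-style) server."""
    msg_type, duid, dns_servers = parse_dhcp6(payload)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []  # Solicit/Request come from clients; nothing to judge
    reasons = []
    if duid not in AUTHORISED_DUIDS:
        reasons.append("unknown server DUID " + duid.hex())
    reasons += ["DNS server %s not on allowlist" % a for a in dns_servers if a not in AUTHORISED_DNS]
    return reasons

def build_advertise(duid, dns):
    """Constructed sample: minimal Advertise carrying Server-ID and DNS options."""
    addr = IPv6Address(dns).packed
    return (bytes([MSG_ADVERTISE, 0, 0, 1])
            + struct.pack("!HH", OPT_SERVERID, len(duid)) + duid
            + struct.pack("!HH", OPT_DNS_SERVERS, len(addr)) + addr)

# Constructed rogue message: unknown DUID pointing clients at a link-local resolver
ROGUE_SAMPLE = build_advertise(bytes.fromhex("000300011122334455aa"), "fe80::1")
```

On a network that is not meant to run DHCPv6 at all, any Advertise or Reply seen on UDP port 546 is itself the indicator, regardless of the allowlist.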

A cybersecurity firm, Resecurity, has uncovered the danger of the MITM6 + NTLM-Relay attack for Active Directory environments. It's crucial for companies to adopt a multi-layered strategy, reducing the attack surface, implementing strong authentication, and continuously monitoring for anomalies like unknown DHCPv6 servers or new machine accounts.

In the face of evolving threats, staying vigilant and proactive is key to maintaining the security of your network and Active Directory environment.
