A recent study by cybersecurity researchers at Resecurity, a cybersecurity solutions provider, has highlighted a surprisingly simple yet dangerous attack vector lurking within Windows environments: one that exploits default network behaviors many organizations overlook.
The attack, combining techniques known as MITM6 and NTLM relay, leverages how Windows handles IPv6 auto-configuration. Even in networks where IPv6 isn’t actively used, Windows devices automatically send out requests that can be exploited by attackers to gain control over entire Active Directory domains.
Attackers position themselves as a rogue network server, responding to Windows’ automatic IPv6 requests with malicious responses. This can lead to DNS poisoning and, crucially, allows the attacker to intercept and relay authentication credentials. Using these captured credentials, they can create new machine accounts or manipulate permissions within Active Directory, the central hub of most corporate networks.
Once inside, the attacker can escalate privileges, impersonate high-level users and move laterally across the network, potentially gaining full control over critical systems, including domain controllers, and putting sensitive data and services at risk.
The attack relies heavily on default configurations: many organizations have neither disabled IPv6 nor hardened their Active Directory settings, leaving a wide-open pathway for exploitation. Since low-privileged users can create new computer accounts in AD by default, attackers don’t need elevated access to start their campaign.
Prevention
Experts advise a layered approach. If IPv6 isn’t necessary, disabling it altogether can eliminate the attack surface. Network devices should also be configured to block rogue DHCPv6 responses and unauthorized IPv6 advertisements.
On the authentication front, enabling SMB and LDAP signing, restricting NTLM usage, and deploying Kerberos-only authentication can make relay attacks much more difficult.
Furthermore, organizations should review their Active Directory permissions, limiting who can create or modify accounts and monitoring for unusual activity.
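The three prevention steps above (disable IPv6 where unused, require SMB/LDAP signing and restrict NTLM, and limit who can create accounts) all come down to a handful of host and domain settings. The following PowerShell script is an added example written for this page, not code from the Resecurity report: it reads each setting and reports whether it matches the hardened value, without changing anything. The registry paths and value names are Microsoft's documented ones; the expected values (for instance DisabledComponents = 0xFF to disable IPv6, and a machine-account quota of 0) are the choices this script assumes, and the LDAP signing check is only meaningful on a domain controller.

```powershell
# Added example (not from the Resecurity report): read-only audit of the
# settings the article's mitigations depend on. Run elevated on a
# domain-joined host; the AD quota check needs the ActiveDirectory module
# (RSAT) and is skipped with a warning if it is not installed.

# Registry-backed controls and the value each should hold.
# DisabledComponents=0xFF is Microsoft's documented value for disabling
# IPv6 on all interfaces; only apply it where IPv6 is genuinely unused.
# RestrictSendingNTLMTraffic: 0=allow, 1=audit, 2=deny; 1 is a sensible
# first step before moving to 2.
$checks = @(
    @{ Name = 'IPv6 disabled (DisabledComponents)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Key  = 'DisabledComponents'; Expected = 0xFF },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LDAP server signing required (domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'Outgoing NTLM to remote servers denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictSendingNTLMTraffic'; Expected = 2 }
)

function Test-RegistryControl {
    param([hashtable]$Check)
    $actual = $null
    try {
        # A missing value is reported as '<not set>', which for all of these
        # keys means the insecure default is in effect.
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Key -ErrorAction Stop).($Check.Key)
    } catch { }
    [pscustomobject]@{
        Control  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $Check.Expected) { 'OK' } else { 'REVIEW' }
    }
}

$results = foreach ($c in $checks) { Test-RegistryControl -Check $c }

# ms-DS-MachineAccountQuota defaults to 10, letting any authenticated user
# join ten machines to the domain; that is the default the attack abuses
# when it creates a new machine account. Setting it to 0 closes that path.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $results += [pscustomobject]@{
        Control = 'ms-DS-MachineAccountQuota'; Expected = 0; Actual = $quota
        Status  = if ($quota -eq 0) { 'OK' } else { 'REVIEW' }
    }
} catch {
    Write-Warning 'ActiveDirectory module unavailable; skipping machine-account quota check'
}

$results | Format-Table -AutoSize
```

Rows marked REVIEW are the ones to take to Group Policy rather than fix by hand on one host: the SMB, LDAP and NTLM settings above all have corresponding policies under Security Options, and the quota is a single domain attribute, so an organization can close the whole default-configuration gap the article describes centrally and then re-run this audit to confirm.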
The findings underscore that security is not just about patching software; it’s also about understanding and configuring your environment securely from the ground up. Default settings can be the weakest link if they are not properly managed.
Regularly auditing account creation and account changes, and using network monitoring tools, can also reveal signs of rogue activity such as unauthorized DHCP servers or abnormal authentication patterns. Staying informed about emerging attack methods and proactively adjusting configurations helps catch potential issues early.
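Two of the monitoring signals mentioned above are easy to check from a domain-joined host: a burst of computer-account creations by an ordinary user (Security event 4741, "A computer account was created"), and an interface that has quietly acquired an IPv6 DNS server from a rogue DHCPv6 server. The PowerShell below is an added example, not code from the Resecurity report. The provisioning account names, the constructed sample events and the threshold of three creations in ten minutes are assumptions for illustration; the 4741 field names (SubjectUserName, TargetUserName) and the cmdlets used are standard Windows ones.

```powershell
# Added example (not from the Resecurity report). Two detection checks:
#  1. Flag Security event 4741 (computer account created) when the creator
#     is not a known provisioning account, or creates several accounts
#     within a short window.
#  2. List interfaces that currently hold an IPv6 DNS server address, the
#     first visible symptom of a rogue DHCPv6 server on an IPv4-only LAN.

# Accounts legitimately allowed to join machines (assumed names; adjust).
$provisioners = @('svc-sccm', 'svc-autopilot')

function Find-SuspiciousComputerCreation {
    param(
        [object[]]$Events,          # objects with TimeCreated, Creator, Target
        [string[]]$Allowed = $provisioners,
        [int]$Threshold = 3,        # creations by one account inside the window
        [int]$WindowMinutes = 10
    )
    $findings = @()
    # Rule 1: anyone outside the provisioning list creating a computer account.
    foreach ($e in $Events) {
        if ($Allowed -notcontains $e.Creator) {
            $findings += [pscustomobject]@{
                Time = $e.TimeCreated; Creator = $e.Creator; Target = $e.Target
                Reason = 'creator is not a provisioning account'
            }
        }
    }
    # Rule 2: a sliding window over each creator's sorted timestamps.
    foreach ($group in ($Events | Group-Object Creator)) {
        $times = @($group.Group.TimeCreated | Sort-Object)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $findings += [pscustomobject]@{
                    Time = $times[$i]; Creator = $group.Name; Target = '*'
                    Reason = "$Threshold accounts created within $WindowMinutes min"
                }
                break
            }
        }
    }
    return $findings
}

# Converts a real 4741 record from Get-WinEvent into the shape used above.
function ConvertFrom-Event4741 {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $x = [xml]$Record.ToXml()
    $field = { param($n) ($x.Event.EventData.Data | Where-Object Name -eq $n).'#text' }
    [pscustomobject]@{
        TimeCreated = $Record.TimeCreated
        Creator     = & $field 'SubjectUserName'   # who created the account
        Target      = & $field 'TargetUserName'    # the new computer account
    }
}

# Constructed sample: one provisioning account, and an ordinary user who
# joins four machines in about two minutes, the pattern the relay step leaves.
$t0 = Get-Date '2024-01-01 09:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                  Creator = 'svc-sccm'; Target = 'WS-0101$' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30);   Creator = 'jdoe';     Target = 'DESKTOP-A$' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30.5); Creator = 'jdoe';     Target = 'DESKTOP-B$' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(31);   Creator = 'jdoe';     Target = 'DESKTOP-C$' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(32);   Creator = 'jdoe';     Target = 'DESKTOP-D$' }
)
Find-SuspiciousComputerCreation -Events $sample | Format-Table -AutoSize

# Live use on a domain controller (uncomment):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741 } |
#         ForEach-Object { ConvertFrom-Event4741 $_ }
# Find-SuspiciousComputerCreation -Events $live | Format-Table -AutoSize

# Check 2: on a network that runs no IPv6 DNS, any interface with an IPv6
# DNS server configured deserves a look.
Get-DnsClientServerAddress -AddressFamily IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses
```

On the constructed sample, rule 1 reports each of jdoe's four creations and rule 2 adds one finding for the burst; svc-sccm produces nothing. Event 4741 only appears if "Audit Computer Account Management" is enabled in the domain controllers' audit policy, so that setting is a prerequisite for the first check.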
For more detailed insights into this vulnerability and recommended mitigations, check out the full report on Resecurity’s official blog post here.