N-MITM6Credential Access

mitm6 — IPv6 SLAAC Attack

Windows prefers IPv6; advertise yourself as the IPv6 DNS server, relay authentication via wpadwpadwpad / NTLM.

§ Where this technique fits

N-MITM6 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
step 2 / 7

§ What commonly comes next

01
WPAD Proxy Auto-Config Injection
N-WPAD-INJECTION · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

mitm6 IPv6 SLAAC → NTLM relay → DA

§ What commonly comes next