mitm6 IPv6 SLAAC → NTLM relay → DA

§ Context

Assumed environment: attacker on the LAN. Domain joined Windows clients with default network settings (IPv6 enabled, DHCPv6 enabled). LDAP signing not enforced.

§ Steps

1. 01
   Foothold on LANInitial Access

   T1078— Valid Accounts
2. 02
   Write msDS-AllowedToActOnBehalfOfOtherIdentityLateral Movement

   AD-RBCD— Resource-Based Constrained Delegation (RBCD) Abuse
3. 03
   S4U2self → Admin on targetLateral Movement

   T1550.003— Pass the Ticket
4. 04
   DCSync via the new admin hostCredential Access

   T1003.006— DCSync
5. 05
   ntlmrelayx → LDAPS, --delegate-accessCredential Access

   T1557.001— LLMNR/NBT-NS Poisoning and SMB Relay
6. 06
   Start mitm6 (IPv6 DNS poison)Credential Access

   N-MITM6— mitm6 — IPv6 SLAAC Attack
7. 07
   Serve wpad.datCredential Access

   N-WPAD-INJECTION— WPAD Proxy Auto-Config Injection

§ References

• T1078Valid Accounts
• T1550.003Pass the Ticket
• T1003.006DCSync
• T1557.001LLMNR/NBT-NS Poisoning and SMB Relay

§ Frequently asked

What is the "mitm6 IPv6 SLAAC → NTLM relay → DA" attack path?

Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD. It chains 7 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Foothold on LAN (T1078) — a initial access primitive. Assumed environment: attacker on the LAN.

What is the final impact of this kill-chain?

The final step lands on Serve wpad.dat (N-WPAD-INJECTION), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques4

  PetitPotam + ADCS ESC8 → Domain Controller takeover

  Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.

• Shared techniques3

  Unconstrained delegation → Capture DC TGT → DCSync

  Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.

• Shared techniques3

  ADCS ESC1 → Domain Admin

  A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.

• Shared techniques3

  ADCS ESC11 → certificate via RPC (no web enrollment)

  When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.

• Shared techniques3

  MachineAccountQuota abuse → RBCD takeover of a server

  Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.

• Shared techniques2

  Citrix Bleed → steal authenticated session → MFA bypass

  Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.