A dormant IPv6 feature is a backdoor for Windows attackers, security researchers warn. Enabled by default, if unused and left unchecked, it can lead to a complete domain compromise.
IPv6 might not be widely used, but Windows enables it by default and prioritizes it over the older IPv4 version, which has very serious security repercussions.
If hackers have access to a single device on the network, even an IoT one, they can transform it into a fake configuration and DNS server. Windows computers will trust and prefer malicious instructions over the existing IPv4 configuration.
Resecurity, a cybersecurity firm, warns that this allows attackers to hijack a computer’s connections: redirect users to malicious websites, intercept credentials, and, ultimately, seize the entire network. Previously, the DNS takeover technique was also detailed by VK9 Security and other network defenders.
The researchers have detailed how attackers can achieve a complete domain compromise: a total takeover of what can be described as the corporate security nerve center.
And attackers only need minutes to perform the attack.
“By combining rogue DHCPv6 responses, DNS poisoning, WPAD abuse, and NTLM relay, attackers can stealthily escalate from unauthenticated network access to full Domain Admin control in a matter of minutes,” the Resecurity report reads.
Just a few steps to a complete takeover
Windows machines, by default, constantly request network configurations, such as the DNS server. While most users have IPv4 networks set up, this behaviour is present for IPv6, too, even if the network does not actively use it.
In the first attack phase, a hacker would need to find a way to provide the answer. While it may be hard to compromise a router, which often acts as a DHCP server for IPv4, any device can be abused to provide IPv6 configuration.
“Step 1 – become the fake DHCPv6 server,” Resercurity explains.
Even low-powered Linux IoT devices can be abused to run mitm6, an open-source pentesting tool used to take over the default DNS server, available on GitHub.
Spoofing IPv6 DNS already gives attackers a lot of control – i.e., they can divert unsuspecting users to cloned malicious websites.
However, they can also discover the domain controller and intercept users’ login credentials when they try to access a network resource.
Ultimately, the attacker presents the stolen handshake to the Domain Controller, impersonating a privileged user, and creates an account in Active Directory. From here, attackers would have complete freedom to execute commands and access resources, leading to full compromise.
The technique, dubbed “MITM6 + NTLM Relay attack,” has severe consequences for Active Directory environments.
“It combines network interception with privilege escalation techniques,” Resecurity warns.
“The MITM6 + NTLM Relay attack is a textbook example of how small configuration oversights can be chained into a full-scale Active Directory compromise.”
The security researchers urge network defenders to completely disable IPv6 if it is not in use. This will prevent malicious configurations from being processed.
IPv6 network administrators use switches and routers with RA Guard/DHCPv6 Guard to block unauthorized IPv6 advertisements and rogue DHCP servers on the network.
Other mitigations include authentication and Active Directory configuration hardening, monitoring, and detection.
Your email address will not be published. Required fields are markedmarked