Total Takeover: The Attack That Seizes Your Active Directory With Default Settings
Researchers at Resecurity have drawn attention to an exceptionally dangerous attack that enables adversaries to seize full control over an organization’s Active Directory domain infrastructure—all while exploiting default Windows configurations. The technique combines MITM6, which injects a rogue IPv6 configuration, with NTLM Relay, where intercepted credentials are relayed to targeted services. This synergy effectively transforms an enterprise network into a fertile ground for compromise, even in environments where administrators do not actively use IPv6.
The weakness lies in the fact that Windows systems automatically solicit DHCPv6 configuration at startup, allowing attackers to answer as a rogue IPv6 server. By manipulating DNS responses and the WPAD protocol, adversaries can redirect traffic, intercept authentication attempts, and run ntlmrelayx from the Impacket toolkit to relay the captured NTLM authentication to LDAP. This process enables the creation of fraudulent computer accounts that can impersonate privileged users.
The situation is further exacerbated by three built-in characteristics of Active Directory:
- At system startup, DHCPv6 traffic takes precedence, instantly exposing the attack vector.
- By default, any domain account can register up to ten computers, courtesy of the ms-DS-MachineAccountQuota parameter.
- Newly created computer objects can modify their own msDS-AllowedToActOnBehalfOfOtherIdentity attribute, making Resource-Based Constrained Delegation (RBCD) exploitation possible.
Together, these traits allow attackers to escalate privileges all the way to Domain Admin.
Once credentials are captured, attackers typically deploy secretsdump.py to extract password hashes and CrackMapExec to test the stolen credentials across multiple systems. The final phase involves remote administration via WMIExec or PsExec, granting persistence within the infrastructure, lateral movement between hosts, and long-term access. Attackers may also employ DNS poisoning to disrupt critical services, amplifying the destructive impact.
Experts warn that the consequences of such attacks are catastrophic—ranging from credential theft and lateral spread to the deployment of ransomware. Recovering from a full domain compromise demands immense effort and time, and even then, intruders may linger in the environment long after the original vector has been closed.
To mitigate risk, specialists recommend disabling IPv6 in environments where it is unnecessary, enforcing LDAP signing and Channel Binding, restricting machine account creation, and closely monitoring anomalous DHCP events. Network segmentation offers an additional defensive layer, limiting adversarial movement across systems. Above all, this case underscores the grave danger of relying on default Windows settings and neglecting rigorous domain security hardening.
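As an added example (not code from the article or from Resecurity), the following PowerShell audit checks a domain controller for the settings these recommendations cover: the machine account quota, LDAP signing, LDAP channel binding and the IPv6 state. It assumes it runs on a DC with the ActiveDirectory module installed; the registry values and cmdlets are standard Windows ones, and the pass criteria are this example's own assumptions about what "hardened" means.

```powershell
# Added example: audit one DC for the mitigations discussed above (not the article's code).
# Assumes: run elevated on a domain controller with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, which for these keys means "Windows default".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-AdRelayHardeningReport {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $tcp6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $sign   = Get-RegDword $ntds 'LDAPServerIntegrity'        # 2 = signing required
    $cbt    = Get-RegDword $ntds 'LdapEnforceChannelBinding'  # 2 = channel binding always
    $v6     = Get-RegDword $tcp6 'DisabledComponents'         # 0xFF = IPv6 off except loopback

    @(
        [pscustomobject]@{ Check = 'ms-DS-MachineAccountQuota'; Value = $quota
            Pass = ($quota -eq 0)
            Fix  = "Set-ADDomain -Identity $($domain.DNSRoot) -Replace @{'ms-DS-MachineAccountQuota'=0}" }
        [pscustomobject]@{ Check = 'LDAPServerIntegrity (LDAP signing)'; Value = $sign
            Pass = ($sign -eq 2)
            Fix  = "Set-ItemProperty -Path '$ntds' -Name LDAPServerIntegrity -Value 2" }
        [pscustomobject]@{ Check = 'LdapEnforceChannelBinding (LDAPS CBT)'; Value = $cbt
            Pass = ($cbt -eq 2)
            Fix  = "Set-ItemProperty -Path '$ntds' -Name LdapEnforceChannelBinding -Value 2" }
        [pscustomobject]@{ Check = 'Tcpip6 DisabledComponents'; Value = $v6
            Pass = ($v6 -eq 0xFF)
            Fix  = "Set-ItemProperty -Path '$tcp6' -Name DisabledComponents -Value 0xFF (reboot required)" }
    )
}

# Print the report; every row with Pass = False is a gap the attack chain above can use.
Get-AdRelayHardeningReport | Format-Table Check, Value, Pass, Fix -AutoSize -Wrap
```

The IPv6 check treats anything other than a full disable as a finding; Microsoft documents that fully disabling IPv6 can break some Windows components, so preferring IPv4 (DisabledComponents 0x20) together with blocking DHCPv6 at the host firewall is a common alternative that this audit would still flag. Registry changes to the NTDS values take effect on the LDAP service after a restart of the DC.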