Get a FREE Software Audit - Including Risks and Countries of Origin
Back to Blogs Back to Press Releases
ThreatLocker Blog Header: Active Directory(AD) Hardening

IPv6 Attacks: How to Harden Active Directory

Table of Contents

Defense First Mindset

Active Directory Hardening (AD) is of utmost importance in the ever-changing digital landscape as companies seek to expand and create new Infrastructure. Our commitment to your organization's security goes beyond mere information dissemination; it's about empowering you with the latest knowledge and strategies needed to defend against the relentless adversaries lurking in the digital shadows. This article presents the best practices for keeping your organization safe and the most common attacks that are still actively being sought out in the wild by threat actors.

About IPv6 Attacks

Before we dive into the attack vector me must understand what IPv6 is. Internet Protocol version 6 is the most recent version of the Internet Protocol (IP), which is the set of rules governing the format of data sent across the internet or local networks. Designed to replace IPv4, it addresses the limitation of IP addresses in the older version by using 128-bit addresses, allowing for a vastly larger number of unique IP addresses. This expansion was deemed necessary as we slowly run out of IPv4 addresses.

An IPv6 attack refers to a malicious activity that specifically targets the IPv6 infrastructure of a network. DesActive pite IPv6’s improved security features, it is not immune to cyber threats. These attacks can come in various forms, such as unauthorized data interception, denial-of-service (DoS) attacks, or reflection/amplification attacks that exploit the larger packet size of IPv6. Since IPv6 operates differently from IPv4, it requires distinct security considerations; attackers often exploit these differences or the lack of familiarity among network administrators with IPv6 security protocols.

How Hackers Exploit IPv6

Understanding how a hacker thinks is crucial. Although there are a few methods in regard to exploiting IPv6 we will be covering a Man-In-The-Middle technique via DNS takeover, as we previously discussed IPv6 is enabled by default. Furthermore, IPv6 configurations are often set to acquire an address automatically from a DHCP server. However, in many instances, network administrators do not proactively manage IPv6 configurations. Consequently, DHCP servers are typically not set up to handle IPv6 management on these networks as seen in the image below.

Screenshot of Windows Wifi and Internet Protocol settings, highlighting absence of IPv6 management on DHCP networks.
Figure 1. Wifi Properties and Internet Protocol Version 6 Properties

If an attacker's system is positioned to capture IPv6 traffic, it has the potential to intercept authentication requests and seize NTLM credentials. These credentials can then be relayed to a Domain Controller using tools like ntlmrelayx. Should the compromised authentication request originate from a Domain Administrator, the attacker is in a position to exploit those NTLM credentials to fabricate a user account within the domain for their own use. A tool such as mitm6 can facilitate this process automatically. In simpler terms if an attacker is posing as the DNS Server with mitm6 they can extract crucial AD data and automatically create an account within the victim's domain. This is triggered by a user restarting their endpoint or logging in amongst other actions.


Detecting and mitigating IPv6 attacks can pose a formidable challenge, given their often-sophisticated methods and tools. Nonetheless, organizations and individuals can adopt certain measures to defend against such attacks:

  • Disabling IPv6 when it is not in use on your internal network will stop Windows clients from searching for a DHCPv6 server, thus eliminating the possibility of seizing control over the DNS server.
  • Disable WPAD if it is not in use, this can be achieved via Group Policy (GPO).
  • Enable LDAP signing to forestall unsigned connections to LDAP.
  • Implement SMB signing, obligating all traffic to be signed, to hinder relaying to SMB.

ThreatLocker Mitigation

Our Team at ThreatLocker has automated the mitigation of IPv6 attacks through Configuration Manager. We have created a Configuration Manager policy titled “Disable IPv6”. If you wish to apply it to your environment, follow these steps:

  1. Select Modules
  2. Select Config Manager
  3. Select New Policy
  4. Set the Policy Level for your organization
  5. Select the dropdown for configuration
  6. Under AD Hardening Policies Select “Disable IPv6”
  7. Select Create Policy
Screenshot of ThreatLocker Configuration Manager Policy Creation for Disabling IPv6
Configuration Manager Policy Creation