IPv6 – The Unmonitored Attack Surface


Overview – Why Flat Networks Kill Security

If we had to pick one issue that shows up on almost every internal penetration test, regardless of industry or company size, it would be this:

Flat networks. No segmentation. Everything can talk to everything.

It’s not flashy. It doesn’t involve a zero day. And it’s usually not considered a “finding” anyone gets excited about fixing. But in practice, flat networks are the single biggest reason internal attacks succeed so quickly and so completely. We’ve seen environments with good EDR, strong perimeter controls, and decent patching still fall apart internally, not because those tools failed, but because the network gave the attacker freedom of movement.

What Are Flat Networks?

A flat network is one where:
● User workstations can talk to other workstations freely
● Workstations can directly reach system-critical servers, think backups or certificate services
● Servers can reach domain controllers without restrictions
● VLANs exist (sometimes), but there are no meaningful access controls between them
● “Internal” traffic is largely trusted by default

In other words, once you’re inside, you’re everywhere. The below image demonstrates what a flat network may look like –

[Image: Sample Flat Network]

Why It Matters

Flat networks make name resolution and relay attacks trivial:

● LLMNR/NBT-NS/MDNS Poisoning
● IPv6 DNS Poisoning
● NTLM Relaying

When every host can see broadcast or multicast traffic, credential interception becomes easy. If SMB or LDAP signing is missing (often the case), those credentials can usually be relayed, not cracked.

Attack Vectors

Overview – Attack Vectors

Flat networks create a multitude of attack vectors for adversaries and penetration testers alike to conduct name resolution and relay attacks (amongst other things). Below, we cover some of the common attacks conducted once the internal perimeter is breached.

1. LLMNR/NBT-NS/MDNS Poisoning

Link-Local Multicast Name Resolution (LLMNR) is a name resolution protocol that allows IPv4 and IPv6 hosts to resolve the names of other devices on the same local network without requiring a DNS server or DNS configuration.

When a DNS query fails because the DNS server cannot resolve the requested hostname, the system falls back to LLMNR. The host sends a broadcast request on the local network, allowing any other host that recognises the name to respond.

LLMNR poisoning is an attack where a malicious actor listens on a flat network for LLMNR requests and responds with their own IP address (or another IP of their choosing) to redirect the traffic. This can lead to credential theft and relay attacks in Active Directory.

This attack is further explored in the following blog post – Name Resolution Poisoning – The Attack That Won’t Die
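A defender-side way to catch the poisoning described above is to probe for a “canary” name that is deliberately never registered anywhere on the network: no legitimate host will ever answer for it, so any LLMNR response that claims the name is a spoofer. The Python below is an added example written for this post, not code from the original or from any tool; it encodes and decodes LLMNR’s DNS-style wire format and runs the check over constructed sample packets (the addresses and the canary name `fileshare-canary` are assumptions).

```python
import ipaddress
import struct

# LLMNR (RFC 4795) reuses the DNS message format on UDP port 5355.
LLMNR_PORT = 5355
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
FLAG_RESPONSE = 0x8000


def encode_name(name):
    """Encode a host name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode DNS labels at offset, following compression pointers.
    Returns (name, offset just past the name as it appears in the stream)."""
    labels, jumped, next_off = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            if not jumped:
                next_off = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                next_off = offset
            return ".".join(labels), next_off
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_llmnr_query(name, txid):
    """A one-question LLMNR query for an A record, as a host falling back from DNS sends it."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_llmnr_message(data):
    """Parse header, questions and A/AAAA answers of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        off += 4  # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append((name, str(ipaddress.IPv6Address(rdata))))
    return {"txid": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def detect_canary_answers(packets, canary_names):
    """packets: iterable of (sender_ip, llmnr_payload). A canary name is never
    registered on the network, so any answer for it comes from a poisoner."""
    canaries = {c.lower() for c in canary_names}
    alerts = []
    for sender, raw in packets:
        msg = parse_llmnr_message(raw)
        if not msg["is_response"]:
            continue
        for name, claimed_ip in msg["answers"]:
            if name.lower() in canaries:
                alerts.append({"responder": sender, "name": name,
                               "claimed_ip": claimed_ip, "txid": msg["txid"]})
    return alerts


def make_sample_response(txid, name, ip, ttl=30):
    """Constructed test data only: an LLMNR answer mapping name -> ip, with the
    answer's name given as a compression pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = ipaddress.IPv4Address(ip).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


# Constructed sample traffic (assumed addresses); "fileshare-canary" is the
# deliberately unregistered name the monitor queries for.
CANARY_NAMES = ["fileshare-canary"]
SAMPLE_PACKETS = [
    ("10.0.0.21", build_llmnr_query("fileshare-canary", 0x1234)),                  # monitor's own probe
    ("10.0.0.99", make_sample_response(0x1234, "fileshare-canary", "10.0.0.99")),  # spoofed answer
    ("10.0.0.50", make_sample_response(0x5678, "printer01", "10.0.0.50")),         # genuine host
]

if __name__ == "__main__":
    for alert in detect_canary_answers(SAMPLE_PACKETS, CANARY_NAMES):
        print(f"ALERT: {alert['responder']} answered canary {alert['name']} with {alert['claimed_ip']}")
```

In production the probe would be sent to the LLMNR multicast group from a monitoring host and the packets fed to `detect_canary_answers` from a capture; the alert’s `responder` address is the host to investigate. The same canary approach works for NBT-NS and mDNS, which is why the fix on the recommendations list is to disable these fallbacks rather than to rely on detection alone.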

2. IPv6 DNS Poisoning

An IPv6 poisoning attack takes advantage of the way many networks automatically trust IPv6, even when the company primarily uses IPv4.

In many environments, IPv6 is enabled by default on modern operating systems, but it is not actively monitored or properly configured. When a device joins a network, it listens for IPv6 configuration messages to learn how it should communicate. A tool known as “mitm6” abuses this behaviour by pretending to be a legitimate IPv6 infrastructure service on the local network.

When the attack is launched, the tool sends out forged network messages across the flat network that convince nearby devices that the attacker’s system is the correct gateway or DNS service for IPv6 traffic. Because the devices trust these messages, they begin sending certain network requests to the attacker instead of the real infrastructure.

Once this happens, the attacker can quietly position themselves between users and key company services. This allows them to observe traffic, manipulate responses, or redirect users to malicious systems without raising obvious alerts. In a Windows environment, this often leads to the interception of authentication requests, which can then be relayed or cracked to gain access to internal systems.

This attack is further explored in the following blog post – IPv6 – The Unmonitored Attack Surface
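The configuration messages the section above refers to are, for mitm6, DHCPv6 Advertise and Reply messages that hand the victim a DNS server address. On a network that has no sanctioned IPv6 deployment there should be no DHCPv6 server traffic at all, which makes this straightforward to alert on. The following Python is an added example written for this post, not code from the original or from mitm6; it parses the DHCPv6 message header and option list, pulls out the advertised DNS servers, and flags server-side messages from an unexpected source or carrying unapproved DNS servers. The capture it runs over is constructed, and every address in it is an assumption (`2001:db8::/32` is the documentation prefix).

```python
import ipaddress
import struct

# DHCPv6 (RFC 8415): clients send to UDP 547 from 546; servers answer from 547.
DHCPV6_SERVER_PORT = 547
MSG_SOLICIT, MSG_ADVERTISE, MSG_REPLY = 1, 2, 7
OPT_CLIENTID, OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 2, 23, 24
SERVER_MESSAGES = {MSG_ADVERTISE, MSG_REPLY}


def parse_dhcpv6(payload):
    """Parse msg-type, the 3-byte transaction id and the TLV option list."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 message")
    msg_type, txid = payload[0], int.from_bytes(payload[1:4], "big")
    options, off = [], 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", payload[off:off + 4])
        data = payload[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options.append((code, data))
        off += 4 + length
    return {"type": msg_type, "txid": txid, "options": options}


def advertised_dns_servers(msg):
    """IPv6 addresses carried in OPTION_DNS_SERVERS (23), 16 bytes each."""
    servers = []
    for code, data in msg["options"]:
        if code == OPT_DNS_SERVERS:
            for i in range(0, len(data) - len(data) % 16, 16):
                servers.append(str(ipaddress.IPv6Address(data[i:i + 16])))
    return servers


def audit_dhcpv6(packets, authorised_servers, authorised_dns):
    """packets: iterable of (src_ipv6, src_port, payload).
    Flags any Advertise/Reply from a source not in authorised_servers, or one
    that hands out DNS servers not in authorised_dns. On a network with no IPv6
    deployment both allow-lists are empty, so every Advertise/Reply is an alert."""
    servers = {str(ipaddress.IPv6Address(a)) for a in authorised_servers}
    dns = {str(ipaddress.IPv6Address(a)) for a in authorised_dns}
    alerts = []
    for src, src_port, payload in packets:
        msg = parse_dhcpv6(payload)
        if msg["type"] not in SERVER_MESSAGES:
            continue
        src = str(ipaddress.IPv6Address(src))
        reasons = []
        if src not in servers:
            reasons.append(f"unexpected DHCPv6 server {src} (port {src_port})")
        rogue = [d for d in advertised_dns_servers(msg) if d not in dns]
        if rogue:
            reasons.append("unapproved DNS servers: " + ", ".join(rogue))
        if reasons:
            alerts.append({"src": src, "type": msg["type"], "txid": msg["txid"], "reasons": reasons})
    return alerts


def build_dhcpv6(msg_type, txid, options):
    """Constructed test data only: assemble a DHCPv6 message from (code, data) options."""
    body = bytes([msg_type]) + txid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


def dns_option(*addresses):
    """Constructed test data only: the payload of OPTION_DNS_SERVERS."""
    return b"".join(ipaddress.IPv6Address(a).packed for a in addresses)


# Constructed sample capture (all addresses assumed): a client Solicit, a legitimate
# Advertise from the sanctioned server, and a Reply from an unknown host that names
# itself as the DNS server and pushes a search list.
AUTHORISED_SERVERS = ["fe80::53"]
AUTHORISED_DNS = ["2001:db8::53"]
SAMPLE_PACKETS = [
    ("fe80::1", 546, build_dhcpv6(MSG_SOLICIT, 0xABCDEF, [(OPT_CLIENTID, b"\x00\x01duid")])),
    ("fe80::53", 547, build_dhcpv6(MSG_ADVERTISE, 0xABCDEF,
        [(OPT_SERVERID, b"\x00\x02srv"), (OPT_DNS_SERVERS, dns_option("2001:db8::53"))])),
    ("fe80::dead:beef", 547, build_dhcpv6(MSG_REPLY, 0xABCDEF,
        [(OPT_SERVERID, b"\x00\x02bad"), (OPT_DNS_SERVERS, dns_option("fe80::dead:beef")),
         (OPT_DOMAIN_LIST, b"\x04corp\x05local\x00")])),
]

if __name__ == "__main__":
    for alert in audit_dhcpv6(SAMPLE_PACKETS, AUTHORISED_SERVERS, AUTHORISED_DNS):
        print(f"ALERT from {alert['src']} (msg type {alert['type']}): " + "; ".join(alert["reasons"]))
```

The source address check matters as much as the option check: mitm6-style tooling answers from a link-local address on the same segment, which is exactly what a flat network lets it do. Where IPv6 is genuinely unused, the simpler fix is to drop inbound UDP 546 traffic at the switch or host firewall, or to prefer IPv4 on the endpoints, and to treat any DHCPv6 server traffic as an incident.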

3. NTLM Relaying

NTLM relaying is an attack that abuses how Windows systems authenticate to one another on an internal network. Instead of stealing passwords, an attacker intercepts a legitimate authentication attempt and forwards it to another service in real time, effectively impersonating the user.

If the relayed authentication is accepted, the attacker gains access without needing credentials. Relaying to SMB can provide access to file shares or administrative functions. Relaying to Active Directory over LDAP is particularly impactful, as it can allow changes to directory objects, such as modifying permissions or creating new accounts. When relayed to MSSQL, the attacker may gain access to databases or use database permissions to further expand their control.

At a high level, NTLM relaying enables lateral movement and privilege escalation by abusing trusted authentication flows that are still common in many company networks, often without triggering obvious security alerts.

This attack is further explored in the following blog post – NTLM Relaying – When Passwords Don’t Matter

Recommendations

Overview – Recommendations


How To Protect Your Business

Simple, realistic remediations – segmentation doesn’t have to mean zero trust on day one.

● Separate users, servers, and domain controllers
● Block workstation-to-workstation SMB
● Limit access to LDAP, SMB, and RPC from user networks
● Protect domain controllers, ADCS, backup systems and other operation-critical systems
● Disable LLMNR and NBT-NS where possible
● Enable SMB Signing across all Windows hosts
● Even partial segmentation dramatically raises the cost of internal attacks
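Both the NTLM relaying section above and the “Enable SMB Signing across all Windows hosts” recommendation come down to one server-side setting: whether a host will accept an unsigned SMB session. A relayed NTLM authentication never gives the attacker the session key, so a server that requires signing cannot be used as a relay target. The Python below is an added example written for this post, not code from the original or from any tool; it reads the SecurityMode field of an SMB2 NEGOTIATE response (layout per MS-SMB2) and reports which hosts still accept unsigned sessions. The captures it audits are constructed, and the host names are assumptions.

```python
import struct

# SMB2 header and NEGOTIATE response layout per MS-SMB2 2.2.1 / 2.2.4 (little-endian).
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_negotiate_response(data):
    """Extract SecurityMode and dialect from a server's SMB2 NEGOTIATE response."""
    if len(data) < 64 + 6 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", data, 12)[0]   # header: Command at offset 12
    flags = struct.unpack_from("<I", data, 16)[0]     # header: Flags at offset 16
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # body starts after the 64-byte header: StructureSize, SecurityMode, DialectRevision
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def assess_signing(info):
    """'OK' when the server refuses unsigned sessions; 'EXPOSED' when it will accept
    one, which is the condition a relayed NTLM authentication needs."""
    return "OK" if info["signing_required"] else "EXPOSED"


def audit_hosts(captures):
    """captures: {host: negotiate_response_bytes}. Returns hosts that do not require signing."""
    return sorted(host for host, raw in captures.items()
                  if assess_signing(parse_negotiate_response(raw)) == "EXPOSED")


def build_sample_negotiate_response(security_mode, dialect=0x0311):
    """Constructed test data only: a minimal NEGOTIATE response with the given SecurityMode."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 0, 0, 0, 0) + b"\x00" * 16  # StructureSize..SessionId, then the 16-byte Signature
    body = struct.pack(
        "<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x11" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0)
    return header + body


# Constructed captures (host names assumed): one host with signing enabled but not
# required, the common state the post describes, and one that requires it.
SAMPLE_CAPTURES = {
    "fs01.corp.example": build_sample_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED),
    "dc01.corp.example": build_sample_negotiate_response(
        SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED),
}

if __name__ == "__main__":
    for host, raw in SAMPLE_CAPTURES.items():
        info = parse_negotiate_response(raw)
        print(f"{host}: SMB {info['dialect']}, signing required={info['signing_required']}"
              f" -> {assess_signing(info)}")
    print("hosts to fix:", audit_hosts(SAMPLE_CAPTURES))
```

Real responses come from sending an SMB2 NEGOTIATE request to TCP 445 and reading the reply; the parser above only needs the first 70 bytes. Every host on the `EXPOSED` list is a candidate relay target until the `RequireSecuritySignature` policy is enforced on it, and the same audit idea applies to LDAP signing and channel binding on the domain controllers.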

Flat networks don’t usually exist because of bad intentions; they exist because they’re convenient. Unfortunately, attackers love convenience.
You can have strong passwords, modern EDR, and good patching, but if your network is flat, a single mistake can still turn into full domain compromise. Segmentation isn’t about perfection; it’s about making sure one compromised system doesn’t become everyone’s problem.
