2025-12-13, Clappy Monkey Track
Most organisations assume IPv6 is “not in use.” In reality, it’s silently enabled on modern operating systems and creates an attack surface defenders rarely monitor.
In this 45-minute session, I’ll walk through the full IPv6 attack chain I’ve used in penetration testing engagements, from a single rogue packet to domain persistence. Using a pre-recorded demo, I’ll show how attackers spin up rogue DHCPv6/DNS servers, push malicious configurations, capture authentication traffic, and relay credentials into Active Directory. Abuse cases include credential relaying, domain machine joins, and Active Directory Certificate Services (ADCS) exploitation.
Then we’ll flip to the defender’s view. I’ll highlight Indicators of Compromise that signal rogue IPv6 activity, such as unexpected DNS/DHCPv6 advertisements and anomalous neighbour announcements, along with practical detection queries and hardening strategies for Windows-heavy environments.
IPv6 is quietly enabled by default across Windows environments, even when administrators believe they’re “IPv4 only.” This hidden surface can be weaponised by attackers to perform stealthy internal compromises that often bypass traditional monitoring.
This talk walks through how red teamers abuse IPv6 using tools like MITM6 and NTLMRelayX. We’ll start with a rogue DHCPv6/DNS server issuing malicious configurations to unsuspecting clients. From there, we’ll see how captured authentication traffic can be relayed into Active Directory for impact including credential relaying, information gathering, unauthorised domain machine joins, and Active Directory Certificate Services (ADCS) abuse.
A pre-recorded demo will show the attack chain in action, step by step. Then we’ll pivot to the blue team perspective, covering Indicators of Compromise defenders can hunt for: unexpected DNS advertisements, anomalous DHCPv6 traffic, and rogue neighbour announcements. Finally, we’ll look at practical mitigations for Windows-heavy networks, from tuning detection rules to disabling IPv6 where it’s not required.
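One detection check of the kind the blue-team section describes, added here as an example that is not part of the talk or its tooling: it parses DHCPv6 Advertise/Reply messages captured on the wire and flags any that hand out a DNS resolver outside an allowlist, which is what a rogue DHCPv6/DNS server does when it names itself as the resolver. The APPROVED_DNS allowlist, the server DUID and the two sample messages are constructed.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7                 # DHCPv6 server->client message types
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23   # RFC 8415 option codes
APPROVED_DNS = {ipaddress.IPv6Address("2001:db8:10::53")}  # constructed allowlist of resolvers

def parse_options(payload):
    """Split a DHCPv6 message's option area (code, length, data TLVs) into (code, data) pairs."""
    opts, off = [], 4                   # skip 1-byte msg-type + 3-byte transaction-id
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            break                       # truncated option: stop rather than misparse
        opts.append((code, payload[off:off + length]))
        off += length
    return opts

def dns_servers(opts):
    """Collect every IPv6 address carried in DNS_SERVERS options (16 bytes each)."""
    return [ipaddress.IPv6Address(data[i:i + 16])
            for code, data in opts if code == OPT_DNS_SERVERS
            for i in range(0, len(data) - 15, 16)]

def check_message(src, payload):
    """Return an alert line if a server message pushes an unapproved resolver, else None."""
    if not payload or payload[0] not in (ADVERTISE, REPLY):
        return None                     # client messages (Solicit, Request) are not of interest
    opts = parse_options(payload)
    rogue = [str(a) for a in dns_servers(opts) if a not in APPROVED_DNS]
    if not rogue:
        return None
    duid = next((d.hex() for c, d in opts if c == OPT_SERVERID), "?")
    kind = "ADVERTISE" if payload[0] == ADVERTISE else "REPLY"
    return f"rogue DHCPv6 {kind} from {src} server-duid={duid} dns={rogue}"

def build_msg(msg_type, dns, duid=b"\x00\x01\x00\x01" + b"\x00" * 10):
    """Constructed sample message: msg-type, txid, SERVERID and one DNS_SERVERS option."""
    return (bytes([msg_type]) + b"\x12\x34\x56"
            + struct.pack("!HH", OPT_SERVERID, len(duid)) + duid
            + struct.pack("!HH", OPT_DNS_SERVERS, 16) + ipaddress.IPv6Address(dns).packed)

# Constructed capture: one legitimate Reply, one rogue Advertise naming the sender as resolver.
SAMPLES = [("fe80::1", build_msg(REPLY, "2001:db8:10::53")),
           ("fe80::dead:beef", build_msg(ADVERTISE, "fe80::dead:beef"))]

def alerts(samples=SAMPLES):
    return [a for src, p in samples if (a := check_message(src, p))]
```

In a real deployment the payloads would come from a capture of UDP port 547 to 546 on the segment, and a server source address or DUID outside the allowlist is a second, independent indicator worth alerting on.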
Attendees will leave with a clear understanding of how IPv6 attacks work in practice, what traces they leave behind, and how to build effective detection and defence strategies against them.
Felix Meggison is a Red Team Operator with over six years of experience in offensive security, specialising in adversary emulation, Active Directory exploitation, and cloud-native attack simulation. He has led red team operations across multiple sectors, delivering realistic attack scenarios that test both technical controls and organisational resilience. Passionate about bridging the gap between red and blue teams, Felix often turns attack insights into practical detection strategies. His recent focus has been on IPv6-based internal attacks and their often-overlooked detection opportunities.
