Relaying Kerberos with MiTM6 - CVE-2025-20929
Author: The Weekly Purple Team
Uploaded: 2026-01-23
Views: 121
In this episode of Weekly Purple Team, we explore a critical flaw in Windows Kerberos client behavior that lets an attacker coerce any domain user into requesting Kerberos service tickets for attacker-chosen services. Using a modified version of the classic MiTM6 tool with added CNAME abuse capabilities, we demonstrate how DNS poisoning enables on-demand, cross-protocol relay attacks against SMB, HTTP, and other services, including against user accounts on default Windows configurations.
🔴 RED TEAM PERSPECTIVE:
Watch as we demonstrate the Kerberos CNAME abuse relay attack using MiTM6:
Leveraging MiTM6-Kerberos-CNAME-Abuse for DNS poisoning
Cross-protocol relay attacks (HTTP to ADCS, SMB relay, etc.)
ESC8 attack chain: MiTM6 DNS MITM → Kerberos relay → Certificate enrollment
Combining MiTM6 with krbrelayx.py for automated exploitation
🔵 BLUE TEAM DETECTION:
More importantly, we demonstrate defensive strategies to detect this technique:
Detecting DHCPv6 and Router Advertisement anomalies (MiTM6 indicators)
SIEM rules for detecting this at the host level
Jupyter notebook threat hunting workflows
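As an added illustration of the first detection point (it is not code from the video, from mitm6 or from the threat-hunting notebooks), the block below parses raw ICMPv6 Router Advertisements and DHCPv6 messages and raises an alert when an RA comes from a MAC that is not the authorized router or when an RA/DHCPv6 reply pushes a DNS server that is not on the allow-list. The packets, MAC addresses, IPv6 addresses and function names are all constructed for the example; the "rogue" packets follow the general shape a DHCPv6 spoofer produces (an RA with the Managed flag, then an Advertise naming the attacker as DNS server), which is an assumption about the tool, not a captured fingerprint.

```python
"""
Added example (not from the video): flag rogue Router Advertisements and
DHCPv6 replies of the kind a DHCPv6 spoofer such as mitm6 produces. The
packets below are constructed test data, not captures; MACs and addresses
are made up.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
ND_OPT_RDNSS = 25            # RFC 8106 recursive DNS server option
DHCPV6_ADVERTISE, DHCPV6_REPLY = 2, 7
DHCPV6_OPT_DNS_SERVERS = 23  # RFC 3646 DNS_SERVERS option


def _packed(addr):
    return ipaddress.IPv6Address(addr).packed


def _addr_list(data):
    """Split a blob of concatenated 16-byte IPv6 addresses into strings."""
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data) - 15, 16)]


def build_ra(managed, rdnss=()):
    """ICMPv6 RA: type, code, checksum (0 here), hop limit, flags, router
    lifetime, reachable, retrans; optional RDNSS option (reserved, lifetime, addrs)."""
    flags = 0x80 if managed else 0x00
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    if not rdnss:
        return hdr
    body = struct.pack("!HI", 0, 300) + b"".join(_packed(a) for a in rdnss)
    return hdr + struct.pack("!BB", ND_OPT_RDNSS, (2 + len(body)) // 8) + body


def build_dhcpv6(msg_type, xid, dns_servers):
    """DHCPv6 message: 1-byte type, 3-byte transaction id, then TLV options."""
    data = b"".join(_packed(a) for a in dns_servers)
    return (struct.pack("!B", msg_type) + xid.to_bytes(3, "big")
            + struct.pack("!HH", DHCPV6_OPT_DNS_SERVERS, len(data)) + data)


def parse_ra(payload):
    """Return {'managed': bool, 'rdnss': [addr, ...]} for an RA, else None."""
    typ, _code, _csum, _hop, flags, _life, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if typ != ICMPV6_ROUTER_ADVERT:
        return None
    info = {"managed": bool(flags & 0x80), "rdnss": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                      # malformed option; stop rather than loop forever
            break
        if otype == ND_OPT_RDNSS:          # addresses start after type, len, reserved, lifetime
            info["rdnss"] += _addr_list(payload[off + 8:off + olen * 8])
        off += olen * 8
    return info


def parse_dhcpv6(payload):
    """Return {'msg_type': int, 'dns_servers': [addr, ...]} for a DHCPv6 message."""
    info = {"msg_type": payload[0], "dns_servers": []}
    off = 4
    while off + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[off:off + 4])
        if code == DHCPV6_OPT_DNS_SERVERS:
            info["dns_servers"] += _addr_list(payload[off + 4:off + 4 + length])
        off += 4 + length
    return info


def detect_mitm6(packets, allowed_router_macs, allowed_dns):
    """Return alert strings for RA/DHCPv6 traffic that does not match policy.
    On a network with no IPv6 rollout both allow-lists are normally empty,
    so every RA and every DHCPv6 DNS offer becomes an alert."""
    allowed_dns = {str(ipaddress.IPv6Address(a)) for a in allowed_dns}
    alerts = []
    for pkt in packets:
        if pkt["proto"] == "icmpv6":
            ra = parse_ra(pkt["payload"])
            if ra is None:
                continue
            if pkt["src_mac"] not in allowed_router_macs:
                alerts.append(f"rogue RA from {pkt['src_mac']} (managed flag={ra['managed']})")
            for dns in ra["rdnss"]:
                if dns not in allowed_dns:
                    alerts.append(f"RA from {pkt['src_mac']} pushes DNS server {dns}")
        elif pkt["proto"] == "dhcpv6":
            msg = parse_dhcpv6(pkt["payload"])
            if msg["msg_type"] in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
                for dns in msg["dns_servers"]:
                    if dns not in allowed_dns:
                        alerts.append(f"DHCPv6 type {msg['msg_type']} from {pkt['src_mac']} offers DNS server {dns}")
    return alerts


# Constructed sample traffic: one RA from the real router, then an RA with the
# Managed flag and a DHCPv6 Advertise naming the attacker's link-local address
# as DNS server (assumed shape of rogue DHCPv6 server traffic, not a capture).
SAMPLE_PACKETS = [
    {"src_mac": "00:11:22:33:44:55", "proto": "icmpv6", "payload": build_ra(managed=False)},
    {"src_mac": "de:ad:be:ef:00:01", "proto": "icmpv6", "payload": build_ra(managed=True)},
    {"src_mac": "de:ad:be:ef:00:01", "proto": "dhcpv6",
     "payload": build_dhcpv6(DHCPV6_ADVERTISE, 0xABCDEF, ["fe80::dead:beef:0:1"])},
]

if __name__ == "__main__":
    for alert in detect_mitm6(SAMPLE_PACKETS, {"00:11:22:33:44:55"}, set()):
        print("ALERT:", alert)
```

The allow-lists are the policy: on a segment where IPv6 is not deployed, keep both empty and any RA or DHCPv6 DNS offer is an indicator; where IPv6 is deployed, populate them from the real routers and DNS servers so only the unexpected ones fire.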
Why This Matters:
MiTM6 has long been a powerful tool for IPv6-based network attacks. This modified version adds Kerberos CNAME abuse capabilities, making it even more dangerous. Unlike previous Kerberos relay techniques, which were limited to machine accounts or specific conditions, this method works reliably against user accounts in default Windows configurations. When a DNS query returns a CNAME record, the Windows Kerberos client follows the alias and builds the service principal name (SPN) in its TGS request from the CNAME target hostname rather than from the name the application asked for. An attacker holding a DNS man-in-the-middle position can therefore answer any lookup with a CNAME to a host of their choosing and have the victim request a service ticket for that host, which is what makes the resulting authentication relayable.
Key Takeaways:
✅ How MiTM6 enables IPv6-based network attacks
✅ Manipulating Kerberos authentication flows with crafted DNS CNAME responses
✅ Cross-protocol relay attack chains (DNS → Kerberos → ADCS)
✅ Detection strategies for MiTM6
Attack Chain Demonstrated:
MiTM6 DHCPv6/RA poisoning gives the attacker a DNS MITM position
The victim queries DNS for a legitimate service
MiTM6 responds with a CNAME pointing to the relay target
Windows follows the CNAME and requests a TGS for an SPN built from the target's hostname
The attacker relays the Kerberos authentication (e.g. with krbrelayx) to ADCS for certificate enrollment as the victim
Privilege escalation can now occur via the issued certificate, for example by authenticating as the victim with PKINIT
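To make the DNS side of the chain concrete (the poisoned answer and what the client derives from it), here is an added example that is not code from the video, from MITM6-Kerberos-CNAME-Abuse or from krbrelayx: it builds a wire-format DNS response in which the queried name is a CNAME to the relay target, then resolves it the way a CNAME-following client does and reports the SPN such a client would put in its TGS request. The hostnames `fileserver.corp.local` and `adcs01.corp.local`, the address `10.0.0.50` and all function names are assumptions for the illustration; how the real Windows client assembles the request beyond "SPN built from the canonical name", which is what the text above describes, is not modelled here.

```python
"""
Added example: how a poisoned DNS answer with a CNAME changes the SPN a
canonicalising Kerberos client asks for. Names, addresses and function names
are made up for the illustration; this is not mitm6 or krbrelayx code.
"""
import struct

QTYPE_A, QTYPE_CNAME = 1, 5


def encode_name(name):
    """Dotted hostname -> DNS wire-format labels (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg, off):
    """Read a wire-format name at `off`, following compression pointers.
    Returns (name, offset just past the name as it appeared in place)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_poisoned_response(txid, qname, alias_target, target_ip):
    """Attacker side: answer an A query for `qname` with
    `qname CNAME alias_target` followed by `alias_target A target_ip`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)   # QR=1, RD+RA, 1 question, 2 answers
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    rdata = encode_name(alias_target)
    rr_cname = encode_name(qname) + struct.pack("!HHIH", QTYPE_CNAME, 1, 60, len(rdata)) + rdata
    rr_a = rdata + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + bytes(int(o) for o in target_ip.split("."))
    return header + question + rr_cname + rr_a


def resolve(response, qname):
    """Client side: walk the answer section, follow the CNAME chain and
    return (canonical_name, ipv4_or_None) for `qname`."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4                                         # skip QTYPE + QCLASS
    cnames, addrs = {}, {}
    for _ in range(ancount):
        owner, off = decode_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_CNAME:
            cnames[owner.lower()] = decode_name(response, off)[0].lower()
        elif rtype == QTYPE_A:
            addrs[owner.lower()] = ".".join(str(b) for b in response[off:off + rdlen])
        off += rdlen
    name, seen = qname.lower(), set()
    while name in cnames and name not in seen:           # guard against CNAME loops
        seen.add(name)
        name = cnames[name]
    return name, addrs.get(name)


def spn_after_canonicalisation(service_class, qname, response):
    """The SPN a client that canonicalises via DNS puts in its TGS-REQ:
    built from the CNAME target, not from the name the user typed."""
    canonical, _ = resolve(response, qname)
    return f"{service_class}/{canonical}"


if __name__ == "__main__":
    # Constructed scenario: the victim wants \\fileserver, the attacker answers
    # with a CNAME to the ADCS host it intends to relay the authentication to.
    resp = build_poisoned_response(0x1234, "fileserver.corp.local", "adcs01.corp.local", "10.0.0.50")
    print(resolve(resp, "fileserver.corp.local"))
    print(spn_after_canonicalisation("cifs", "fileserver.corp.local", resp))
```

The point the example makes is that the service class the victim chose (`cifs`) is kept, but the host part comes from the CNAME target, so the ticket is for the attacker's chosen host; that is the precondition for relaying it on with krbrelayx.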
🔗 Resources:
MITM6-Kerberos-CNAME-Abuse Tool: https://github.com/BenZamir/MITM6-Ker...
Original MiTM6: https://github.com/dirkjanm/mitm6
Threat Hunting Notebooks: https://github.com/BriPwn/ThreatHunti...
Cymulate Blog Post: https://cymulate.com/blog/kerberos-au...
krbrelayx: https://github.com/dirkjanm/krbrelayx
Tools Used or Mentioned:
⚠️ Disclaimer:
This content is for educational and research purposes only. Always conduct security testing in authorized environments with proper permissions. Unauthorized access to computer systems is illegal.
#CyberSecurity #PurpleTeam #Kerberos #ActiveDirectory #ThreatDetection #DetectionEngineering #ADCS #RedTeam #BlueTeam #InfoSec #DNS #AuthenticationRelay #CVE202520929 #MiTM6
Chapters
00:00 Introduction
01:07 Executing MiTM6 and KrbRelayX
04:10 Detecting MiTM6 Usage
07:14 Outro