Domain Takeover Without Domain Admin Permissions

Joe Helle
The Mayor
4 min read, Jun 29, 2023


Introduction

About a year ago I was conducting an internal assessment, and it was clear that the network was vulnerable to man-in-the-middle attacks (in this case, IPv6 was vulnerable). Despite the network vulnerability, the client did a fairly decent job of limiting domain administrator usage across the network, and I wasn't relaying anything of value.

At some point ntlmrelayx started getting me excited by saying that user privileges were found, and that it would attempt to add a new user with enterprise…


Father | Husband | Army Veteran | Former Mayor | Chief Operating Officer | Red Team Lead | CISM | PNPT | OSCP | Retired Moonshiner | Twitter @joehelle