# MITM and coerced auths

In Active Directory domains, attackers often rely on coerced authentications and MitM (man-in-the-middle) techniques for lateral movement, especially when attempting authentication relaying attacks (e.g. [NTLM relay](broken://pages/PFGlaZOk9WQQxTsZmSJ0)) or when [abusing Kerberos delegations](/ad/movement/kerberos/delegations.md).

These techniques enable attackers to redirect traffic, or to redirect or force targets' authentications. In certain cases, attackers will then be able to capture credentials or relay authentications. I'm using "coerce" instead of "force" in this category's title since some techniques can rely on a bit of social engineering to work.

There are many ways attackers can perform MitM attacks or redirect/force targets' authentications, most of which can be combined for maximum impact (and minimum stealth).

{% hint style="danger" %}
**This page is a work-in-progress**
{% endhint %}

| MITM Technique | [ADIDNS](/ad/movement/mitm-and-coerced-authentications/adidns-spoofing.md) | [LLMNR](/ad/movement/mitm-and-coerced-authentications/llmnr-nbtns-mdns-spoofing.md) | [NBNS](/ad/recon/network/nbt-ns.md) | [DHCPv6](/ad/movement/mitm-and-coerced-authentications/dhcpv6-spoofing.md) | [ARP](/ad/movement/mitm-and-coerced-authentications/arp-poisoning.md) | [DNS](/ad/movement/mitm-and-coerced-authentications/dns-spoofing.md) | [WPAD](/ad/movement/mitm-and-coerced-authentications/wpad-spoofing.md) | [PrinterBug](broken://pages/sbHEBTh7GvLgHedLOgWJ) | [PrivExchange](/ad/movement/mitm-and-coerced-authentications/pushsubscription-abuse.md) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Can require waiting for replication/syncing | x | | | | | | | | |
| Easy to start and stop attacks | | x | x | takes \~5 minutes to revert | revert time depends on the targets' ARP cache timeout (usually \~60 sec) | x | x | x | x |
| Exploitable when default settings are present | x | x | x | x | x | x | x | x | up to 2019 |
| Impacts fully qualified name requests | x | not if a wildcard ADIDNS record exists | not if a wildcard ADIDNS record exists | x | | x | | | |
| Requires constant network traffic for spoofing | | x | x | x | x | x | x | | |
| Requires domain credentials | x | | | | | | | x | requires an email-capable account |
| Requires editing AD | x | | | | | | | | |
| Requires privileged access to launch attack from a compromised system | | x | | | x | x | | | |
| Targets limited to the same network segment as the attacker | | x | x | x | x | | | x | x |
| Disruption | low | low | low | low to high | low to high | low to high | low to high | none | none |
