December 2, 2022

TheCyberThrone

Thinking Security ! Always

DFSCoerce – NTLM Relay Attack

Researchers has published a new DFSCoerce Windows NTLM relay attack that uses MS-DFSNM (Microsoft’s Distributed File System) to take over Windows domains.

Microsoft Active Directory Certificate Services (ADCS) is a public key infrastructure (PKI) service typically used to authenticate users, services and devices on a given Windows domain.

Advertisements

By using the flaw it is possible to deploy NTLM relay attacks to force a domain controller to authenticate against a malicious NTLM relay under an attacker’s control. Subsequently it will relay the authentication request to a domain’s ADCS via HTTP and obtain a Kerberos ticket-granting ticket (TGT), allowing them to impersonate any device on the network.

By assuming the identity of a domain controller, which normally has elevated privileges, attackers could then execute arbitrary commands. To force a remote server to authenticate against a malicious NTLM relay, numerous methods are there and this vulnerability is one of them.

The PoC script is reportedly based on the PetitPotam exploit, but instead of using the MS-EFSRPC protocol, it relies on the MS-DFSNM, which allows the Windows DFS to be managed over an RPC interface.

Even though the attacks are similar enough, following Microsoft’s advisory for PetitPotam may mitigate the severity of the flaw discovered by researchers.

Advertisements

The possible mitigation strategies include enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on ADCS servers.

This research/vulnerability was discovered by security researcher Filip Dragovic

%d bloggers like this: