New DFSCoerce NTLM Relay Attack Enables Windows Domain Takeover

A new DFSCoerce Windows NTLM relay attack has been discovered that uses Microsoft’s distributed file system MS-DFSNM to completely take over a Windows domain.

Many organizations use Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service that is used to authenticate users, services, and devices on a Windows domain.

However, this service is vulnerable to NTLM relay attacks, in which threat actors force or coerce a domain controller into authenticating to a malicious NTLM relay server under the attacker's control.

This malicious server then forwards, or relays, the authentication request to the domain's Active Directory Certificate Services over HTTP and ultimately obtains a Kerberos ticket-granting ticket (TGT). This ticket lets the threat actors assume the identity of any device on the network, including a domain controller.

Once they impersonate a domain controller, the attackers hold elevated privileges that let them take over the domain and execute any command.

To coerce a remote server into authenticating against a malicious NTLM relay, threat actors can use several methods, including the MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP protocols.

While Microsoft has patched some of these protocols to prevent unauthenticated coercion, bypasses are often found that allow the protocols to continue to be exploited.

A New MS-DFSNM NTLM Relay Attack

This week, security researcher Filip Dragovic released a proof-of-concept script for a new NTLM relay attack called 'DFSCoerce', which uses Microsoft's Distributed File System protocol (MS-DFSNM) to relay authentication against an arbitrary server.

The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed through an RPC interface.

[Image: tweet from Filip Dragovic announcing the DFSCoerce proof of concept]

Security researchers who tested the new NTLM relay attack told BleepingComputer that a user with limited access to a Windows domain can easily become a domain administrator.

Researchers tell BleepingComputer that the best way to prevent these types of attacks is to follow Microsoft's advice on mitigating the PetitPotam NTLM relay attack.

These mitigations include disabling NTLM on domain controllers and enabling Extended Protection for Authentication (EPA) and signing features, such as SMB signing, to protect Windows credentials.

Other mitigation methods include using the built-in RPC filters or an RPC firewall to prevent servers from being coerced through the MS-DFSNM protocol.

However, it is currently unknown whether blocking the DFS RPC connection would cause problems on a network.
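As an added example (not part of the article, and not Microsoft's or the researcher's code), the PowerShell script below audits a domain controller or AD CS host for the mitigations listed above without changing anything, so it can be run before deciding whether to add the DFS RPC filter whose side effects the article notes are unknown. It assumes the standard registry values behind the "Restrict NTLM: Incoming NTLM traffic" and "Digitally sign communications" policies, that the AD CS web enrollment site lives at the default `Default Web Site/CertSrv` IIS path, and that the MS-DFSNM RPC interface is identified by the netdfs interface UUID `4fc742e0-4a10-11cf-8273-00aa004ae673`; all of these are assumptions about a typical deployment, not values taken from the page.

```powershell
# Added example: read-only audit of DFSCoerce/PetitPotam-style relay mitigations.
# Run in an elevated PowerShell session on the DC or AD CS host being checked.
# Assumed: standard policy-backing registry values, default CertSrv site path,
# and the netdfs interface UUID for MS-DFSNM.

$findings = @()

# Compare one registry value against its expected hardened setting.
function Test-RegistryValue($Path, $Name, $Expected, $Description) {
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Check    = $Description
        Actual   = $actual
        Expected = $Expected
        Pass     = ($actual -eq $Expected)
    }
}

# 1. NTLM disabled on the DC: "Restrict NTLM: Incoming NTLM traffic" = Deny all (value 2).
$findings += Test-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    'RestrictReceivingNTLMTraffic' 2 'Incoming NTLM traffic denied on this host'

# 2. SMB signing required on the server side (value 1).
$findings += Test-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    'RequireSecuritySignature' 1 'SMB server signing required'

# 3. Extended Protection for Authentication on the AD CS web enrollment site.
#    Only meaningful on a host that actually runs IIS with the CertSrv application.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name extendedProtection -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check    = 'EPA on CertSrv (tokenChecking)'
        Actual   = $epa.tokenChecking
        Expected = 'Require'
        Pass     = ($epa.tokenChecking -eq 'Require')
    }
}

# 4. An RPC filter that references the MS-DFSNM (netdfs) interface UUID.
$dfsnmUuid = '4fc742e0-4a10-11cf-8273-00aa004ae673'   # assumed netdfs interface UUID
$filterDump = netsh rpc filter show filter 2>$null
$filterHit  = [bool]($filterDump -match $dfsnmUuid)
$findings += [pscustomobject]@{
    Check    = 'RPC filter present for MS-DFSNM interface'
    Actual   = $filterHit
    Expected = $true
    Pass     = $filterHit
}

# Report: any row with Pass = False is a mitigation from the article that is not in place.
$findings | Format-Table -AutoSize
```

The script only reads configuration; it does not add the RPC filter itself, because the article points out that blocking the DFS RPC interface may break DFS management on some networks, so that change belongs in a tested change window rather than in an audit script.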

BleepingComputer has contacted Microsoft to find out if they plan to patch this new vector and will update the article with their response.

