Security researcher Filip Dragovic published a new DFSCoerce Windows NTLM relay attack that takes advantage of MS-DFSNM (Microsoft’s Dispersed File System) to get more than Windows domains.
Dragovic unveiled the script on Twitter on Saturday, together with a link to a GitHub page detailing his findings.
For context, Microsoft Lively Directory Certification Services (ADCS) is a community essential infrastructure (PKI) assistance usually utilised to authenticate users, services and equipment on a offered Windows area.

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The flaw learned by Dragovic can make it attainable to deploy NTLM relay attacks to pressure a domain controller to authenticate versus a malicious NTLM relay underneath an attacker’s manage.
The malicious server would subsequently relay the authentication request to a domain’s ADCS via HTTP and obtain a Kerberos ticket-granting ticket (TGT), permitting them to impersonate any system on the network.
If menace actors would assume the identification of a domain controller, which generally has elevated privileges, they could then execute arbitrary instructions.
There are many approaches to drive a distant server to authenticate towards a destructive NTLM relay, and the vulnerability Dragovic uncovered is just one of them.
“Spooler provider disabled, RPC filters put in to reduce PetitPotam and File Server VSS Agent Service not set up but you nevertheless want to relay DC authentication to ADCS Don’t be concerned MS-DFSNM have your again ),” the security researcher wrote in his tweet.
The proof-of-principle script is reportedly based mostly on the PetitPotam exploit, but as a substitute of working with the MS-EFSRPC protocol, it depends on the MS-DFSNM, which lets the Windows DFS to be managed above an RPC interface.
Nevertheless, because the attacks are equivalent sufficient, subsequent Microsoft’s advisory for PetitPotam may mitigate the severity of the flaw uncovered by Dragovic.
In accordance to the document, doable mitigation approaches involve enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on ADCS servers.
Infosecurity Magazine has achieved out to Microsoft to inquire about a DFSCoerce-certain patch and will update this article with any additional opinions from the company.
Some parts of this post are sourced from:
www.infosecurity-magazine.com