New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover

Security researcher Filip Dragovic published a new DFSCoerce Windows NTLM relay attack that takes advantage of MS-DFSNM (Microsoft’s Dispersed File System) to get more than Windows domains.

Dragovic unveiled the script on Twitter on Saturday, together with a link to a GitHub page detailing his findings.

For context, Microsoft Lively Directory Certification Services (ADCS) is a community essential infrastructure (PKI) assistance usually utilised to authenticate users, services and equipment on a offered Windows area.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

The flaw learned by Dragovic can make it attainable to deploy NTLM relay attacks to pressure a domain controller to authenticate versus a malicious NTLM relay underneath an attacker’s manage.

The malicious server would subsequently relay the authentication request to a domain’s ADCS via HTTP and obtain a Kerberos ticket-granting ticket (TGT), permitting them to impersonate any system on the network.

If menace actors would assume the identification of a domain controller, which generally has elevated privileges, they could then execute arbitrary instructions.

There are many approaches to drive a distant server to authenticate towards a destructive NTLM relay, and the vulnerability Dragovic uncovered is just one of them.

“Spooler provider disabled, RPC filters put in to reduce PetitPotam and File Server VSS Agent Service not set up but you nevertheless want to relay DC authentication to ADCS Don’t be concerned MS-DFSNM have your again ),” the security researcher wrote in his tweet.

The proof-of-principle script is reportedly based mostly on the PetitPotam exploit, but as a substitute of working with the MS-EFSRPC protocol, it depends on the MS-DFSNM, which lets the Windows DFS to be managed above an RPC interface.

Nevertheless, because the attacks are equivalent sufficient, subsequent Microsoft’s advisory for PetitPotam may mitigate the severity of the flaw uncovered by Dragovic.

In accordance to the document, doable mitigation approaches involve enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on ADCS servers.

Infosecurity Magazine has achieved out to Microsoft to inquire about a DFSCoerce-certain patch and will update this article with any additional opinions from the company.