• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
Cyber Security News

New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover

You are here: Home / General Cyber Security News / New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover
June 21, 2022

Security researcher Filip Dragovic published a new DFSCoerce Windows NTLM relay attack that takes advantage of MS-DFSNM (Microsoft’s Dispersed File System) to get more than Windows domains.

Dragovic unveiled the script on Twitter on Saturday, together with a link to a GitHub page detailing his findings.

For context, Microsoft Lively Directory Certification Services (ADCS) is a community essential infrastructure (PKI) assistance usually utilised to authenticate users, services and equipment on a offered Windows area.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


The flaw learned by Dragovic can make it attainable to deploy NTLM relay attacks to pressure a domain controller to authenticate versus a malicious NTLM relay underneath an attacker’s manage.

The malicious server would subsequently relay the authentication request to a domain’s ADCS via HTTP and obtain a Kerberos ticket-granting ticket (TGT), permitting them to impersonate any system on the network.

If menace actors would assume the identification of a domain controller, which generally has elevated privileges, they could then execute arbitrary instructions.

There are many approaches to drive a distant server to authenticate towards a destructive NTLM relay, and the vulnerability Dragovic uncovered is just one of them.

“Spooler provider disabled, RPC filters put in to reduce PetitPotam and File Server VSS Agent Service not set up but you nevertheless want to relay DC authentication to ADCS Don’t be concerned MS-DFSNM have your again ),” the security researcher wrote in his tweet.

The proof-of-principle script is reportedly based mostly on the PetitPotam exploit, but as a substitute of working with the MS-EFSRPC protocol, it depends on the MS-DFSNM, which lets the Windows DFS to be managed above an RPC interface.

Nevertheless, because the attacks are equivalent sufficient, subsequent Microsoft’s advisory for PetitPotam may mitigate the severity of the flaw uncovered by Dragovic.

In accordance to the document, doable mitigation approaches involve enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on ADCS servers.

Infosecurity Magazine has achieved out to Microsoft to inquire about a DFSCoerce-certain patch and will update this article with any additional opinions from the company.


Some parts of this post are sourced from:
www.infosecurity-magazine.com

Previous Post: «Cyber Security News Cloudflare Outage Knocks Hundreds of Websites Offline

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover
  • Cloudflare Outage Knocks Hundreds of Websites Offline
  • #InfosecurityEurope2022 Defense Looks to Bring Cyber Into the Mainstream
  • Delivery firm Yodel disrupted by cyber attack
  • Ransomware: Payment Decisions Finely Balanced
  • BRATA malware has evolved to target online banking across Europe, researchers warn
  • New ToddyCat Hacker Group on Experts’ Radar After Targeting MS Exchange Servers
  • Kazakh Govt. Used Spyware Against Protesters
  • Avira Free Security review: An effective antimalware suite, but heavy on the marketing
  • Researchers Disclose 56 Vulnerabilities Impacting OT Devices from 10 Vendors

Copyright © TheCyberSecurity.News, All Rights Reserved.