Security researcher Filip Dragovic published a new DFSCoerce Windows NTLM relay attack that takes advantage of MS-DFSNM (Microsoft’s Dispersed File System) to get more than Windows domains.
Dragovic unveiled the script on Twitter on Saturday, together with a link to a GitHub page detailing his findings.
For context, Microsoft Lively Directory Certification Services (ADCS) is a community essential infrastructure (PKI) assistance usually utilised to authenticate users, services and equipment on a offered Windows area.
The flaw learned by Dragovic can make it attainable to deploy NTLM relay attacks to pressure a domain controller to authenticate versus a malicious NTLM relay underneath an attacker’s manage.
The malicious server would subsequently relay the authentication request to a domain’s ADCS via HTTP and obtain a Kerberos ticket-granting ticket (TGT), permitting them to impersonate any system on the network.
If menace actors would assume the identification of a domain controller, which generally has elevated privileges, they could then execute arbitrary instructions.
There are many approaches to drive a distant server to authenticate towards a destructive NTLM relay, and the vulnerability Dragovic uncovered is just one of them.
“Spooler provider disabled, RPC filters put in to reduce PetitPotam and File Server VSS Agent Service not set up but you nevertheless want to relay DC authentication to ADCS Don’t be concerned MS-DFSNM have your again ),” the security researcher wrote in his tweet.
The proof-of-principle script is reportedly based mostly on the PetitPotam exploit, but as a substitute of working with the MS-EFSRPC protocol, it depends on the MS-DFSNM, which lets the Windows DFS to be managed above an RPC interface.
Nevertheless, because the attacks are equivalent sufficient, subsequent Microsoft’s advisory for PetitPotam may mitigate the severity of the flaw uncovered by Dragovic.
In accordance to the document, doable mitigation approaches involve enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on ADCS servers.
Infosecurity Magazine has achieved out to Microsoft to inquire about a DFSCoerce-certain patch and will update this article with any additional opinions from the company.
Some parts of this post are sourced from: