A new Windows NTLM relay attack, DFSCoerce, has been observed abusing the Microsoft Distributed File System Namespace Management protocol (MS-DFSNM). The goal of this attack is to completely take over a Windows domain.
DFSCoerce: An NTLM relay attack
- A researcher released a proof-of-concept script for a new NTLM relay attack named DFSCoerce. The attack uses the MS-DFSNM protocol to coerce a host into authenticating to an arbitrary server.
- The DFSCoerce script is based on the PetitPotam exploit but uses MS-DFSNM instead of MS-EFSRPC. MS-DFSNM is the protocol used to manage Windows DFS namespaces.
How does the attack work?
For this attack, researchers abused Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure service used to authenticate services, users, and devices on a Windows domain.
- This service is exposed to NTLM relay attacks, in which attackers force a domain controller to authenticate to a malicious NTLM relay server.
- The malicious server then relays (forwards) the authentication request over HTTP to the domain's Active Directory Certificate Services and obtains a Kerberos ticket-granting ticket (TGT).
- This ticket allows the attackers to assume the identity of any device on the network, including a domain controller. From there, they elevate privileges to take over the domain and run any command.
Conclusion
Microsoft has patched some of these protocols to stop unauthenticated takeovers, though attackers continue to find bypasses. The best way to stop such attacks is to follow the guidelines in the advisory released by Microsoft. In addition, it is recommended to use the built-in Windows RPC Filters or an RPC firewall to protect servers from this kind of coercion.
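As a worked illustration of the RPC Filter mitigation mentioned above, the PowerShell script below is an added example and is not part of the original article, the Microsoft advisory, or the DFSCoerce proof-of-concept. It registers a user-mode RPC filter with the built-in netsh rpc filter commands that blocks calls to the MS-DFSNM (netdfs) interface, the protocol DFSCoerce abuses. The interface UUID used here is the well-known netdfs interface identifier from the MS-DFSNM specification and is an assumption not stated in the article; the function names are this example's own.

```powershell
# Added example (not from the article): block the MS-DFSNM (netdfs) RPC
# interface with a Windows RPC filter so a coercion call cannot reach the
# DFS Namespace Management service on this host.
# Run from an elevated PowerShell prompt on the server you want to protect.
# Assumptions not stated in the article: the netdfs interface UUID below,
# and that this host does not need to serve DFS namespace management calls.

$DfsnmUuid = '4fc742e0-4a10-11cf-8273-00aa004ae673'   # MS-DFSNM (netdfs) interface UUID (assumed)

function Add-DfsnmBlockFilter {
    # One user-mode (layer=um) filter with a single condition:
    # if the called interface is netdfs, block the call.
    netsh rpc filter add rule layer=um actiontype=block | Out-Null
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$DfsnmUuid | Out-Null
    netsh rpc filter add filter | Out-Null
}

function Show-RpcFilters {
    # Lists the installed RPC filters together with their filterKey values.
    netsh rpc filter show filter
}

function Test-DfsnmBlocked {
    # Post-check: the installed filter listing should now contain the netdfs UUID.
    # PowerShell's -match is case-insensitive, so the listing's casing does not matter.
    $listing = (netsh rpc filter show filter) -join "`n"
    return [bool]($listing -match $DfsnmUuid)
}

function Remove-RpcFilter {
    # Roll back a filter using the filterKey shown by Show-RpcFilters.
    param([Parameter(Mandatory)][string]$FilterKey)
    netsh rpc filter delete filter filterkey=$FilterKey
}

Add-DfsnmBlockFilter
if (Test-DfsnmBlocked) {
    Write-Host 'MS-DFSNM (netdfs) interface is now blocked by an RPC filter.'
} else {
    Write-Warning 'RPC filter was not installed; check that the prompt is elevated.'
}
Show-RpcFilters
```

The filter blocks every caller of the netdfs interface on the host where it is installed, so DFS namespace management (for example the DFS Management console or dfsutil targeting that server) stops working there. Test it on a server that does not host DFS namespaces first, record the filterKey printed by Show-RpcFilters, and use Remove-RpcFilter to roll back if legitimate administration breaks.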