New NTLM Relay Attack Allows Attackers to Take Control of Windows Domain
A new Windows authentication coercion technique, dubbed DFSCoerce, has been disclosed. It abuses the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to force a domain controller to authenticate to a host the attacker controls, so that the resulting NTLM authentication can be relayed, for example to Active Directory Certificate Services (AD CS), to gain control of the domain.
“Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay [Domain Controller] authentication to [Active Directory Certificate Services]? Don’t worry, MS-DFSNM has (sic) your back”, security researcher Filip Dragovic said in a tweet.
MS-DFSNM provides a remote procedure call (RPC) interface, reachable over the \PIPE\netdfs named pipe, for administering DFS namespace configurations. DFSCoerce calls namespace-management methods of that interface (the public proof of concept uses NetrDfsAddStdRoot and NetrDfsRemoveStdRoot) with a server name that points at the attacker's host; the domain controller tries to reach that host and authenticates to it with its machine account. Unlike PetitPotam, the call requires an authenticated domain user, but any low-privileged account will do.
The NTLM (NT LAN Manager) relay attack is a well-known technique that abuses the protocol's challenge-response design: NTLM does not bind an authentication to the server the client intended to reach, so an attacker who can get a victim to authenticate to a host they control can forward the NEGOTIATE, CHALLENGE and AUTHENTICATE messages to a different server and be granted the victim's access there, without ever learning the victim's password. In Active Directory environments this is a reliable foothold, and when the coerced victim is a domain controller's machine account it can lead to takeover of the domain.
DFSCoerce’s discovery follows a similar technique called PetitPotam, which abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows servers, including domain controllers, into authenticating to a relay under the control of an attacker, allowing the attacker to potentially take control of an entire domain.
“By relaying an NTLM authentication request from a domain controller to the CA web enrollment or certificate enrollment web service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller”, the CERT Coordination Center (CERT/CC) noted, detailing the chain of attack.
To mitigate NTLM relay attacks, Microsoft recommends enabling Extended Protection for Authentication (EPA) and disabling HTTP (requiring HTTPS) on the AD CS web enrollment endpoints, or disabling NTLM authentication there altogether, and enforcing SMB signing. These settings protect the relay targets; they do not stop the coercion itself. The MS-DFSNM coercion can be blocked at its source with an RPC filter (netsh rpc filter) that denies calls to interface UUID 4fc742e0-4a10-11cf-8273-00aa004ae673, the same approach already used against PetitPotam, at the cost of remote DFS namespace management on the filtered host.
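The following added example is not code from the original article, from the DFSCoerce tool or from Microsoft; it is a constructed Python model of the three-message NTLM exchange described above (NEGOTIATE, CHALLENGE, AUTHENTICATE) and of the two mitigations recommended here. It shows why a relay succeeds against an unprotected AD CS endpoint, why EPA channel binding makes the target reject the relayed AUTHENTICATE, and why SMB signing leaves a relay unable to sign even after a successful authentication. The hash functions are an assumption for portability: MD4 and HMAC-MD5 are replaced by SHA-256 and HMAC-SHA256, so the bytes are not wire-accurate, but the message flow and the checks are faithful to the real protocol. Host and account names are made up.

```python
"""Toy model of an NTLM relay and of the two mitigations that defeat it.

Constructed illustration, not wire-accurate NTLM: MD4/HMAC-MD5 are replaced by
SHA-256/HMAC-SHA256 so the script runs on any Python 3 without OpenSSL's legacy
provider. Message flow and verification logic follow the real protocol.
"""
import hashlib
import hmac
import os


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """Per-user key derived from the password (stands in for NTOWFv2)."""
    nt_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"),
                    hashlib.sha256).digest()


def channel_binding(server_cert: bytes) -> bytes:
    """EPA channel binding: hash of the TLS certificate the client actually connected to."""
    return hashlib.sha256(server_cert).digest()


class Client:
    """The coerced party, e.g. a domain controller's machine account."""

    def __init__(self, user: str, domain: str, password: str):
        self.user, self.domain = user, domain
        self.key = ntowf_v2(password, user, domain)

    def authenticate(self, challenge: bytes, seen_cert: bytes, use_epa: bool) -> dict:
        """Build AUTHENTICATE for the endpoint we believe we are talking to."""
        cbt = channel_binding(seen_cert) if use_epa else b"\x00" * 32
        blob = os.urandom(8) + cbt  # client nonce + channel binding (real NTLMv2: AV_PAIR list)
        nt_proof = hmac.new(self.key, challenge + blob, hashlib.sha256).digest()
        return {"user": self.user, "domain": self.domain, "nt_proof": nt_proof, "blob": blob}


class Server:
    """The relay target, e.g. the AD CS web enrollment endpoint or an SMB share."""

    def __init__(self, cert: bytes, users: dict, require_epa: bool, require_signing: bool):
        self.cert, self.users = cert, users
        self.require_epa, self.require_signing = require_epa, require_signing

    def challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, challenge: bytes, auth: dict):
        """Return the session key on success, None on failure."""
        key = self.users.get((auth["user"], auth["domain"]))
        if key is None:
            return None
        expected = hmac.new(key, challenge + auth["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth["nt_proof"]):
            return None
        if self.require_epa and auth["blob"][8:] != channel_binding(self.cert):
            return None  # client bound its response to a different endpoint: it was relayed
        # Session key: only derivable by someone holding the user's key, never by a relay.
        return hmac.new(key, auth["nt_proof"], hashlib.sha256).digest()

    def check_signature(self, session_key: bytes, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(hmac.new(session_key, msg, hashlib.sha256).digest(), sig)


def direct_login(client: Client, server: Server, use_epa: bool) -> bool:
    """Legitimate authentication straight to the server, no relay in the path."""
    chal = server.challenge()
    auth = client.authenticate(chal, server.cert, use_epa)
    return server.verify(chal, auth) is not None


def relay_attack(client: Client, target: Server, attacker_cert: bytes, use_epa: bool) -> str:
    """Coerced client connects to the attacker, who forwards every message to the target.

    Returns "relay succeeded", "rejected (EPA)" or "authenticated but cannot sign".
    """
    chal = target.challenge()  # attacker forwards NEGOTIATE to target, receives its CHALLENGE
    auth = client.authenticate(chal, attacker_cert, use_epa)  # client answers the forwarded challenge
    session_key = target.verify(chal, auth)  # attacker forwards AUTHENTICATE unchanged
    if session_key is None:
        return "rejected (EPA)"
    if target.require_signing:
        # The relay knows nt_proof but not the user's key, so it can only guess the session key.
        guess = hmac.new(auth["nt_proof"], auth["nt_proof"], hashlib.sha256).digest()
        msg = b"write \\\\dc01\\C$\\payload"
        forged_sig = hmac.new(guess, msg, hashlib.sha256).digest()
        if not target.check_signature(session_key, msg, forged_sig):
            return "authenticated but cannot sign"
    return "relay succeeded"


if __name__ == "__main__":
    dc = Client("DC01$", "CORP", "machine-account-secret")  # constructed account
    users = {("DC01$", "CORP"): ntowf_v2("machine-account-secret", "DC01$", "CORP")}
    adcs_cert, attacker_cert = b"adcs-web-enrollment-cert", b"attacker-cert"
    for epa, signing in ((False, False), (True, False), (False, True)):
        target = Server(adcs_cert, users, require_epa=epa, require_signing=signing)
        print(f"EPA={epa} signing={signing}: {relay_attack(dc, target, attacker_cert, epa)}")
```

The third case is why "SMB signing" appears alongside EPA in the recommendation: signing does not stop the relay from authenticating, it stops the relayed session from being useful, because the session key is derived from the user's secret and the relay never holds it. EPA is the stronger fix for HTTP endpoints such as AD CS web enrollment, since it makes the target reject the relayed AUTHENTICATE outright.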