New NTLM relay attack allows attackers to hijack Windows domains


“Print Manager is disabled, RPC filters are ready to prevent PetitPotam, shadow copy service is disabled, but do you still want to use Active Directory Domain Services authentication for a domain controller? Don’t worry, MS-DFSNM will have your back”, wrote information security specialist Filip Dragovic on Twitter, where he published a proof-of-concept script called “DFSCoerce” for an NTLM relay attack. The script uses the Microsoft Distributed File System (MS-DFSNM) protocol to make a domain controller send NTLM authentication to an arbitrary server, which may allow attackers to take control of the victim’s Windows domain.

The discovery of DFSCoerce follows a similar attack, PetitPotam, which also allowed attackers to take control of a Windows domain.

“By transmitting an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or Certificate Enrollment Web Service in the Active Directory Certificate Services (AD CS) system, an attacker can obtain a certificate, which is then used to obtain a Ticket Granting Ticket (TGT) from a domain controller”, noted the CERT Coordination Center (CERT/CC) in its detailed analysis of DFSCoerce.

Experts interviewed by BleepingComputer confirmed that DFSCoerce allows an attacker with low-level access to become a Windows domain administrator. According to the experts, the best ways to protect against DFSCoerce are:

  • Using Extended Protection for Authentication (EPA);

  • Enabling SMB signing;

  • Disabling HTTP on AD CS servers;

  • Disabling NTLM on domain controllers.
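The following audit script, added here as an example and not part of the article or of the DFSCoerce tool, checks whether the four hardening settings listed above are in place on the local host. The registry paths and the IIS location of the AD CS web enrollment application (“CertSrv” under “Default Web Site”) are assumptions about a default installation; adjust them for your environment.

```powershell
# Added example: audits the DFSCoerce/PetitPotam hardening settings on this host.
# Assumptions: default AD CS web enrollment site layout, default registry locations.
#Requires -RunAsAdministrator

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (policy never configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. SMB signing: a relayed SMB session fails when the server requires signing.
$smb = Get-SmbServerConfiguration
$findings += [pscustomobject]@{
    Check  = 'SMB signing required'
    Value  = $smb.RequireSecuritySignature
    Status = if ($smb.RequireSecuritySignature) { 'OK' } else { 'WEAK' }
}

# 2. NTLM restrictions ("Network security: Restrict NTLM" policies).
#    A value of 2 means "Deny all" for incoming/outgoing NTLM on this host.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
foreach ($n in 'RestrictReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic') {
    $v = Get-RegValue $lsa $n
    $findings += [pscustomobject]@{ Check = $n; Value = $v; Status = if ($v -eq 2) { 'OK' } else { 'WEAK' } }
}

# 3./4. AD CS web enrollment: no plain-HTTP binding, and EPA must be required.
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $httpBinding = Get-WebBinding -Name 'Default Web Site' -Protocol 'http'
    $findings += [pscustomobject]@{
        Check = 'No HTTP binding on AD CS site'; Value = [bool]$httpBinding
        Status = if ($httpBinding) { 'WEAK' } else { 'OK' }
    }
    # Assumed location of the web enrollment app; tokenChecking = Require enables EPA.
    $epa = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' -Location 'CertSrv' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking'
    $epaValue = if ($null -ne $epa.Value) { "$($epa.Value)" } else { "$epa" }
    $findings += [pscustomobject]@{
        Check = 'EPA (tokenChecking) on /CertSrv'; Value = $epaValue
        Status = if ($epaValue -eq 'Require') { 'OK' } else { 'WEAK' }
    }
}

$findings | Format-Table -AutoSize
```

Run it on the AD CS server and on each domain controller; any row marked WEAK is a setting the experts above recommend changing.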
