DFSCoerce, a new Windows NTLM relay attack


Although it is prone to vulnerabilities and is being replaced with Kerberos, NTLM (New Technology LAN Manager) refuses to die, mainly because organizations are maintaining compatibility with legacy clients and servers.
And that is a good thing for hackers and security researchers like Infigo’s Filip Dragovic.

Filip has discovered a new way to take over Windows domains. Dubbed DFSCoerce, the attack uses the MS-DFSNM (Distributed File System: Namespace Management) protocol to seize control of a Windows domain. Hackers and admins certainly know of PetitPotam, which does a similar thing to DFSCoerce but over the MS-EFSRPC protocol.
DFSCoerce will enable the attacker to become a domain admin starting with just a user with limited access to a Windows domain. If you’re interested in a proof of concept, you can check it out on Filip’s GitHub.

Microsoft says that DFSCoerce “requires an already-authenticated user account and we recommend customers use best security practices, such as enabling multi-factor authentication and installing all available security updates as soon as possible.” There is also an official Microsoft writeup from when PetitPotam first hit, and it should still be relevant.