burberryfly / windows-coerced-authentication-methods

This repository contains a list of many methods to coerce a windows machine to authenticate to an attacker-controlled machine.

All of these methods are callable by a standard user in the domain to force the machine account of the target Windows machine (usually a domain controller) to authenticate to an arbitrary target. The root cause of this "vulnerability/feature" in each of these methods is that Windows machines automatically authenticate to other machines when trying to access UNC paths (like \\192.168.2.1\SYSVOL\file.txt).

There is currently 15 known methods in 5 protocols.

🎉 A lot of new methods are yet to be tested, if you want to try them: possible-working-calls This list will be triaged over time, eventhough I automated most of the work and autogenerated python proof of concept for each call, it takes time to triage these 240+ RPC calls. I can't release more before my talk at BlackHat Europe if the CFP is accepted, but there is way more incomming. 👀

• [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol

  • Remote call to NetrDfsAddStdRoot (opnum 12)
  • Remote call to NetrDfsRemoveStdRoot (opnum 13)

• [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol

  • Remote call to EfsRpcOpenFileRaw (opnum 0)
  • Remote call to EfsRpcEncryptFileSrv (opnum 4)
  • Remote call to EfsRpcDecryptFileSrv (opnum 5)
  • Remote call to EfsRpcQueryUsersOnFile (opnum 6)
  • Remote call to EfsRpcQueryRecoveryAgents (opnum 7)
  • Remote call to EfsRpcFileKeyInfo (opnum 12)
  • Remote call to EfsRpcDuplicateEncryptionInfoFile (opnum 13)
  • Remote call to EfsRpcAddUsersToFileEx (opnum 15)

• [MS-FSRVP]: File Server Remote VSS Protocol

  • Remote call to IsPathSupported (opnum 8)
  • Remote call to IsPathShadowCopied (opnum 9)

• [MS-PAR]: Print System Asynchronous Remote Protocol

  • Remote call to RpcAsyncOpenPrinter (opnum 0)

• [MS-RPRN]: Print System Remote Protocol

  • Remote call to RpcRemoteFindFirstPrinterChangeNotificationEx (opnum 65)

Microsoft does not consider coerced authentications as security vulnerability. In their point of view, only the relaying of authentications issued from coerced authentication consitute a security vulnerability. To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. The mitigations against NTLM relays are outlined in these bulletins:

• July 24, 2021 KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
• December 08, 2009 MSA974926: Credential Relaying Attacks on Integrated Windows Authentication
• August 12, 2009 Extended Protection for Authentication
• August 11, 2009 MSA973811: Extended Protection for Authentication

Feel free to open a pull request to add new methods.