Skip to content

Latest commit

 

History

History
67 lines (46 loc) · 6.19 KB

File metadata and controls

67 lines (46 loc) · 6.19 KB


This repository contains a list of many methods to coerce a windows machine to authenticate to an attacker-controlled machine.
GitHub repo size YouTube Channel Subscribers

All of these methods are callable by a standard user in the domain to force the machine account of the target Windows machine (usually a domain controller) to authenticate to an arbitrary target. The root cause of this "vulnerability/feature" in each of these methods is that Windows machines automatically authenticate to other machines when trying to access UNC paths (like \\192.168.2.1\SYSVOL\file.txt).

There are currently 15 working functions in 5 protocols.


Note

🎉 A lot of new methods are yet to be tested, if you want to try them: possible-working-calls This list will be triaged over time, eventhough I automated most of the work and autogenerated python proof of concept for each call, it takes time to test these 240+ RPC calls.


Protocols & Methods

Protecting against coerced authentications

Microsoft does not consider coerced authentications as security vulnerability. In their point of view, only the relaying of authentications issued from coerced authentication consitute a security vulnerability. To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. The mitigations against NTLM relays are outlined in these bulletins:

Contributing

Feel free to open a pull request to add new methods.