Skip to content

A list of methods to coerce a windows machine to authenticate to an attacker-controlled machine through a Remote Procedure Call (RPC) with various protocols.

Notifications You must be signed in to change notification settings

p0dalirius/windows-coerced-authentication-methods

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 

Repository files navigation


This repository contains a list of many methods to coerce a windows machine to authenticate to an attacker-controlled machine.
GitHub repo size YouTube Channel Subscribers

All of these methods are callable by a standard user in the domain to force the machine account of the target Windows machine (usually a domain controller) to authenticate to an arbitrary target. The root cause of this "vulnerability/feature" in each of these methods is that Windows machines automatically authenticate to other machines when trying to access UNC paths (like \\192.168.2.1\SYSVOL\file.txt).

There are currently 15 working functions in 5 protocols.


Note

🎉 A lot of new methods are yet to be tested, if you want to try them: possible-working-calls This list will be triaged over time, eventhough I automated most of the work and autogenerated python proof of concept for each call, it takes time to test these 240+ RPC calls.


Protocols & Methods

Protecting against coerced authentications

Microsoft does not consider coerced authentications as security vulnerability. In their point of view, only the relaying of authentications issued from coerced authentication consitute a security vulnerability. To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. The mitigations against NTLM relays are outlined in these bulletins:

Contributing

Feel free to open a pull request to add new methods.

About

A list of methods to coerce a windows machine to authenticate to an attacker-controlled machine through a Remote Procedure Call (RPC) with various protocols.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Languages