Cyber Security News

Hackers Exploiting LLMNR Poisoning to Relay Kerberos and Compromise Active Directory Environments

Security researchers have recently detailed a technique for relaying Kerberos authentication over HTTP by poisoning multicast name resolution.

Building on James Forshaw's earlier work on Kerberos relaying, and implemented with the Responder and krbrelayx tools, the approach abuses local name resolution protocols, specifically LLMNR (Link-Local Multicast Name Resolution), to obtain and relay Kerberos authentication from a position on the network where the attacker holds no credentials of their own.

This gives attackers a fresh path in hardened Active Directory environments where NTLM relay is largely mitigated, for example because NTLM has been disabled or signing is enforced.

The vector targets the way certain HTTP clients derive the Service Principal Name (SPN) used for Kerberos authentication: the SPN is built from the host name carried in the name-resolution answer, so whoever controls that answer controls which service the client requests a ticket for.

Unlike established methods like Kerberos relaying over DNS or SMB, this multicast-based technique introduces a novel dimension for unauthorized privilege escalation in enterprise networks.

Exploiting LLMNR for HTTP Kerberos Relays

The core of the attack is the behaviour of HTTP clients such as browsers and WebDAV clients, which construct the SPN for Kerberos authentication from the name returned in the name-resolution response rather than solely from the name the user typed.

By controlling the LLMNR response, an attacker can both steer the client's connection to an attacker-controlled host and make it request a service ticket for the service the attacker wants to reach; the resulting Kerberos authentication is then relayed to that target.

Visual representation of a Kerberos relaying attack.

The attack proceeds as follows: An attacker sets up an LLMNR poisoner, such as Responder, on the local multicast range.

When a victim HTTP client falls back to LLMNR because DNS could not resolve a hostname (a mistyped or stale name is enough), the attacker answers with a spoofed LLMNR response whose answer name is the target service's host name, so the client requests a Service Ticket (ST) for that target (for example, an HTTP server such as a web enrollment endpoint) while actually connecting to the attacker.

The client then sends its Kerberos AP-REQ (Application Request, carrying the service ticket and authenticator) to the attacker, who relays it to the real target with a tool such as krbrelayx; depending on the target, this can yield privilege escalation or a certificate issued in the victim's name.

The researchers implemented the attack with Responder, modified so that the LLMNR answer name can differ from the queried name, and krbrelayx to relay the captured authentication.
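To make the relabelling concrete, the following Python is an added example (not the researchers' code, nor Responder's or krbrelayx's). It builds a constructed LLMNR query and a poisoned reply whose answer name differs from the queried name, parses the reply the way a resolver would, shows the SPN that a client which trusts the answer name would request, and flags the query/answer mismatch as a detection check a sensor on the LLMNR multicast group could run. The host names, the addresses 10.0.0.66 and 10.0.0.5, and the simplified model of client SPN derivation are assumptions.

```python
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and UDP port


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS/LLMNR labels."""
    out = b"".join(struct.pack("!B", len(lbl)) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode labels at offset; returns (name, offset just past the name)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = ((ln & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_llmnr_query(tid: int, qname: str) -> bytes:
    """A-record query, as a host falling back to LLMNR would send it."""
    hdr = struct.pack("!HHHHHH", tid, 0x0000, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_llmnr_response(tid: int, qname: str, answer_name: str, ip: str, ttl: int = 30) -> bytes:
    """Response echoing the question and carrying one A record.

    A benign responder sets answer_name == qname; the poisoned variant the
    article describes decouples the two.
    """
    hdr = struct.pack("!HHHHHH", tid, 0x8000, 1, 1, 0, 0)  # QR=1, one question, one answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = encode_name(answer_name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + question + rr


def parse_llmnr_response(pkt: bytes) -> dict:
    """Parse header, question section and answer section of an LLMNR packet."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        off += 4  # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, value))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def spn_for_http_client(resp: dict, service: str = "HTTP") -> str:
    """Simplified model (an assumption, not vendor-documented behaviour) of the
    client behaviour the attack relies on: the SPN is built from the host name
    in the answer record, not from the name that was queried."""
    name, _ip = resp["answers"][0]
    return f"{service}/{name}"


def is_poisoned(resp: dict) -> bool:
    """Detection check: an answer whose name matches none of the queried names
    is the signature of the relabelling trick."""
    queried = {q.lower() for q in resp["questions"]}
    return any(name.lower() not in queried for name, _ in resp["answers"])


if __name__ == "__main__":
    # Constructed scenario: the victim asks LLMNR for a name DNS could not
    # resolve; the attacker at 10.0.0.66 answers with the AD CS host's name.
    query = parse_llmnr_response(build_llmnr_query(0x1234, "fileshare"))
    print("victim queried:", query["questions"])
    poisoned = build_llmnr_response(0x1234, "fileshare", "adcs.corp.local", "10.0.0.66")
    resp = parse_llmnr_response(poisoned)
    print("client will request a ticket for", spn_for_http_client(resp))
    print("poisoned answer:", is_poisoned(resp))
    benign = parse_llmnr_response(build_llmnr_response(0x0001, "printer", "printer", "10.0.0.5"))
    print("poisoned answer (benign reply):", is_poisoned(benign))
```

The `is_poisoned` check is deliberately narrow: ordinary Responder poisoning keeps the answer name equal to the query name and would not trip it, so it complements, rather than replaces, the usual alerting on any LLMNR answer at all in a network where the protocol is supposed to be disabled.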

For instance, in the demonstration the researchers relayed a victim's Kerberos authentication to an Active Directory Certificate Services (AD CS) Web Enrollment endpoint, the classic relay target for obtaining a certificate in the victim's name.

While innovative, this attack has notable limitations.

The attacker must be on the same link-local multicast segment as the victim, and LLMNR must be enabled on the victim host.

Similar protocols such as mDNS and NBT-NS cannot be abused the same way, because they do not let the attacker's answer diverge from the query in the manner this technique requires.

Defensive measures to prevent such attacks are straightforward.

Enterprises should disable LLMNR and other unnecessary local name resolution protocols across their environments.

Additionally, enforcing integrity and channel-binding protections on the services an attacker would relay to, such as signing for SMB and LDAP and channel binding for LDAP, removes most of the value of a relayed ticket.

For HTTP endpoints such as AD CS Web Enrollment, enabling TLS together with Extended Protection for Authentication (EPA) is strongly recommended: EPA binds the Kerberos authentication to the TLS channel the client actually opened, so an AP-REQ captured on the attacker's connection is rejected when replayed to the real server.

Implications for Active Directory Security

This new method demonstrates how traditional attack surfaces, such as local name resolution poisoning, can be repurposed with modern offensive tools to exploit Kerberos authentication mechanisms.

By combining old techniques with advanced relaying strategies, attackers can potentially gain initial footholds in a domain or escalate privileges.

Organizations must remain vigilant and adopt proactive security configurations to address emerging threat vectors like Kerberos relaying over HTTP.

As demonstrated, even hardened Active Directory environments can be compromised if legacy protocols and improper configurations persist.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
