
MITM and coerced auths

In Active Directory domains, attackers often rely on coerced authentications and MitM (man-in-the-middle) techniques for lateral movement, especially when attempting authentication relaying attacks (e.g. NTLM relay) or when abusing Kerberos delegations.

These techniques enable attackers to redirect traffic or to redirect/force targets' authentications. In certain cases, attackers will then be able to capture credentials or relay authentications. I'm using "coerce" instead of "force" in this category's title since some techniques rely on a bit of social engineering to work.

There are many ways attackers can do MitM or redirect/force targets authentications, most of which can be combined for maximum impact (and minimum stealth).

This page is a work-in-progress

| MITM Technique | ADIDNS | LLMNR | NBNS | DHCPv6 | ARP | DNS | WPAD | PrinterBug | PrivExchange |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Can require waiting for replication/syncing | x | | | | | | | | |
| Easy to start and stop attacks | | x | x | takes ~5 minutes to revert | revert time depends on targets' ARP cache timeout (usually ~60 sec) | x | x | x | x |
| Exploitable when default settings are present | x | x | x | x | x | x | x | x | up to 2019 |
| Impacts fully qualified name requests | x | not if wildcard ADIDNS record exists | not if wildcard ADIDNS record exists | x | | x | | | |
| Requires constant network traffic for spoofing | | x | x | x | x | x | x | | |
| Requires domain credentials | x | | | | | | | x | requires email-capable account |
| Requires editing AD | x | | | | | | | | |
| Requires privileged access to launch attack from a compromised system | | | | x | x | x | | | |
| Targets limited to the same network segment as the attacker | | x | x | x | x | x | x | | |
| Disruption | low | low | low | low to high | low to high | low to high | low to high | none | none |
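The "Exploitable when default settings are present" row is the defender's angle on this table: most of the name-resolution and coercion techniques listed above only work because Windows ships with LLMNR, NetBIOS name service, WPAD discovery and the Print Spooler enabled. The script below is an added example, not part of the original page or of any tool it mentions; it reports the current state of those four defaults on a Windows host and, when run elevated without `-ReportOnly`, turns them off. The registry paths and values are the documented Windows ones; the function names (`Get-RegistryValue`, `Get-CoercionSurface`) are my own.

```powershell
# Added example: audit and harden the Windows defaults that LLMNR, NBNS, WPAD and PrinterBug rely on.
# Run elevated. -WhatIf previews every change; -ReportOnly prints the state and changes nothing.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$ReportOnly
)

$LlmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'            # EnableMulticast=0 disables LLMNR
$NetBtKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' # NetbiosOptions=2 per interface disables NBNS
$WpadKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad' # WpadOverride=1 disables WPAD lookups
$WpadSvc   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'         # Start=4 disables the auto-proxy service

# Helper (hypothetical name): read one registry value, returning $null when the key or value is absent.
function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Helper (hypothetical name): one object summarising which defaults are still exploitable.
function Get-CoercionSurface {
    $nbnsOn = @(Get-ChildItem -Path $NetBtKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-RegistryValue -Path $_.PSPath -Name 'NetbiosOptions') -ne 2 }).Count
    [pscustomobject]@{
        LLMNR_Enabled          = (Get-RegistryValue -Path $LlmnrKey -Name 'EnableMulticast') -ne 0  # unset means enabled
        NBNS_InterfacesEnabled = $nbnsOn                                                          # 0 is the hardened state
        WPAD_Enabled           = (Get-RegistryValue -Path $WpadKey -Name 'WpadOverride') -ne 1
        Spooler_StartType      = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).StartType
    }
}

Write-Host 'Before:' ; Get-CoercionSurface | Format-List
if ($ReportOnly) { return }

# 1. LLMNR: policy value read by the DNS client; equivalent to the "Turn off multicast name resolution" GPO.
if ($PSCmdlet.ShouldProcess($LlmnrKey, 'Set EnableMulticast=0')) {
    New-Item -Path $LlmnrKey -Force | Out-Null
    Set-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord
}

# 2. NBNS: NetBIOS over TCP/IP is configured per interface, so walk every Tcpip_* subkey.
Get-ChildItem -Path $NetBtKey | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.PSChildName, 'Set NetbiosOptions=2')) {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

# 3. WPAD: stop clients from resolving "wpad" at all, and disable the WinHTTP auto-proxy service.
if ($PSCmdlet.ShouldProcess($WpadKey, 'Set WpadOverride=1')) {
    New-Item -Path $WpadKey -Force | Out-Null
    Set-ItemProperty -Path $WpadKey -Name 'WpadOverride' -Value 1 -Type DWord
}
if ($PSCmdlet.ShouldProcess($WpadSvc, 'Set Start=4 (disabled)')) {
    Set-ItemProperty -Path $WpadSvc -Name 'Start' -Value 4 -Type DWord
}

# 4. PrinterBug: the coercion goes through MS-RPRN, served by the Print Spooler. Disable it where printing
#    is not needed (domain controllers first); leave it alone on actual print servers.
if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable Print Spooler')) {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

Write-Host 'After:' ; Get-CoercionSurface | Format-List
```

Hardening LLMNR and NBNS via the local registry is fine for a test host; at domain scale push the same values through Group Policy so they survive rebuilds. The Spooler step is the one that breaks something visible (printing), which is why it is gated on `ShouldProcess` like the rest and should be scoped to domain controllers and servers that never print. The WPAD and PrinterBug changes do not address coercion through ADIDNS or PrivExchange, which the table shows do not depend on these local defaults.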