{"id":214324,"date":"2022-06-21T07:55:31","date_gmt":"2022-06-21T09:55:31","guid":{"rendered":"https:\/\/teknomers.com\/fr\/la-nouvelle-attaque-de-relais-ntlm-permet-aux-attaquants-de-prendre-le-controle-du-domaine-windows\/"},"modified":"2022-06-21T07:55:31","modified_gmt":"2022-06-21T09:55:31","slug":"la-nouvelle-attaque-de-relais-ntlm-permet-aux-attaquants-de-prendre-le-controle-du-domaine-windows","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/la-nouvelle-attaque-de-relais-ntlm-permet-aux-attaquants-de-prendre-le-controle-du-domaine-windows\/",
"title":{"rendered":"New NTLM relay attack lets attackers take control of a Windows domain"},
"content":{"rendered":"<div id=\"articlebody\">\n<p>A new type of Windows NTLM relay attack called <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/Wh04m1001\/DFSCoerce\" target=\"_blank\">DFSCoerce<\/a> has been discovered that abuses the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to take control of a domain.<\/p>\n<p>&#8220;Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay [Domain Controller authentication to [Active Directory Certificate Services]? Don&#8217;t worry, MS-DFSNM has (sic) your back,&#8221; security researcher Filip Dragovic <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/filip_dragovic\/status\/1538154721655103488\" target=\"_blank\">said<\/a> in a tweet.<\/p>\n<p><a rel=\"nofollow noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-dfsnm\/95a506a8-cae6-4c42-b19d-9c1ed1223979\" target=\"_blank\">MS-DFSNM<\/a> provides a remote procedure call (RPC) interface for administering distributed file system configurations.<\/p>\n<p>The NTLM (NT LAN Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It lets malicious parties sit between clients and servers, intercepting and relaying validated authentication requests in order to gain unauthorized access to network resources, effectively gaining a foothold in Active Directory environments.<\/p>\n<p>The discovery of DFSCoerce follows a similar method called PetitPotam, which <a rel=\"nofollow noopener\" href=\"https:\/\/www.rapid7.com\/blog\/post\/2021\/08\/03\/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs\/\" target=\"_blank\">abuses<\/a> Microsoft&#8217;s Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows servers, including domain controllers, into authenticating to a relay under an attacker&#8217;s control, potentially allowing attackers to take over an entire domain.<\/p>\n<p>&#8220;By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller,&#8221; the CERT Coordination Center (CERT\/CC) <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/wdormann\/status\/1538894243225391104\" target=\"_blank\">noted<\/a>, detailing the <a rel=\"nofollow noopener\" href=\"https:\/\/www.kb.cert.org\/vuls\/id\/405600\" target=\"_blank\">attack chain<\/a>.<\/p>\n<p>To mitigate NTLM relay attacks, Microsoft <a rel=\"nofollow noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/ADV210003\" target=\"_blank\">recommends<\/a> enabling protections such as Extended Protection for Authentication (EPA), SMB signing, and disabling HTTP on AD CS servers.<\/p>\n<\/div>\n<p>Source: <a href=\"https:\/\/thehackernews.com\/2022\/06\/new-ntlm-relay-attack-lets-attackers.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>A new type of Windows NTLM relay attack called DFSCoerce has been discovered that abuses the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to take control of a domain. &#8220;Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":214325,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[11865,1933,507,4168,3976,4158,4165,4161,9509,4157,4159,4171,4170,4167,4160,197,4163,4162,80875,9701,3086,2876,4172,4169,4166,4164,45020],"class_list":["post-214324","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-attaquants","tag-attaque","tag-aux","tag-comment-pirater","tag-controle","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-domaine","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-logiciel-malveillant-de-ransomware","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelle","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-ntlm","tag-permet","tag-prendre","tag-relais","tag-securite-informatique","tag-securite-internet","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-windows"],
"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/214324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=214324"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/214324\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/214325"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=214324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=214324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=214324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}