{"id":5969,"date":"2022-06-29T16:05:39","date_gmt":"2022-06-29T21:05:39","guid":{"rendered":"https:\/\/etek.com\/es\/?p=5969"},"modified":"2022-06-29T16:05:39","modified_gmt":"2022-06-29T21:05:39","slug":"nuevo-ataque-ntlm-relay","status":"publish","type":"post","link":"https:\/\/etek.com\/es\/nuevo-ataque-ntlm-relay\/","title":{"rendered":"New NTLM Relay Attack"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"5969\" class=\"elementor elementor-5969\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-10b8478c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"10b8478c\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-386e08e\" data-id=\"386e08e\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-52d83127 elementor-widget elementor-widget-text-editor\" data-id=\"52d83127\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! 
elementor - v3.20.0 - 13-03-2024 *\/\n.elementor-widget-text-editor.elementor-drop-cap-view-stacked .elementor-drop-cap{background-color:#69727d;color:#fff}.elementor-widget-text-editor.elementor-drop-cap-view-framed .elementor-drop-cap{color:#69727d;border:3px solid;background-color:transparent}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap{margin-top:8px}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap-letter{width:1em;height:1em}.elementor-widget-text-editor .elementor-drop-cap{float:left;text-align:center;line-height:1;font-size:50px}.elementor-widget-text-editor .elementor-drop-cap-letter{display:inline-block}<\/style>\t\t\t\t<!-- wp:paragraph -->\n<p><strong>A new NTLM relay attack called DFSCoerce abuses the Distributed File System (DFS) to take over a Windows domain.<\/strong><\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2121dde elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2121dde\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6816c65\" data-id=\"6816c65\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1c4aeaa elementor-widget elementor-widget-text-editor\" data-id=\"1c4aeaa\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>An NTLM relay attack is a method that 
exploits the challenge-response mechanism. It lets an attacker sit between a client and a server, intercept and relay validated authentication requests, and so gain unauthorized access to network resources or, in the case of DFSCoerce, potentially take over an entire domain.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c7442a0 elementor-widget elementor-widget-image\" data-id=\"c7442a0\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! elementor - v3.20.0 - 13-03-2024 *\/\n.elementor-widget-image{text-align:center}.elementor-widget-image a{display:inline-block}.elementor-widget-image a img[src$=\".svg\"]{width:48px}.elementor-widget-image img{vertical-align:middle;display:inline-block}<\/style>\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/etek.com\/es\/wp-content\/uploads\/2022\/06\/Nuevo-ataque-NTLM-Relay.jpg\" title=\"\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f9c784a elementor-widget elementor-widget-text-editor\" data-id=\"f9c784a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>DFSCoerce builds on the PetitPotam exploit, which abuses Microsoft's Encrypting File System, but instead of MS-EFSRPC, DFSCoerce uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed over an RPC interface.<\/p>\n<p>By relaying an NTLM authentication request, the attacker can obtain a certificate that can be used to obtain a ticket-granting ticket (TGT, a user authentication token issued by the Key Distribution Center) from the domain 
controller. The attack makes it easy for a user with limited access to become a domain administrator.<\/p>\n<p>\u00a0<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6616409 elementor-widget elementor-widget-image\" data-id=\"6616409\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/etek.com\/es\/wp-content\/uploads\/2022\/06\/Nuevo-ataque-NTLM-Relay-2.jpg\" title=\"\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6c81b12 elementor-widget elementor-widget-text-editor\" data-id=\"6c81b12\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h5>RECOMMENDATIONS<\/h5>\n<p>Enable Extended Protection for Authentication (EPA) as well as SMB signing to protect Windows credentials.<\/p>\n<p>Disable HTTP on AD CS servers. 
Disable NTLM on domain controllers.<\/p>\n<h5>SOURCES<\/h5>\n<p><a href=\"https:\/\/support.microsoft.com\/en-gb\/topic\/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429\">https:\/\/support.microsoft.com\/en-gb\/topic\/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover\/\">https:\/\/www.bleepingcomputer.com\/news\/microsoft\/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover\/<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.co\/wordpress\/132473\/hacking\/dfscoerce-attacks-windows-domains.html\">https:\/\/securityaffairs.co\/wordpress\/132473\/hacking\/dfscoerce-attacks-windows-domains.html<\/a><\/p>\n<p><strong>Written by: Johan Cifuentes<\/strong><\/p>\n<p><strong>Cyber Security Engineer<\/strong><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-157f867 elementor-widget elementor-widget-image\" data-id=\"157f867\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/etek.com\/es\/wp-content\/uploads\/2022\/05\/Imagen2.png\" title=\"\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>A new NTLM relay attack called DFSCoerce abuses the Distributed File System (DFS) to take over a Windows domain. An NTLM relay attack is a method that exploits the challenge-response mechanism. 
It lets an attacker sit between a client and a server [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5970,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/posts\/5969"}],"collection":[{"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/comments?post=5969"}],"version-history":[{"count":0,"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/posts\/5969\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/etek.com\/es\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/media?parent=5969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/categories?post=5969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/etek.com\/es\/wp-json\/wp\/v2\/tags?post=5969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}