---

This repository contains a list of many methods to coerce a windows machine to authenticate to an attacker-controlled machine.

All of these methods are callable by a standard user in the domain to force the machine account of the target Windows machine (usually a domain controller) to authenticate to an arbitrary target. The root cause of this "vulnerability/feature" in each of these methods is that Windows machines automatically authenticate to other machines when trying to access UNC paths (like \\192.168.2.1\SYSVOL\file.txt).

There is currently 15 known methods in 5 protocols.

---

Protocols & Methods

• [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol

  • Remote call to NetrDfsAddStdRoot (opnum 12)
  • Remote call to NetrDfsRemoveStdRoot (opnum 13)

• [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol

  • Remote call to EfsRpcOpenFileRaw (opnum 0)
  • Remote call to EfsRpcEncryptFileSrv (opnum 4)
  • Remote call to EfsRpcDecryptFileSrv (opnum 5)
  • Remote call to EfsRpcQueryUsersOnFile (opnum 6)
  • Remote call to EfsRpcQueryRecoveryAgents (opnum 7)
  • Remote call to EfsRpcFileKeyInfo (opnum 12)
  • Remote call to EfsRpcDuplicateEncryptionInfoFile (opnum 13)
  • Remote call to EfsRpcAddUsersToFileEx (opnum 15)

• [MS-FSRVP]: File Server Remote VSS Protocol

  • Remote call to IsPathSupported (opnum 8)
  • Remote call to IsPathShadowCopied (opnum 9)

• [MS-PAR]: Print System Asynchronous Remote Protocol

  • Remote call to RpcAsyncOpenPrinter (opnum 0)

• [MS-RPRN]: Print System Remote Protocol

  • Remote call to RpcOpenPrinter (opnum 1)
  • Remote call to RpcOpenPrinterEx (opnum 69)

Contributing

Feel free to open a pull request to add new methods.