The Silent Redirect: How a DNS CNAME Becomes Your Active Directory’s Worst Nightmare + Video

Introduction:

A newly disclosed attack vector, CVE-2026-20929, fundamentally rewrites the rules of Kerberos relay attacks within Active Directory environments. By abusing the standard DNS CNAME record, attackers can stealthily redirect Kerberos authentication traffic to a machine they control, bypassing legacy defenses like disabling LLMNR or securing WPAD. This technique exposes a critical vulnerability in the trust relationship between Kerberos and DNS, making even “hardened” networks susceptible to credential theft and domain compromise.

Learning Objectives:

  • Understand the mechanics of Kerberos CNAME relay abuse and how it extends the classic MITM6 attack.
  • Learn to set up a lab environment to safely replicate the attack using publicly available Proof-of-Concept (PoC) tools.
  • Implement effective detection strategies and security controls to mitigate this novel threat in production environments.

1. The Core Vulnerability: Kerberos Trusts DNS Blindly

The attack exploits a fundamental design assumption: the Kerberos authentication protocol implicitly trusts DNS resolution. When a client (like a user’s workstation) needs to talk to a service (like a file server), it requests a Service Ticket. It first resolves that service’s hostname through DNS. If an attacker can poison DNS or control a record, they can use a CNAME to redirect the client to a host they own. The Kerberos protocol, following the DNS redirect, will then send the Service Ticket—which is encrypted with the service’s password hash—directly to the attacker’s machine. This bypasses the need for complex on-the-wire interception (like classic MITM6).

Step-by-step guide explaining what this does and how to use it:
1. Attacker Setup: The attacker compromises a machine joined to the target domain or gains the ability to create DNS records (e.g., through DNS adminship, zone replication abuse, or DHCP-based registration poisoning).
2. DNS Poisoning: The attacker creates or modifies a DNS CNAME record for a legitimate service (e.g., sqlserver.prod.corp.com). This record points to a hostname controlled by the attacker (e.g., evilhost.attacker.corp.com).
3. Client Request: A domain user or system attempts to access the legitimate service (sqlserver.prod.corp.com).
4. Silent Redirect: The client’s DNS lookup follows the CNAME to evilhost.attacker.corp.com. The Kerberos Key Distribution Center (KDC) issues a ticket for sqlserver.prod.corp.com, but the client sends it to the IP address resolved for evilhost.attacker.corp.com.
5. Credential Capture: The attacker’s machine receives the Service Ticket. They can now relay this ticket to the actual target service (like Active Directory Certificate Services – AD CS) or attempt to crack it offline to obtain the service account’s password hash.

2. Weaponizing the Attack: From PoC to Exploit

The public PoC tool, “MITM6-Kerberos-CNAME-Abuse,” automates this attack chain. It combines a rogue DNS server with a relay component, typically targeting AD CS’s web enrollment service to request a certificate for the relayed user identity.

Step-by-step guide explaining what this does and how to use it:
1. Lab Prerequisites: Set up a controlled Active Directory lab with at least one Domain Controller, a victim client, and a server with AD CS installed. The attacker machine can be a Linux or Windows system.
2. Tool Configuration: Clone the PoC repository (`https://github.com/BenZamir/MITM6-Kerberos-CNAME-Abuse`). Study the configuration file to set the target domain, the service SPN to impersonate, and the IP of your AD CS target.
3. Execute the Attack: Run the tool’s main module. It will:
   • Spoof DNS responses for the target service, injecting the CNAME record.
   • Wait for a client to request a ticket for that service.
   • Receive the Kerberos ticket and instantly relay it to the AD CS web endpoint.
   • If successful, obtain a valid domain certificate for the victim user.
4. Escalate Privileges: With a user’s certificate, an attacker can use tools like `Rubeus` or `Certify` to perform Kerberos authentication, potentially leading to Ticket Granting Ticket (TGT) retrieval and full domain compromise.

3. Building Your Detection Strategy

Traditional Kerberos relay monitoring often focuses on encryption type downgrades or strange IP addresses. This attack requires a more nuanced approach, focusing on DNS and Kerberos event correlation.

Step-by-step guide explaining what this does and how to use it:
1. Monitor DNS Query/Response Cycles: Centralize DNS debug logs. Alert on CNAME records that resolve to hostnames outside their expected subnets or to hostnames with atypical naming patterns. A query for `hr-db.corp.com` returning a CNAME to `temp-vm.attacker.corp.com` is a major red flag.
2. Correlate Kerberos TGS Requests with DNS: Use your SIEM to join Windows Security Event ID 4769 (A Kerberos service ticket was requested) with DNS query logs from the same client seconds before. Flag instances where the `ServiceName` in the 4769 event does not match the original hostname queried in DNS.
3. Look for RC4 Encryption Abuse: While not exclusive to this attack, relaying to AD CS often forces the use of the older, weaker RC4 (Kerberos etype 23) encryption. Generate high-fidelity alerts for Service Ticket requests (Event 4769) where `TicketEncryptionType` is `0x17` (RC4) and the `ServiceName` is for a high-value service (e.g., ca, sql, exchange).
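The three detection steps above, as an added example that is not code from the original article or from any tool it names: a small Python correlation that runs over constructed DNS answer records and Event ID 4769 records and emits one alert per rule. The record layouts, the 10-second join window, the `prod.corp.com` suffix, the alert names and the sample values (including a 4769 record whose ServiceName does not match the name that client queried, the condition step 2 flags) are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample DNS answer records: (client IP, time, queried name, CNAME target or None).
DNS_LOG = [
    ("10.0.5.23", "2026-02-10T09:14:01", "sqlserver.prod.corp.com", "temp-vm.attacker.corp.com"),
    ("10.0.5.24", "2026-02-10T09:20:00", "fs01.prod.corp.com", None),
    ("10.0.5.25", "2026-02-10T09:25:00", "ca.prod.corp.com", None),
]
# Constructed sample Event ID 4769 records: (client IP, time, ServiceName, TicketEncryptionType).
KERB_LOG = [
    ("10.0.5.23", "2026-02-10T09:14:03", "TEMP-VM$", "0x12"),
    ("10.0.5.24", "2026-02-10T09:20:02", "FS01$", "0x12"),
    ("10.0.5.25", "2026-02-10T09:25:01", "CA$", "0x17"),
]
EXPECTED_SUFFIX = "prod.corp.com"        # assumed namespace where production CNAME targets belong
HIGH_VALUE = ("ca", "sql", "exchange")   # coarse prefix list from the article; tune per environment


def service_host(service_name):
    """Reduce a 4769 ServiceName ('SQLSERVER$', 'host/sqlserver.prod.corp.com') to a bare host label."""
    name = service_name.split("/")[-1]            # drop an SPN service class if present
    return name.rstrip("$").split(".")[0].lower()


def analyse(dns_log, kerb_log, expected_suffix=EXPECTED_SUFFIX, window_s=10):
    """Return (rule, client, observed, detail) tuples for the three detection steps."""
    alerts = []
    # Step 1: CNAME answers whose target leaves the expected namespace.
    for client, _, qname, cname in dns_log:
        if cname and not cname.lower().endswith("." + expected_suffix):
            alerts.append(("cname_outside_zone", client, qname, cname))
    for client, ts, svc, etype in kerb_log:
        t = datetime.fromisoformat(ts)
        # Step 2: join the ticket request with the latest DNS query from the same client in the window.
        prior = [d for d in dns_log
                 if d[0] == client and 0 <= (t - datetime.fromisoformat(d[1])).total_seconds() <= window_s]
        if prior:
            queried = max(prior, key=lambda d: d[1])[2]
            if service_host(svc) != queried.split(".")[0].lower():
                alerts.append(("spn_dns_mismatch", client, queried, svc))
        # Step 3: RC4 (etype 0x17) service ticket for a high-value service name.
        if etype.lower() == "0x17" and service_host(svc).startswith(HIGH_VALUE):
            alerts.append(("rc4_high_value", client, svc, etype))
    return alerts


if __name__ == "__main__":
    for alert in analyse(DNS_LOG, KERB_LOG):
        print(alert)
```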

4. Hardening DNS to Break the Attack Chain

Since DNS is the linchpin, securing it is the most effective mitigation.

Step-by-step guide explaining what this does and how to use it:
1. Implement DNSSEC for Internal Zones: DNSSEC signs DNS records, preventing the injection of fraudulent CNAME records. On a Windows DNS Server, you can configure DNSSEC for an Active Directory-integrated zone through the DNS Manager GUI or PowerShell:

# Check zone status
Get-DnsServerZone -Name "corp.com" | Select-Object ZoneName, IsSigned
# Sign a zone (simplified example): add a KSK and a ZSK, then sign with the keys just configured
Add-DnsServerSigningKey -ZoneName "corp.com" -Type KeySigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName "corp.com" -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024
Invoke-DnsServerZoneSign -ZoneName "corp.com" -Force

2. Restrict Dynamic DNS Updates: Configure DNS zones to allow only secure dynamic updates. This prevents unauthorized machines from registering names. Set zone properties to “Secure only” in DNS Manager or via:

Set-DnsServerPrimaryZone -Name "corp.com" -DynamicUpdate Secure

3. Enable DNS Audit Logging and Alerting: Turn on detailed debug logging on your DNS servers. Regularly audit permissions on DNS records and zones, alerting on any changes made by non-administrative users or service accounts.

5. Mitigating the Relay Target: Securing Active Directory CS

Reducing the attack surface of high-value relay targets like AD CS is critical.

Step-by-step guide explaining what this does and how to use it:
1. Disable NTLM & RC4 on Web Enrollment: On your AD CS server, modify the Internet Information Services (IIS) configuration for the Certificate Authority Web Enrollment site. Disable NTLM and RC4 cipher suites, forcing the use of stronger Kerberos encryption types that are not relayable in this context.
2. Enforce HTTPS and EPA: Ensure the AD CS web enrollment endpoint is only accessible via HTTPS. Implement Extended Protection for Authentication (EPA) in IIS, which binds the Channel Binding Token (CBT) to the service’s SSL certificate, effectively breaking relay attempts.
3. Migrate to a Modern PKI Architecture: Consider moving away from web-based enrollment to automated certificate deployment via group policy or modern protocols like SCEP (with secure configuration). This removes the interactive, relay-vulnerable web component from the equation.

6. Advanced Guardrails: Kerberos Armoring and Device Authentication

For environments requiring the highest security, consider deploying advanced Kerberos features available in modern Windows Server environments.

Step-by-step guide explaining what this does and how to use it:
1. Enable Kerberos Armoring (FAST): Configure Group Policy to support Kerberos armoring (Flexible Authentication Secure Tunneling). This creates an armored channel between the client and the KDC, protecting pre-authentication data. This is configured under Computer Configuration\Policies\Administrative Templates\System\Kerberos.
2. Explore Authentication Policies and `KCD` with Device Claims: Utilize Kerberos Authentication Policies to restrict which devices a user can authenticate from. Coupled with Key Distribution Center (KDC) support for device claims, you can create policies that, for example, only allow a service ticket for `sqlserver` to be issued if the requesting user is logging on from a properly hybrid-joined and compliant device.
3. Monitor for Policy Violations: The Windows Security Event Log will record events (like 4769 with sub-status codes) when a ticket request violates an authentication policy. These should be configured as immediate, high-severity alerts in your SIEM.

What Undercode Say:

  • The Perimeter is Now Identity-Centric: This attack proves that network-level hardening is insufficient. The new perimeter is the complex interaction between core identity protocols like Kerberos and supporting services like DNS. Security teams must shift their focus to monitoring and securing these trust chains.
  • Assumed Mitigations Create False Confidence: Organizations that patched MITM6 and disabled legacy protocols likely considered themselves safe from Kerberos relay. This research is a stark reminder that attackers evolve by finding gaps in correlated defenses, not just individual protocols. A secure DNS configuration is now a non-negotiable requirement for AD security, not just a network best practice.

Prediction:

The CVE-2026-20929 exploit will rapidly become a staple in the toolkit of advanced threat actors targeting corporate networks. Its low noise and high success rate against “hardened” environments make it ideal for initial compromise and lateral movement. We predict a surge in incidents combining this technique with AD CS abuse for ransomware deployment. Within the next 12-18 months, this will force a major industry-wide shift: DNS security monitoring will become as critical as endpoint detection for identity-centric defense, and the default configuration guidance for Active Directory will be rewritten to mandate DNSSEC and strict Kerberos delegation controls.

Reported By: Dmitriy Galasli – Hackers Feeds