Critical Kerberos Relay Attack Exploits DNS CNAME to Bypass Security Measures
A significant vulnerability has been identified in Windows Kerberos authentication that widens the scope of credential relay attacks within Active Directory environments. The flaw lies in how Windows clients handle DNS CNAME (Canonical Name) records when requesting Kerberos service tickets: an attacker who can answer a client's DNS queries can make it request a ticket for a service the attacker controls, and that ticket can then be relayed to any service that does not enforce signing or channel binding.
Understanding the Attack Mechanism
The core of this vulnerability lies in the behavior of Windows clients when processing DNS CNAME records. Upon receiving a CNAME response, the client follows the alias and constructs the Ticket Granting Service (TGS) request using the CNAME hostname as the Service Principal Name (SPN). An attacker with the capability to intercept DNS traffic can exploit this by coercing victims into requesting service tickets for attacker-specified targets.
To execute this attack, the adversary must first be positioned to intercept the victim's DNS traffic (a man-in-the-middle, or MITM, position). This can be achieved through techniques such as ARP poisoning, DHCPv6 poisoning (using tools like MITM6), or similar methods. When a victim attempts to access a legitimate domain resource, the malicious DNS server responds with a CNAME record that points to an attacker-controlled hostname, accompanied by an A record resolving to the attacker's IP address. Consequently, the victim's system authenticates against the attacker's infrastructure using a service ticket issued for the SPN the attacker chose, which the attacker can then relay to that service.
Potential Impacts of the Attack
The ramifications of this attack are extensive and include:
– Remote Code Execution (RCE): Exploitation via Active Directory Certificate Services (ADCS) Web Enrollment (ESC8).
– Relay Attacks: Cross-protocol relays, such as HTTP to SMB or HTTP to LDAP.
– Lateral Movement: Unauthorized access and propagation within the network.
– Impersonation: Ability to impersonate users without needing their passwords.
Testing has confirmed that this exploitation is effective on default configurations across various Windows versions, including Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025. The attack is successful against unprotected services like SMB, HTTP, and LDAP, particularly when signing or Channel Binding Tokens (CBT) are not enforced. This vulnerability was responsibly disclosed to Microsoft in October 2025.
Microsoft’s Response and Mitigation Efforts
In response to this vulnerability, Microsoft has implemented CBT support for HTTP.sys and released patches across supported Windows Server versions in the January 2026 security updates, identified as CVE-2026-20929. However, this mitigation specifically addresses HTTP relay scenarios. The fundamental issue of DNS CNAME coercion remains unaddressed, leaving other protocols susceptible to similar attacks.
Proof of Concept and Tools
Researchers have released a modified version of the MITM6 tool on GitHub, now equipped with CNAME poisoning capabilities. This tool supports targeted CNAME poisoning against specific domains or all DNS queries and includes a DNS-only mode for integration with ARP poisoning. It also enables passthrough for critical infrastructure connectivity. Exploitation requires Python 3.x and a Linux operating system.
Recommended Defensive Measures
To mitigate the risks associated with this vulnerability, organizations are advised to implement a multi-layered defense strategy:
– SMB Security: Enforce SMB signing on all servers, not only domain controllers, to prevent SMB relay and man-in-the-middle attacks.
– Directory Services: Require LDAP signing and enforce LDAPS Channel Binding Tokens (CBT) where supported to protect against LDAP relay and credential interception.
– Web Services: Mandate HTTPS with CBT for all internal HTTP services to mitigate NTLM relay attacks over HTTP.
– DNS Infrastructure: Harden DNS servers and consider implementing DNS over HTTPS (DoH) to reduce risks associated with DNS spoofing and traffic manipulation.
– Kerberos Monitoring: Monitor for anomalous TGS requests targeting unusual SPNs to detect potential Kerberos abuse or lateral movement.
– Threat Detection: Set up alerts for cross-protocol authentication patterns to identify NTLM/Kerberos relay and protocol abuse attempts.
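The following is an added example, not code from the researchers' tool or from Microsoft, illustrating both the mechanism described above (the client follows the CNAME and puts the alias target into the SPN) and the DNS/Kerberos monitoring recommended here: it walks a DNS answer the way the client does, handles CNAME loops, and flags a response whose alias moves the SPN to a host outside the trusted zones or to a host that is not a known domain-joined machine. The record layout, the trusted-zone list and the known-host list are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class DnsRecord:
    name: str   # owner name, e.g. "fileserver.corp.example"
    rtype: str  # "A" or "CNAME"
    rdata: str  # IPv4 address for A records, target hostname for CNAME records

def normalize(name: str) -> str:
    return name.rstrip(".").lower()

def resolve_spn_host(queried: str, answers: List[DnsRecord], max_hops: int = 8) -> Optional[str]:
    """Follow the CNAME chain as the client does; return the host that lands in the SPN."""
    table: Dict[str, List[DnsRecord]] = {}
    for rec in answers:
        table.setdefault(normalize(rec.name), []).append(rec)
    current = normalize(queried)
    for _ in range(max_hops):
        recs = table.get(current, [])
        cname = next((r for r in recs if r.rtype == "CNAME"), None)
        if cname is None:
            # No alias at this name: the client keeps it, provided an address was answered.
            return current if any(r.rtype == "A" for r in recs) else None
        current = normalize(cname.rdata)  # alias: the SPN now names the CNAME target
    return None  # CNAME loop or over-long chain: nothing usable for an SPN

def assess_response(queried: str, answers: List[DnsRecord],
                    trusted_zones: List[str], known_hosts: List[str]) -> dict:
    """Flag a CNAME that moves the SPN outside the trusted zones or to an unknown host."""
    spn_host = resolve_spn_host(queried, answers)
    if spn_host is None:
        return {"spn_host": None, "verdict": "unresolved"}
    verdict = "ok"
    if spn_host != normalize(queried):  # the answer redirected the SPN via an alias
        zones = [normalize(z) for z in trusted_zones]
        in_zone = any(spn_host == z or spn_host.endswith("." + z) for z in zones)
        if not in_zone or spn_host not in {normalize(h) for h in known_hosts}:
            verdict = "suspicious-cname"
    return {"spn_host": spn_host, "verdict": verdict}

# Constructed sample data (not captured traffic): a clean answer and a poisoned one.
ZONES = ["corp.example"]                                  # hypothetical trusted DNS zones
HOSTS = ["fileserver.corp.example", "dc01.corp.example"]  # hypothetical domain-joined hosts
LEGIT = [DnsRecord("fileserver.corp.example", "A", "10.0.0.5")]
POISONED = [DnsRecord("fileserver.corp.example", "CNAME", "rogue-host.corp.example"),
            DnsRecord("rogue-host.corp.example", "A", "10.0.0.66")]
```

`assess_response("fileserver.corp.example", POISONED, ZONES, HOSTS)` returns the verdict `suspicious-cname` while the same query against `LEGIT` returns `ok`; the same check can be run over resolver logs or a monitoring resolver's answers so that a redirected SPN is caught before the ticket is presented to a service.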
This research underscores a critical security reality: Kerberos itself does not inherently prevent relay attacks. The enforcement of protection measures lies at the service level. Disabling NTLM alone is insufficient; organizations must explicitly enforce anti-relay protections across every Kerberos-enabled service to effectively eliminate relay risks.