New Kerberos Exploit Uses DNS CNAME to Bypass Security, Microsoft Issues Partial Patch

Critical Kerberos Relay Attack Exploits DNS CNAME to Bypass Security Measures

A significant vulnerability has been identified in Windows Kerberos authentication, exposing Active Directory environments to advanced credential relay attacks. This flaw leverages the handling of DNS CNAME (Canonical Name) records by Windows clients during Kerberos service ticket requests, enabling attackers to manipulate authentication processes and circumvent established security protocols.

Understanding the Attack Mechanism

The core of this vulnerability lies in the behavior of Windows clients when processing DNS CNAME records. Upon receiving a CNAME response, the client follows the alias and constructs a Ticket Granting Service (TGS) request using the CNAME’s hostname as the Service Principal Name (SPN). This process can be exploited by attackers who intercept DNS traffic, coercing systems into requesting service tickets for attacker-controlled services.

To execute this attack, an adversary must establish a man-in-the-middle (MITM) position within the network. Techniques such as ARP poisoning, DHCPv6 poisoning (MITM6), or similar methods can be employed to achieve this position. Once in place, the attacker can manipulate DNS responses to redirect legitimate service requests to malicious servers under their control.

Detailed Attack Flow

1. Initial Access: The attacker gains a foothold within the target network, positioning themselves to intercept DNS traffic.

2. DNS Manipulation: When a victim attempts to access a legitimate domain asset, the attacker responds with a DNS CNAME record pointing to an attacker-controlled hostname, accompanied by an A record resolving to the attacker’s IP address.

3. Service Ticket Request: The victim’s system, following the CNAME alias, requests a Kerberos service ticket for the attacker-controlled service.

4. Authentication Capture: The victim’s system authenticates against the attacker’s infrastructure using a ticket intended for the legitimate service, allowing the attacker to capture and potentially relay these credentials.

Potential Impacts

The exploitation of this vulnerability can lead to several severe consequences:

– Remote Code Execution (RCE): Attackers can achieve RCE via Active Directory Certificate Services (ADCS) Web Enrollment, specifically through the ESC8 vulnerability.

– Relay Attacks: The flaw facilitates cross-protocol relay attacks, such as HTTP to SMB or HTTP to LDAP, expanding the attack surface.

– Lateral Movement: Unauthorized access and movement within the network become feasible, compromising additional systems and data.

– Impersonation: Attackers can impersonate users without needing their passwords, undermining trust and security within the environment.

Testing has confirmed that this attack is effective on default configurations across various Windows versions, including Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025. Services such as SMB, HTTP, and LDAP are particularly vulnerable when signing or Channel Binding Tokens (CBT) are not enforced.

Microsoft’s Response and Mitigation Efforts

Upon responsible disclosure of the vulnerability in October 2025, Microsoft took steps to address the issue. In January 2026, they released security updates implementing CBT support for HTTP.sys, tracked as CVE-2026-20929. While this patch mitigates HTTP relay scenarios, the fundamental DNS CNAME coercion vector remains unaddressed, leaving other protocols susceptible to exploitation.

Proof of Concept and Tools

Researchers have developed and released a modified version of the MITM6 tool, now equipped with CNAME poisoning capabilities. This tool supports targeted CNAME poisoning against specific domains or all DNS queries and includes features such as DNS-only mode for ARP poisoning integration and passthrough for critical infrastructure connectivity. Exploitation requires Python 3.x and a Linux operating system.

Recommended Defensive Measures

To protect against this advanced attack vector, organizations are advised to implement a multi-layered defense strategy:

– SMB Security: Enforce SMB signing on all servers, not only on domain controllers, to prevent SMB relay and man-in-the-middle attacks.

– Directory Services: Require LDAP signing and enforce LDAPS Channel Binding Tokens (CBT) where supported to protect against LDAP relay and credential interception.

– Web Services: Mandate HTTPS with CBT for all internal HTTP services to mitigate NTLM relay attacks over HTTP.

– DNS Infrastructure: Harden DNS servers and consider implementing DNS over HTTPS (DoH) to reduce risks associated with DNS spoofing and traffic manipulation.

– Kerberos Monitoring: Monitor for anomalous TGS requests targeting unusual SPNs to detect potential Kerberos abuse or lateral movement.

– Threat Detection: Alert on cross-protocol authentication patterns to identify NTLM/Kerberos relay and protocol abuse attempts.
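A detection sketch for the Kerberos monitoring recommendation above, added here as an example and not code from the original article or the researchers' tool. It takes TGS request records in a constructed shape (client address, account, requested SPN), assumed to come from a Kerberos-aware network sensor, and flags SPNs whose host is absent from an assumed inventory of SPN-bearing hosts, plus hosts that several clients suddenly request tickets for across several service classes, which is the footprint of CNAME poisoning that funnels victims to one attacker host.

```python
import re
from collections import defaultdict

# Constructed sample TGS request records (not real logs). Fields mirror what a
# Kerberos-aware sensor records per request: requesting client, principal, SPN.
SAMPLE_TGS_REQUESTS = [
    {"client": "10.0.1.20", "account": "alice@CORP.LOCAL", "service": "cifs/fs01.corp.local"},
    {"client": "10.0.1.21", "account": "bob@CORP.LOCAL",   "service": "ldap/dc01.corp.local"},
    {"client": "10.0.1.20", "account": "alice@CORP.LOCAL", "service": "cifs/ws-unknown77.corp.local"},
    {"client": "10.0.1.22", "account": "carol@CORP.LOCAL", "service": "http/ws-unknown77.corp.local"},
    {"client": "10.0.1.21", "account": "bob@CORP.LOCAL",   "service": "cifs/ws-unknown77.corp.local"},
]

# Assumed inventory of hosts that legitimately carry SPNs (e.g. exported from AD).
KNOWN_SPN_HOSTS = {"fs01.corp.local", "dc01.corp.local"}


def spn_host(spn):
    """Return the lower-cased host part of an SPN such as 'cifs/host.domain[:port]'."""
    m = re.match(r"^[^/]+/([^/:]+)", spn)
    return m.group(1).lower() if m else None


def spn_class(spn):
    """Return the service class of an SPN ('cifs', 'http', 'ldap', ...)."""
    return spn.split("/", 1)[0].lower()


def find_unknown_spn_requests(events, known_hosts):
    """Return every request whose SPN host is not in the inventory."""
    return [e for e in events if spn_host(e["service"]) not in known_hosts]


def find_fanin(events, known_hosts, min_clients=2):
    """Group unknown-host requests by host and report hosts that at least
    min_clients distinct clients asked tickets for, with the service classes seen."""
    clients, classes = defaultdict(set), defaultdict(set)
    for e in find_unknown_spn_requests(events, known_hosts):
        host = spn_host(e["service"])
        clients[host].add(e["client"])
        classes[host].add(spn_class(e["service"]))
    return {
        h: {"clients": sorted(c), "services": sorted(classes[h])}
        for h, c in clients.items() if len(c) >= min_clients
    }


if __name__ == "__main__":
    for host, info in find_fanin(SAMPLE_TGS_REQUESTS, KNOWN_SPN_HOSTS).items():
        print(f"ALERT unknown SPN host {host}: {info}")
```

The Windows 4769 event reports the service account rather than the full SPN, so the host comparison needs a source that records the requested SPN itself. A CNAME that points at an already inventoried host will not trip the inventory check and needs a DNS-side comparison instead.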

Conclusion

This research underscores a critical security reality: Kerberos, while robust, does not inherently prevent relay attacks. Effective protection requires explicit enforcement of anti-relay measures across all Kerberos-enabled services. Disabling NTLM alone is insufficient; organizations must adopt comprehensive strategies to eliminate relay risks effectively.