New PetitPotam Attack Allows Takeover of Windows Domains

PetitPotam Attack

26th July 2021, Kathmandu

PetitPotam, a new NTLM relay attack, has been disclosed; it allows attackers to take over a domain controller and, from there, an entire Windows domain.

Many companies use Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure (PKI) server, to authenticate users, services, and machines on a Windows domain.

Previously, researchers found a way to force a domain controller to authenticate against a malicious NTLM relay, which could then forward the request to the domain’s Active Directory Certificate Services over HTTP. Ultimately, the attacker would be granted a Kerberos ticket-granting ticket (TGT) that allows them to assume the identity of any device on the network, including a domain controller.

To force a machine to authenticate to an external server, an attacker could use the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API.
“Microsoft’s Print Spooler is a service handling print jobs and various other tasks related to printing. An attacker controlling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker’s choosing,” explains a blog post on The Hacker Recipes.

“This flaw is a ‘won’t fix’ and enabled by default in all Windows environments.”
If this attack is successful, the attacker can take control of the domain controller and run any command they want, effectively taking over the Windows domain.
Since this attack was disclosed, many organizations have disabled MS-RPRN to block the attack vector.

Introducing PetitPotam

French security researcher Gilles Lionel, aka Topotam, has revealed an alternative technique called ‘PetitPotam’ that performs the NTLM relay attack without relying on the MS-RPRN API; instead, it uses the EfsRpcOpenFileRaw function of the MS-EFSRPC API.

MS-EFSRPC, Microsoft’s Encrypting File System Remote Protocol, “is used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network.” Lionel has published a proof-of-concept script for the PetitPotam technique on GitHub, which can be used to force a domain controller to authenticate against an external NTLM relay under an attacker’s control using the MS-EFSRPC API.

Speaking with BleepingComputer about the new relay attack method, Lionel said he does not see this as a vulnerability but rather as the abuse of a legitimate function. He explained: “In my view, this is probably not a vulnerability but an abuse of a legitimate function, a function that is not supposed to use the machine account to authenticate, like in the printerbug for instance.”

In addition to the attack that relays SMB authentication to an HTTP certificate enrollment server, allowing a full takeover of the domain controller, Lionel said the technique can be used for other attacks.
These include an NTLMv1 downgrade and relaying the machine account to computers where that machine account is a local admin (SCCM and Exchange servers, for example).

The researcher says the only way to mitigate this technique is to disable NTLM authentication or to enable protections such as SMB signing, LDAP signing, and channel binding.
Unfortunately, there is no way to prevent EfsRpcOpenFileRaw from being used to relay authentication requests.
Lionel told BleepingComputer that even if the EFS service is stopped, the technique can still be exploited.
BleepingComputer has contacted Microsoft about this new attack but has not heard back at this time.

PetitPotam is ‘brutal’

Since the release of PetitPotam, security researchers have been quick to test the PoC and its effectiveness. “Finally finished testing it, it’s quite brutal! Web access to AD takeover… I truly underrated the effect of NTLM relay on PKI ESC8; the combination with PetitPotam is amazing!” tweeted security researcher Remi Escourrou.
“Actually, no way to block PetitPotam (to my current knowledge), but you can harden the HTTP service of the PKI to avoid the NTLM relay,” Escourrou told BleepingComputer in a conversation last night.
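The mitigations named above (SMB signing, LDAP signing, channel binding, NTLM restrictions) and Escourrou’s point about hardening the PKI’s HTTP service all come down to a handful of settings. The following read-only audit script is an added example, not code from the article or from the researchers; it assumes it is run elevated on the domain controller or AD CS host, and that the enrollment site lives at the IIS default path `Default Web Site/CertSrv` (the `$CertSrvPath` value is an assumption to adjust for your environment).

```powershell
# Added example (not from the article): read-only audit of NTLM-relay mitigations.
$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default AD CS web enrollment path
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Registry values behind each mitigation, with the hardened value expected.
# The NTDS values only exist on domain controllers; RestrictSendingNTLMTraffic=2 is the
# "disable NTLM" option and can break legacy clients, so treat WEAK there as a review item.
$checks = @(
    @{ Name = 'SMB server signing required';   Path = "$Svc\LanmanServer\Parameters";      Value = 'RequireSecuritySignature';   Expected = 1 }
    @{ Name = 'SMB client signing required';   Path = "$Svc\LanmanWorkstation\Parameters"; Value = 'RequireSecuritySignature';   Expected = 1 }
    @{ Name = 'LDAP server signing required';  Path = "$Svc\NTDS\Parameters";              Value = 'LDAPServerIntegrity';        Expected = 2 }
    @{ Name = 'LDAP channel binding enforced'; Path = "$Svc\NTDS\Parameters";              Value = 'LdapEnforceChannelBinding';  Expected = 2 }
    @{ Name = 'LM/NTLMv1 refused (level 5)';   Path = $Lsa;                                Value = 'LmCompatibilityLevel';       Expected = 5 }
    @{ Name = 'Outgoing NTLM denied';          Path = "$Lsa\MSV1_0";                       Value = 'RestrictSendingNTLMTraffic'; Expected = 2 }
)

function Test-RelayMitigations {
    foreach ($c in $checks) {
        # A missing value means the Windows default applies, which is the weak setting for all of these.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $state = if ($null -eq $actual) { 'NOT SET (Windows default)' }
                 elseif ([int]$actual -eq $c.Expected) { 'OK' }
                 else { "WEAK (value $actual)" }
        [pscustomobject]@{ Check = $c.Name; Expected = $c.Expected; State = $state }
    }

    # Hardening the PKI's HTTP service: Extended Protection on the CertSrv virtual directory ties the
    # NTLM handshake to the TLS channel, so a handshake relayed from another machine is rejected.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $ep = Get-WebConfigurationProperty -PSPath $CertSrvPath `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name 'tokenChecking' -ErrorAction SilentlyContinue
        $state = if ($null -eq $ep) { 'NOT FOUND (check $CertSrvPath)' }
                 elseif ("$ep" -eq 'Require') { 'OK' }
                 else { "WEAK ($ep)" }
        [pscustomobject]@{ Check = 'AD CS web enrollment Extended Protection'; Expected = 'Require'; State = $state }
    }
}

Test-RelayMitigations | Format-Table -AutoSize
```

Any row reporting WEAK or NOT SET is one of the relay paths the article describes still being open; the IIS row only appears on hosts with the WebAdministration module installed.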

