New PetitPotam Attack Allows Takeover of Windows Domains


26th July 2021, Kathmandu

PetitPotam, the latest NTLM relay attack, has been disclosed; it allows attackers to take over a domain controller and, from there, an entire Windows domain.

Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure (PKI) server role commonly used to authenticate users, services, and machines on a Windows domain, is deployed by many companies.

Previously, researchers found a way to force a domain controller to authenticate against a malicious NTLM relay, which could then forward the request to the domain's Active Directory Certificate Services via HTTP. Ultimately, the attacker would be granted a Kerberos ticket-granting ticket (TGT) that would allow them to assume the identity of any device on the network, including a domain controller.

To force a machine to authenticate to an external server, an attacker could use the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API.
“Microsoft's Print Spooler is a service handling print jobs and various other tasks related to printing. An attacker controlling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker's choosing,” a blog post on The Hacker Recipes explains.

“This flaw is treated as a ‘won't fix’ and is enabled by default in all Windows environments.”
If this attack is successful, the attacker can take over the domain controller and run any command they like, effectively taking over the Windows domain.
Since this attack was disclosed, many organizations have disabled MS-RPRN to block the attack vector.

Introducing PetitPotam

French security researcher Gilles Lionel, aka Topotam, revealed an alternative technique called ‘PetitPotam’ that performs an NTLM relay attack without relying on the MS-RPRN API; instead, it uses the EfsRpcOpenFileRaw function of the MS-EFSRPC API.

MS-EFSRPC, Microsoft's Encrypting File System Remote Protocol, is used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network. Lionel has published a proof-of-concept script for the PetitPotam technique on GitHub that forces a domain controller to authenticate against an external NTLM relay under an attacker's control using the MS-EFSRPC API.

Lionel told BleepingComputer about the new relay attack method and noted that he does not see this as a vulnerability but rather as the abuse of a legitimate function. He continued, “In my view, this is probably not a vulnerability but the abuse of a legitimate function, a function that is not supposed to use the machine account to authenticate, like in the printerbug for instance.”

Beyond relaying SMB authentication to an HTTP certificate enrollment server to take over the domain controller, Lionel said the technique can be used for other attacks.
These include an NTLMv1 downgrade and relaying the machine account to computers where that machine account is a local admin (SCCM or Exchange servers, for example).
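As an added example (not code from the article or from PetitPotam's author), the following PowerShell flags the logon pattern that both the relay chain described above and the NTLMv1 downgrade leave on the relay target: Security event 4624 records where a machine account logged on over NTLM from an address other than the host that owns that account, or where NTLMv1 was negotiated. The event records and the host inventory are constructed sample data; on a live system the same fields come from `Get-WinEvent` on the Security log.

```powershell
# Added example, not part of the original article. Field names follow the
# Windows Security 4624 event schema (TargetUserName, LogonType,
# AuthenticationPackageName, LmPackageName, IpAddress).

function Find-SuspiciousMachineNtlmLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Hypothetical inventory: machine account name -> address the host really uses
        [Parameter(Mandatory)] [hashtable] $KnownHostAddress
    )
    foreach ($e in $Events) {
        if ($e.EventId -ne 4624) { continue }
        if ($e.LogonType -ne 3) { continue }                      # network logon only
        if ($e.AuthenticationPackageName -ne 'NTLM') { continue }  # Kerberos logons are not relayable here
        $reasons = @()
        if ($e.LmPackageName -eq 'NTLM V1') {
            $reasons += 'NTLMv1 negotiated (possible downgrade)'
        }
        if ($e.TargetUserName.EndsWith('$')) {
            $expected = $KnownHostAddress[$e.TargetUserName]
            if ($expected -and $e.IpAddress -ne $expected) {
                $reasons += "machine account $($e.TargetUserName) authenticated from $($e.IpAddress), expected $expected (possible relay)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Computer = $e.Computer
                Account  = $e.TargetUserName
                Source   = $e.IpAddress
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample data: CA01 is the enrollment server, DC01 the domain controller.
$inventory = @{ 'DC01$' = '10.0.0.10'; 'CA01$' = '10.0.0.20' }
$sample = @(
    # DC01's account arriving over NTLM from an address that is not DC01: relay indicator
    [pscustomobject]@{ EventId=4624; Computer='CA01'; TargetUserName='DC01$'; LogonType=3; AuthenticationPackageName='NTLM'; LmPackageName='NTLM V2'; IpAddress='10.0.0.99' },
    # Same account from its own address: benign
    [pscustomobject]@{ EventId=4624; Computer='CA01'; TargetUserName='DC01$'; LogonType=3; AuthenticationPackageName='NTLM'; LmPackageName='NTLM V2'; IpAddress='10.0.0.10' },
    # User logon that negotiated NTLMv1: downgrade indicator
    [pscustomobject]@{ EventId=4624; Computer='CA01'; TargetUserName='jsmith'; LogonType=3; AuthenticationPackageName='NTLM'; LmPackageName='NTLM V1'; IpAddress='10.0.0.55' },
    # Kerberos logon: ignored
    [pscustomobject]@{ EventId=4624; Computer='CA01'; TargetUserName='DC01$'; LogonType=3; AuthenticationPackageName='Kerberos'; LmPackageName='-'; IpAddress='10.0.0.10' }
)

Find-SuspiciousMachineNtlmLogon -Events $sample -KnownHostAddress $inventory | Format-Table -AutoSize
```

The first and third sample records are reported; the second and fourth are not. The inventory lookup is the important part: a machine account authenticating over NTLM is normal, but a domain controller's account authenticating to the CA from an address the DC does not own is the signature of a coerced authentication being relayed.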

The researcher says the only way to mitigate this technique is to disable NTLM authentication or to enable protections such as SMB signing, LDAP signing, and channel binding.
Regrettably, there is no way to stop EfsRpcOpenFileRaw from being used to relay authentication requests.
Lionel told us that even if the EFS service is stopped, the technique can still be exploited.
BleepingComputer has contacted Microsoft about this new attack but has not heard back at this time.

PetitPotam is ‘brutal’

Since the release of PetitPotam, security researchers have been quick to test the PoC and its effectiveness. “Finally finished testing it, it's quite brutal! Web access to AD takeover... I truly underrated the effect of NTLM relay on PKI ESC8; the combination with PetitPotam is amazing!” tweeted security researcher Remi Escourrou.
“Actually, there is no way to block PetitPotam (to my current knowledge), but you can harden the HTTP service of the PKI to prevent the NTLM relay,” Escourrou told BleepingComputer in a conversation last night.
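The mitigations Lionel lists (disable NTLM, SMB signing, LDAP signing, channel binding) and Escourrou's advice to harden the PKI's HTTP service are all settings an administrator can audit. The following read-only PowerShell audit is an added example, not code from the article or from either researcher: the registry locations are the documented Windows ones, while the IIS site path `IIS:\Sites\Default Web Site\CertSrv` is an assumption for a default AD CS Web Enrollment install and should be adjusted to the real site.

```powershell
# Added example, not part of the original article. Reads the relay-relevant
# settings and reports which ones are not at the hardened value; it changes nothing.

function Get-RegistryDword {
    param([string] $Path, [string] $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-IisSetting {
    param([string] $PSPath, [string] $Filter, [string] $Name)
    try {
        $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction Stop
        if ($null -ne $v.Value) { $v = $v.Value }   # unwrap ConfigurationAttribute objects
        [string] $v
    } catch { $null }
}

function Test-NtlmRelayHardening {
    param([string] $CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv')  # assumed site path

    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $checks = @(
        @{ Check = 'SMB server signing required (RequireSecuritySignature=1)'
           Actual = Get-RegistryDword $lanman 'RequireSecuritySignature'; Pass = { param($v) $v -eq 1 } },
        @{ Check = 'LDAP server signing required (LDAPServerIntegrity=2)'
           Actual = Get-RegistryDword $ntds 'LDAPServerIntegrity'; Pass = { param($v) $v -eq 2 } },
        @{ Check = 'LDAP channel binding always enforced (LdapEnforceChannelBinding=2)'
           Actual = Get-RegistryDword $ntds 'LdapEnforceChannelBinding'; Pass = { param($v) $v -eq 2 } },
        @{ Check = 'NTLMv2 only, LM/NTLMv1 refused (LmCompatibilityLevel=5)'
           Actual = Get-RegistryDword $lsa 'LmCompatibilityLevel'; Pass = { param($v) $v -eq 5 } },
        @{ Check = 'Incoming NTLM denied for all accounts (RestrictReceivingNTLMTraffic=2)'
           Actual = Get-RegistryDword "$lsa\MSV1_0" 'RestrictReceivingNTLMTraffic'; Pass = { param($v) $v -eq 2 } }
    )

    # The two IIS settings that harden the enrollment endpoint against relayed NTLM:
    # Extended Protection (channel binding for HTTP) and HTTPS-only access.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $epa = Get-IisSetting $CertSrvPath 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
        $ssl = Get-IisSetting $CertSrvPath 'system.webServer/security/access' 'sslFlags'
        $checks += @{ Check = 'CertSrv Extended Protection required (tokenChecking=Require)'
                      Actual = $epa; Pass = { param($v) $v -eq 'Require' } }
        $checks += @{ Check = 'CertSrv requires SSL (sslFlags contains Ssl)'
                      Actual = $ssl; Pass = { param($v) $v -match 'Ssl' } }
    } else {
        Write-Warning 'WebAdministration module not present; skipping IIS (CertSrv) checks.'
    }

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check  = $c.Check
            Actual = if ($null -eq $c.Actual) { '(not set)' } else { $c.Actual }
            Status = if (& $c.Pass $c.Actual) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-NtlmRelayHardening | Format-Table -AutoSize
```

Run it on the domain controllers (registry checks) and on the CA host that serves web enrollment (IIS checks). A `REVIEW` line for the NTLM-restriction or LmCompatibilityLevel checks does not by itself mean the setting is wrong for that environment, since disabling NTLM outright breaks legacy clients; it means the relay path the article describes is still open and needs one of the other controls in place.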

