New PetitPotam Attack Allows Takeover of Windows Domains


26th July 2021, Kathmandu

PetitPotam, the latest NTLM relay attack, has been discovered. It allows attackers to take over a domain controller and, with it, an entire Windows domain.

Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure (PKI) server role used to authenticate users, services, and machines on a Windows domain, is deployed by many companies.

Earlier, researchers found a way to coerce a domain controller into authenticating against a malicious NTLM relay, which could then forward the request to the domain’s Active Directory Certificate Services over HTTP. Ultimately, the attacker would be granted a Kerberos ticket-granting ticket (TGT) that allows them to assume the identity of any device on the network, including a domain controller.

To force the machine to authenticate to an external server, an attacker could use the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API.
“Microsoft’s Print Spooler is a service handling print jobs and other various tasks related to printing. An attacker controlling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker’s choosing,” a blog post on The Hacker Recipes explains.

“This flaw is considered a ‘won’t fix’ and is enabled by default in all Windows environments.”
If this attack is successful, the attacker could take control of the domain controller and run any command they want, effectively taking over the Windows domain.
Since this attack was disclosed, many organizations have disabled MS-RPRN to block the attack vector.
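The relay described above ends with the domain controller’s machine account authenticating, over NTLM, to the AD CS web enrollment server from the attacker’s host rather than from the DC itself. That is visible in the Security log of the AD CS server. The following PowerShell is an added example written for this article, not code from the article, from BleepingComputer, or from the PetitPotam project: it flags Security event 4624 network logons (logon type 3) where a domain controller machine account authenticated via NTLM from an address other than that DC’s own. The DC-to-address map and the sample events are constructed for the example; the `Get-NetworkLogonEvents` helper is this script’s own and converts live 4624 events to the same shape.

```powershell
# Added example, not from the article or from the PetitPotam project.
# Flags NTLM network logons (Security event 4624, logon type 3) by a domain
# controller's machine account that arrive from an address other than that DC's own.
# A coerced DC account relayed to the AD CS web enrollment server looks exactly
# like this on the AD CS host. The DC map and the sample events below are constructed.

# Assumption: your DC machine accounts and their addresses (replace with real values).
$DomainControllers = @{ 'DC01$' = '10.0.0.10'; 'DC02$' = '10.0.0.11' }

# Constructed sample records carrying only the 4624 fields this check needs.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC01$'; LogonType = 3; AuthenticationPackageName = 'NTLM';     IpAddress = '10.0.0.10'; Computer = 'PKI01' },
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC01$'; LogonType = 3; AuthenticationPackageName = 'NTLM';     IpAddress = '10.0.0.77'; Computer = 'PKI01' },
    [pscustomobject]@{ Id = 4624; TargetUserName = 'alice';  LogonType = 3; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.0.0.55'; Computer = 'PKI01' },
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC02$'; LogonType = 3; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.0.0.99'; Computer = 'PKI01' }
)

function Find-RelayedMachineAccountLogon {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [hashtable] $DcAddresses
    )
    foreach ($e in $Events) {
        # Only network logons that completed over NTLM can be the product of a relay.
        if ($e.Id -ne 4624 -or [int]$e.LogonType -ne 3) { continue }
        if ($e.AuthenticationPackageName -ne 'NTLM') { continue }
        # Only domain controller machine accounts are of interest here.
        if (-not $DcAddresses.ContainsKey($e.TargetUserName)) { continue }
        # A DC authenticating from somewhere other than its own address is the indicator.
        if ($DcAddresses[$e.TargetUserName] -ne $e.IpAddress) {
            [pscustomobject]@{
                Account        = $e.TargetUserName
                ExpectedSource = $DcAddresses[$e.TargetUserName]
                ActualSource   = $e.IpAddress
                LogonTarget    = $e.Computer
                Reason         = 'DC machine account authenticated via NTLM from an unexpected address'
            }
        }
    }
}

# Helper (this script's own): reads live 4624 events on the AD CS web server and
# reshapes them into the same fields as the constructed sample above.
function Get-NetworkLogonEvents {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Id                        = $_.Id
                TargetUserName            = $data['TargetUserName']
                LogonType                 = $data['LogonType']
                AuthenticationPackageName = $data['AuthenticationPackageName']
                IpAddress                 = $data['IpAddress']
                Computer                  = $_.MachineName
            }
        }
}

# Run the check over the constructed sample.
Find-RelayedMachineAccountLogon -Events $SampleEvents -DcAddresses $DomainControllers | Format-Table -AutoSize

# Against live data on the AD CS web server:
# Find-RelayedMachineAccountLogon -Events (Get-NetworkLogonEvents) -DcAddresses $DomainControllers
```

The check is deliberately narrow: Kerberos logons and NTLM logons from a DC’s real address are ignored, so it reports the relay pattern rather than every machine-account authentication. On a network with NAT or proxies between the DCs and the PKI server the expected-address map must reflect the address the PKI server actually sees, otherwise the check will fire on normal traffic.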

Introducing PetitPotam

French security researcher Gilles Lionel, aka Topotam, revealed a new technique called ‘PetitPotam’ that performs an NTLM relay attack without relying on the MS-RPRN API, instead using the EfsRpcOpenFileRaw function of the MS-EFSRPC API.

MS-EFSRPC, Microsoft’s Encrypting File System Remote Protocol, is “used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network.” Lionel has published a proof-of-concept script for the PetitPotam technique on GitHub, which can be used to force a domain controller to authenticate against a remote NTLM relay under an attacker’s control using the MS-EFSRPC API.

Speaking with BleepingComputer about the new relay attack method, Lionel noted that he doesn’t see this as a vulnerability but rather the abuse of a legitimate function. He continued, “In my view, this is probably not a vulnerability but an abuse of a legitimate function. A function that is not bound to use the machine account to authenticate, like in the printerbug for instance.”

In addition to relaying SMB authentication to an HTTP certificate enrollment server, which allows the full takeover of the domain controller, Lionel said the technique could be used for other attacks.
These additional attacks include an NTLMv1 downgrade and relaying the machine account to computers where that machine account is a local admin (SCCM and Exchange servers, for example).

The researcher says the only way to mitigate this technique is to disable NTLM authentication or to enable protections such as SMB signing, LDAP signing, and channel binding.
Unfortunately, there is no way to stop EfsRpcOpenFileRaw from being used to relay authentication requests.
Lionel told BleepingComputer that even if the EFS service is stopped, that does not prevent the technique from being exploited.
BleepingComputer has contacted Microsoft about this new attack but has not heard back at this time.

PetitPotam is ‘brutal’

Since the release of PetitPotam, security researchers have been quick to test the PoC and its effectiveness. “Finally finished testing it, it’s quite brutal! Web access to AD takeover… I truly underrated the effect of NTLM relay on PKI ESC8, the combination with PetitPotam is amazing!” tweeted security researcher Remi Escourrou.
“Actually, no way to block PetitPotam (to my current knowledge) but you can harden the HTTP service of the PKI to avoid the NTLM relay,” Escourrou told BleepingComputer in a conversation last night.
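The mitigations named earlier (SMB signing, LDAP signing, LDAP channel binding) and the PKI web-service hardening Escourrou refers to are all ordinary Windows settings. The PowerShell below is an added example written for this article, not a script from the article, from BleepingComputer, from Microsoft, or from the PetitPotam project. It audits each setting and, with the script’s own `-Apply` switch, enforces it. The registry values (`LDAPServerIntegrity`, `LdapEnforceChannelBinding`), the `Set-SmbServerConfiguration` cmdlet and the IIS `extendedProtection.tokenChecking` and `sslFlags` properties are the documented Windows ones; the assumption that web enrollment lives at `Default Web Site/CertSrv` is the example’s own. The SMB and LDAP parts are meant for domain controllers, the IIS part for the AD CS web enrollment server.

```powershell
# Added example, not from the article or from the PetitPotam project.
# Audits, and with -Apply enforces, the relay protections the article lists:
#   - SMB signing required (domain controllers)
#   - LDAP signing required and LDAP channel binding always enforced (domain controllers)
#   - Extended Protection for Authentication (EPA) and TLS on the AD CS web enrollment site
# The site location and the -Apply switch are this script's own assumptions.
[CmdletBinding()]
param([switch] $Apply)

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$certSrv = 'Default Web Site/CertSrv'      # assumption: default AD CS web enrollment location
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$access  = 'system.webServer/security/access'
$appHost = 'MACHINE/WEBROOT/APPHOST'

function Report {
    param([string] $Setting, $Current, [bool] $Ok, [string] $Required)
    [pscustomobject]@{ Setting = $Setting; Current = "$Current"; Required = $Required; State = $(if ($Ok) { 'OK' } else { 'WEAK' }) }
}

function Get-RegDword {
    param([string] $Path, [string] $Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# IIS property cmdlets return either a plain value or a configuration object with .Value.
function Get-IisValue {
    param([string] $Location, [string] $Filter, [string] $Name)
    $v = Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# 1. SMB signing: the server must require signed sessions, not merely offer them.
$smb = Get-SmbServerConfiguration
Report 'SMB RequireSecuritySignature' $smb.RequireSecuritySignature ($smb.RequireSecuritySignature -eq $true) 'True'
if ($Apply -and -not $smb.RequireSecuritySignature) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# 2. LDAP signing on the DC: LDAPServerIntegrity 2 = signing required (1 = none).
$ldapSign = Get-RegDword $ntdsKey 'LDAPServerIntegrity'
Report 'LDAPServerIntegrity' $ldapSign ($ldapSign -eq 2) '2'
if ($Apply -and $ldapSign -ne 2) {
    Set-ItemProperty -Path $ntdsKey -Name LDAPServerIntegrity -Value 2 -Type DWord
}

# 3. LDAP channel binding: LdapEnforceChannelBinding 2 = always (0 = never, 1 = when supported).
$cbt = Get-RegDword $ntdsKey 'LdapEnforceChannelBinding'
Report 'LdapEnforceChannelBinding' $cbt ($cbt -eq 2) '2'
if ($Apply -and $cbt -ne 2) {
    Set-ItemProperty -Path $ntdsKey -Name LdapEnforceChannelBinding -Value 2 -Type DWord
}

# 4. AD CS web enrollment: require EPA on Windows authentication and require TLS, so a
#    relayed NTLM exchange fails the channel binding check instead of enrolling a certificate.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-IisValue $certSrv $winAuth 'extendedProtection.tokenChecking'
    Report 'CertSrv EPA tokenChecking' $epa ("$epa" -eq 'Require') 'Require'
    $ssl = Get-IisValue $certSrv $access 'sslFlags'
    Report 'CertSrv sslFlags' $ssl ("$ssl" -match 'Ssl') 'Ssl'
    if ($Apply) {
        Set-WebConfigurationProperty -PSPath $appHost -Location $certSrv -Filter $winAuth -Name 'extendedProtection.tokenChecking' -Value 'Require'
        Set-WebConfigurationProperty -PSPath $appHost -Location $certSrv -Filter $access  -Name 'sslFlags' -Value 'Ssl'
    }
}
```

Run it once without `-Apply` to see which settings report WEAK, then with `-Apply` from an elevated prompt. The LDAP registry values take effect for new connections only after the NTDS service is restarted (or the DC rebooted), and requiring LDAP signing and channel binding will break clients that still bind with plain simple binds, so check the DC’s LDAP interface events for such clients before enforcing. Disabling NTLM entirely, the other option the researcher names, is a domain-wide policy decision (the “Network security: Restrict NTLM” policies) rather than a per-server setting, and is left out of this script.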
