PetitPotam Attack

26th July 2021, Kathmandu

PetitPotam, a newly disclosed NTLM relay attack, allows attackers to take over a domain controller and, from there, an entire Windows domain.

Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure (PKI) server used to authenticate users, services, and machines on a Windows domain, is deployed by many companies.

Previously, researchers found a way to force a domain controller to authenticate against a malicious NTLM relay, which then forwards the request to the domain's Active Directory Certificate Services over HTTP. Ultimately, the attacker would be granted a Kerberos ticket-granting ticket (TGT) that lets them assume the identity of any device on the network, including a domain controller.

To force a machine to authenticate to a remote server, an attacker could use the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API.
“Microsoft’s Print Spooler is a service handling the print jobs and other numerous tasks connected with printing. An attacker controlling a domain user/computer can, with a selected RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker’s choosing,” a blog post on Hacker Recipes explains.

“This flaw could even be a ‘won’t fix’ and is allowed by default in all Windows environments.”
If this attack succeeds, the attacker can take over the domain controller and run any command they want, effectively taking over the Windows domain.
Since this attack was disclosed, many organizations have disabled MS-RPRN to block the attack vector.

Introducing PetitPotam

French security researcher Gilles Lionel, aka Topotam, has revealed an alternative technique called ‘PetitPotam’ that performs the NTLM relay attack without relying on the MS-RPRN API, using instead the EfsRpcOpenFileRaw function of the MS-EFSRPC API.

MS-EFSRPC, Microsoft’s Encrypting File System Remote Protocol, is used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network. Lionel has published a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against an external NTLM relay under the attacker’s control using the MS-EFSRPC API.

Speaking with BleepingComputer about the new relay attack method, Lionel said that he does not see this as a vulnerability but rather as the abuse of a legitimate function. He continued: “In my view, this is probably not a vulnerability but a violation of a legitimate function, a function that is not bound to use the machine account to authenticate, like within the printerbug for instance.”

In addition to relaying SMB authentication to an HTTP certificate enrollment server, which allows full takeover of the domain controller, Lionel said the technique can be used for other attacks.
These include an NTLMv1 downgrade and relaying the machine account to computers on which that machine account is a local administrator (SCCM and Exchange servers, for example).

The researcher says the only way to mitigate this technique is to disable NTLM authentication or to enable protections such as SMB signing, LDAP signing, and channel binding.
Regrettably, there is no way to stop EfsRpcOpenFileRaw from being used to relay authentication requests.
Lionel also said that even if the EFS service is stopped, the technique can still be exploited.
BleepingComputer has contacted Microsoft about this new attack but has not heard back at this time.

PetitPotam is ‘brutal’

Since the release of PetitPotam, security researchers have been quick to test the PoC and its effectiveness. “Finally finished testing it, it’s quite brutal! Web access to AD takeover… I truly underrated the effect of NTLM relay on PKI ESC8, the group with PetitPotam is amazing!” tweeted security researcher Remi Escourrou.
“Actually, no way to block PetitPotam (to my current knowledge) but you can harden the HTTP service of the PKI to avoid the NTLM relay,” Escourrou told BleepingComputer in a conversation last night.
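As an added illustration (not code from the article or from the researchers it quotes), the following detection logic runs over constructed sample logon records from the AD CS web enrollment host and flags the two signatures described above: a machine account authenticating with NTLM from an address that is not its own (the relayed domain controller authentication), and an NTLMv1 logon (the downgrade case). Field names follow Windows Security event 4624; the sample events and the table of known machine addresses are assumptions.

```python
# Constructed sample records shaped like Windows Security event 4624 (successful logon)
# as a log forwarder might export them from the AD CS web enrollment host. Not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "DC01$", "IpAddress": "10.0.0.10"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "DC01$", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "DC01$", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "alice", "IpAddress": "10.0.0.55"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "DC01$", "IpAddress": "10.0.0.77"},
]

# Assumed inventory: the addresses each machine account is expected to authenticate from.
KNOWN_MACHINE_ADDRESSES = {"DC01$": {"10.0.0.10"}}


def classify_event(event, known_addresses=KNOWN_MACHINE_ADDRESSES):
    """Return a reason string if the logon matches a relay signature, else None."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None  # only successful network logons matter here
    if event.get("AuthenticationPackageName") != "NTLM":
        return None  # Kerberos logons are not what an NTLM relay produces
    user = event.get("TargetUserName", "")
    src = event.get("IpAddress", "")
    if event.get("LmPackageName") == "NTLM V1":
        return f"NTLMv1 logon for {user} from {src}"
    if user.endswith("$") and src not in known_addresses.get(user, set()):
        # A machine account's NTLM logon arriving from a host that is not that machine
        # is the signature of coerced authentication relayed through an attacker's box.
        return f"machine account {user} authenticated with NTLM from unexpected address {src}"
    return None


def find_relay_signatures(events, known_addresses=KNOWN_MACHINE_ADDRESSES):
    """Return (account, source address, reason) for every matching event."""
    findings = []
    for ev in events:
        reason = classify_event(ev, known_addresses)
        if reason:
            findings.append((ev["TargetUserName"], ev["IpAddress"], reason))
    return findings


if __name__ == "__main__":
    for user, src, reason in find_relay_signatures(SAMPLE_EVENTS):
        print(f"ALERT {user} {src}: {reason}")
```

On a real AD CS host the same rule applies to the IIS logs of the CertSrv site, where the relayed request shows up as the domain controller's account authenticating over HTTP.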

Mina Aryal is a Nepali tech journalist and media expert and the chief editor of ICT Frame.
