A new NTLM relay attack known as PetitPotam has been disclosed that permits threat actors to take over a domain controller, and with it an entire Windows domain. Many companies use Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure (PKI) server that can be used to authenticate users, services, and machines on a Windows domain.
Earlier, researchers disclosed a way to force a domain controller to authenticate against a malicious NTLM relay, which would then forward the request to the domain's Active Directory Certificate Services web enrollment endpoint over HTTP. In return, the attacker is issued an authentication certificate for the relayed account, which can be exchanged for a Kerberos ticket-granting ticket (TGT), letting them assume the identity of any device on that network, including a domain controller.
To force the system to authenticate to a remote server, an attacker could use the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API. “Microsoft's Print Spooler is one of the services handling print jobs and other tasks related to printing. A threat actor controlling a domain user / computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the threat actor's choice.”
“This bug is a ‘won't fix’ and enabled by default on all Windows environments.” If this attack is successful, the attacker can take over the domain controller and execute any command they want, effectively taking over the Windows domain.
Since the attack was disclosed, many organizations have disabled MS-RPRN to block this attack vector.
What is PetitPotam?
This week, French security researcher Gilles Lionel, aka Topotam, revealed a new technique known as “PetitPotam” that performs an NTLM relay attack without relying on the MS-RPRN API, instead using the EfsRpcOpenFileRaw function of the MS-EFSRPC API. MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol, which is used to perform “maintenance and management operations on encrypted data that is stored remotely and accessed over a network.”
Lionel has released a proof-of-concept (PoC) script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against a remote NTLM relay under an attacker's control via the MS-EFSRPC API.
In a conversation with our experts about the new relay attack, Lionel stated that he does not see this as a vulnerability but rather as the abuse of a legitimate function. In addition to relaying SMB authentication to an HTTP certificate enrollment server, which permits full takeover of the domain controller, Lionel said the technique could be useful for other attacks.
These additional attacks include an “NTLMv1 downgrade and relaying the machine account on computers where this machine account is local admin (SCCM, Exchange server are sometimes in this situation, for example).” The researcher says the only way to prevent this technique is to disable NTLM authentication or enable protections such as SMB signing, LDAP signing, and channel binding. Security researcher and Mimikatz creator Benjamin Delpy, who tested the PetitPotam attack, also suggested some mitigations:
“So, to ‘Fix’, some of the options:
- Remove Web Enroll (you don't need it – use RPC)
- Disable or Remove Nego/NTLM, use Kerberos!
- Try Extended Protection for Authentication with SSL (because yes, the PKI WebServer does not have a certificate by default….)” – Benjamin Delpy
Unfortunately, no way has been found to prevent EfsRpcOpenFileRaw from being used to relay authentication requests. Lionel told us that blocking the EFS service does not prevent the technique from being exploited. Microsoft has published an advisory on PetitPotam and how to mitigate NTLM relay attacks.
Is PetitPotam Brutal?
Since the release of PetitPotam, security researchers have been quick to test the proof-of-concept and its effectiveness. After testing, they found that it is indeed quite brutal: “Network access to complete AD takeover… I underestimated the impact of the NTLM relay on PKI ESC8; the combination with PetitPotam is amazing!” tweeted one security researcher.
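To see why the mitigations listed above work when the coercion itself cannot be switched off, here is an added example (not part of the article, of Lionel's PoC, or of Microsoft's guidance) that models an NTLM relay in Python. It is a deliberately simplified NTLMv2-style exchange: MD5 stands in for MD4 in the NT hash, the channel-binding value is a bare hash of the peer's TLS certificate rather than a gss_channel_bindings_struct, the client blob has a fixed toy layout, and the account name, password and certificate bytes are constructed. It shows three outcomes: an unprotected server accepts the relayed machine account; with channel binding (Extended Protection for Authentication) the coerced client binds its response to the attacker's TLS channel, so the real server rejects it; with signing the relayed authentication succeeds but the attacker, who never learns the session key, cannot issue a signed command. The HTTP enrollment interface has no NTLM message signing, which is why EPA over TLS, or removing web enrollment, is the relevant fix there.

```python
"""Toy NTLM relay: why channel binding (EPA) and signing stop it. Added example."""
import hashlib
import hmac
import os


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # Toy NTOWFv2. Real NTLM uses MD4 of the UTF-16LE password; MD5 stands in
    # so this runs on OpenSSL 3 builds where MD4 is disabled.
    nt_hash = hashlib.md5(password.encode("utf-16le")).digest()
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16le"))


def channel_binding(tls_cert: bytes) -> bytes:
    # Toy stand-in for the hashed gss_channel_bindings_struct used by EPA.
    return hashlib.md5(tls_cert).digest()


NO_BINDING = b"\x00" * 16  # what a client sends when it does not do EPA


class Server:
    """Target service, e.g. the AD CS web enrollment endpoint."""

    def __init__(self, users, tls_cert, require_epa=False, require_signing=False):
        self.users = users  # {(user, domain): NTOWFv2 key}
        self.tls_cert = tls_cert
        self.require_epa = require_epa
        self.require_signing = require_signing

    def challenge(self) -> bytes:
        return os.urandom(8)

    def authenticate(self, user, domain, server_challenge, blob, nt_proof):
        """Return a session key on success, None on rejection."""
        key = self.users.get((user, domain))
        if key is None or not hmac.compare_digest(hmac_md5(key, server_challenge + blob), nt_proof):
            return None
        # Toy blob layout: 8-byte client nonce followed by a 16-byte binding.
        if self.require_epa and not hmac.compare_digest(blob[8:24], channel_binding(self.tls_cert)):
            return None
        return hmac_md5(key, nt_proof)

    def execute(self, session_key, command, signature=None) -> bool:
        if self.require_signing:
            if signature is None or not hmac.compare_digest(hmac_md5(session_key, command), signature):
                return False
        return True


class Client:
    """The coerced machine account, e.g. DC$ answering an EfsRpcOpenFileRaw call."""

    def __init__(self, user, domain, password, use_epa=False):
        self.user, self.domain = user, domain
        self.key = ntowf_v2(password, user, domain)
        self.use_epa = use_epa

    def respond(self, server_challenge, peer_tls_cert):
        binding = channel_binding(peer_tls_cert) if self.use_epa else NO_BINDING
        blob = os.urandom(8) + binding
        nt_proof = hmac_md5(self.key, server_challenge + blob)
        return blob, nt_proof, hmac_md5(self.key, nt_proof)  # blob, proof, session key


def relay(client, server, attacker_tls_cert, command=b"enroll certificate"):
    """Attacker sits between the coerced client and the server and forwards the exchange."""
    chal = server.challenge()  # obtained from the server, forwarded to the client
    blob, nt_proof, _ = client.respond(chal, attacker_tls_cert)  # client sees the attacker's channel
    session_key = server.authenticate(client.user, client.domain, chal, blob, nt_proof)
    if session_key is None:
        return "rejected: channel binding mismatch"
    # The session key derives from the victim's secret, which the attacker never
    # sees, so the attacker can only send the command unsigned.
    if server.execute(session_key, command):
        return "attacker executed command as " + client.user
    return "rejected: command not signed"


def direct(client, server, command=b"enroll certificate"):
    """Legitimate client talking straight to the server; EPA and signing must still work."""
    chal = server.challenge()
    blob, nt_proof, session_key = client.respond(chal, server.tls_cert)
    if server.authenticate(client.user, client.domain, chal, blob, nt_proof) is None:
        return "rejected"
    return "ok" if server.execute(session_key, command, hmac_md5(session_key, command)) else "rejected"


# Constructed sample data (not real accounts or certificates).
VICTIM = ("DC01$", "CORP")
PASSWORD = "machine-account-secret"
SERVER_CERT, ATTACKER_CERT = b"cert-of-ca.corp.local", b"cert-of-attacker"
USERS = {VICTIM: ntowf_v2(PASSWORD, *VICTIM)}


def scenario_unprotected():
    return relay(Client(*VICTIM, PASSWORD), Server(USERS, SERVER_CERT), ATTACKER_CERT)


def scenario_epa():
    return relay(Client(*VICTIM, PASSWORD, use_epa=True), Server(USERS, SERVER_CERT, require_epa=True), ATTACKER_CERT)


def scenario_signing():
    return relay(Client(*VICTIM, PASSWORD), Server(USERS, SERVER_CERT, require_signing=True), ATTACKER_CERT)


def scenario_epa_direct():
    srv = Server(USERS, SERVER_CERT, require_epa=True, require_signing=True)
    return direct(Client(*VICTIM, PASSWORD, use_epa=True), srv)


if __name__ == "__main__":
    for s in (scenario_unprotected, scenario_epa, scenario_signing, scenario_epa_direct):
        print(f"{s.__name__}: {s()}")
```

Run it with python3 and the four scenarios print in order: the unprotected relay succeeds as DC01$, the EPA and signing variants are rejected, and the direct EPA client still authenticates. The last case matters in practice: the fix only holds if the enrollment server has a TLS certificate and the client binds to it, which is Delpy's point about the PKI web server having no certificate by default.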