A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller, and thus an entire Windows domain.
Many organizations utilize Microsoft Active Directory Certificate Services, which is a public key infrastructure (PKI) server that can be used to authenticate users, services, and machines on a Windows domain.
In the past, researchers discovered a method to force a domain controller to authenticate against a malicious NTLM relay that would then forward the request to a domain's Active Directory Certificate Services via HTTP.
Ultimately, the attacker would be granted a Kerberos ticket granting ticket (TGT) that would allow them to assume the identity of any device on the network, including a domain controller.
To force the machine to perform the authentication to a remote server, an attacker could use the RpcRemoteFindFirstPrinterChangeNotification function of MS-RPRN printing API.
"Microsoft’s Print Spooler is a service handling the print jobs and other various tasks related to printing. An attacker controlling a domain user/computer can, with a specific RPC call, trigger the spooler service of a target running it and make it authenticate to a target of the attacker's choosing," a blog post on Hacker.recipes explains.
"This flaw is a "won't fix" and enabled by default on all Windows environments."
If this attack is successful, the attacker could take over the domain controller and perform any command they wish, effectively taking over the Windows domain.
Since this attack was disclosed, many organizations have disabled MS-RPRN to block the attack vector.
Introducing PetitPotam
This week, French security researcher Gilles Lionel, aka Topotam, disclosed a new technique called 'PetitPotam' that performs an NTLM relay attack that does not rely on the MS-RPRN API but instead uses the EfsRpcOpenFileRaw function of the MS-EFSRPC API.
MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol that is used to perform "maintenance and management operations on encrypted data that is stored remotely and accessed over a network."
"Hi all,
MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins on most orgz.
Here is another way we use to elicit machine account auth via MS-EFSRPC. Enjoy!! :) https://t.co/AGiS4f6yt8"
— topotam (@topotam77) July 18, 2021
Lionel has released a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against a remote NTLM relay under an attacker's control using the MS-EFSRPC API.
In a conversation with BleepingComputer about the new relay attack method, Lionel stated that he does not see this as a vulnerability but rather the abuse of a legitimate function.
"In my eyes, this is not a vulnerability but an abuse of a legitimate function. Function that shouldn't use the machine account to authenticate like in the printerbug for example," Lionel shared with BleepingComputer.
In addition to the attack relaying SMB authentication to an HTTP certificate enrollment server, allowing full takeover of the domain controller, Lionel said it could be used for other attacks.
These additional attacks include "NTLMv1 downgrade and relaying machine account on computers where this machine account is local admin (SCCM, exchange server, are often in this situation for example)."
The researcher says the only way to mitigate this technique is to disable NTLM authentication or enable protections, such as SMB signing, LDAP signing, and channel binding.
Security researcher and Mimikatz creator Benjamin Delpy, who tested the PetitPotam attack, also suggested the following mitigations:
"So, to "fix", some options:
- Remove Web Enroll (you really don't need it - use RPC)
- Remove or Disable Nego/NTLM, use Kerberos !
- Try Extended Protection for Authentication with SSL (because yes, the PKI WebServer does not have a certificate by default...)" - Benjamin Delpy
Unfortunately, no way has been found to disable the EfsRpcOpenFileRaw from being used to relay authentication requests.
Lionel told us that stopping the EFS service does not prevent the technique from being exploited.
Microsoft has shared an advisory on PetitPotam and how to mitigate NTLM relay attacks.
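The relay chain described above leaves a recognisable trace on the AD CS host: a domain controller's machine account authenticates over NTLM (not Kerberos) from an address that is not the DC itself, and the CA then issues that account a certificate moments later. The following detection logic is an added example, not code from the article or from any of the tools it mentions; the event records are constructed samples shaped like Windows Security events 4624 (logon) and 4887 (certificate issued), and the machine-account-to-address inventory is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in the shape of Windows Security
# events on the AD CS host: 4624 = account logon, 4887 = certificate issued.
SAMPLE_EVENTS = [
    {"time": "2021-07-23T10:00:00", "id": 4624, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "Kerberos", "LogonType": "3", "IpAddress": "10.0.0.5"},
    {"time": "2021-07-23T10:02:10", "id": 4624, "TargetUserName": "DC01$",
     "AuthenticationPackageName": "NTLM", "LogonType": "3", "IpAddress": "10.0.0.77"},
    {"time": "2021-07-23T10:02:12", "id": 4887, "Requester": "CORP\\DC01$",
     "Attributes": "CertificateTemplate:DomainController"},
    {"time": "2021-07-23T10:30:00", "id": 4887, "Requester": "CORP\\alice",
     "Attributes": "CertificateTemplate:User"},
]

# Assumed inventory: the address each machine account is expected to log on from.
KNOWN_HOSTS = {"DC01$": "10.0.0.5"}


def find_relay_candidates(events, known_hosts, window=timedelta(minutes=5)):
    """Flag NTLM network logons of a machine account that arrive from an address
    other than the account's own host, and raise severity when the CA issues that
    account a certificate within `window` (the coerced-auth -> relay -> enrollment
    sequence). An account missing from the inventory is still flagged."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort correctly
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 4624 or ev["AuthenticationPackageName"] != "NTLM":
            continue
        if ev["LogonType"] != "3" or not ev["TargetUserName"].endswith("$"):
            continue
        account = ev["TargetUserName"]
        expected = known_hosts.get(account)
        if expected == ev["IpAddress"]:
            continue  # the machine authenticated from itself: not a relay
        t0 = datetime.fromisoformat(ev["time"])
        issued = None
        for later in events[i + 1:]:  # look for a certificate issued to the same account
            if datetime.fromisoformat(later["time"]) - t0 > window:
                break
            if later["id"] == 4887 and later["Requester"].split("\\")[-1] == account:
                issued = later["Attributes"]
                break
        findings.append({"account": account, "source_ip": ev["IpAddress"],
                         "expected_ip": expected, "certificate": issued,
                         "severity": "critical" if issued else "high"})
    return findings
```

A Kerberos logon from the DC's own address produces no finding; the NTLM logon from the foreign address is flagged, and the certificate issued two seconds later escalates it to critical.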
PetitPotam is 'brutal'
Since the release of PetitPotam, security researchers have been quick to test the PoC and its effectiveness.
"Finally finished testing it, it's quite brutal! Network access to full AD takeover... I really underestimated the impact of NTLM relay on PKI ESC8. The combo with PetitPotam is awesome!" tweeted security researcher Rémi Escourrou.
"Actually, no way to block PetitPotam (to my current knowledge) but you can harden the HTTP service of the PKI to avoid the NTLM relay," Escourrou told BleepingComputer in a conversation last night.
Delpy also shared the following video demonstrating how threat actors can abuse the PetitPotam attack.
Update 7/24/21 10:00 AM EST: Added further mitigations from Benjamin Delpy.
Update 7/24/21 16:15 EST: Added link to Microsoft's security advisory for PetitPotam attack.
Comments
Zurv - 3 years ago
ugh :(
Would having a read-only DC help with this? I'm going to guess no.
I'm trying to think of a "world on fire" scenario where one might opt to shut down all DCs.. maybe keeping a read-only up could keep companies hopping along.
lgkwang - 3 years ago
So... what is the IT community actually supposed to do about this right now? Shouldn't this have gone through coordinated vulnerability disclosure with Microsoft first, instead of dropping this on Twitter laughingly calling it "awesome" and that we should "just have fun" playing around with a new exploit?
Pardon me if I'm wrong but these infosec people seem intellectually brilliant but practically immature children with no regard for the (IT) community as a whole, just looking at this as a fun quest to conquer devices with no real-world impact. The tux in the profile picture suggests to me they have taken a side they love Linux and despise Windows and don't really care about the impact this causes their users.
The article mentions it's "won't fix"... If indeed this is the case this should prompt a movement in the social media circles that Microsoft needs to address this for the safety and security of their customers, and the tons of people it surely indirectly affects. Otherwise, I wish they had reported it to Microsoft first, then they could have tweeted after Patch Tuesday.
woody188 - 3 years ago
"won't fix" usually means it was reported and Microsoft didn't deem it important enough to fix or it's part of an unsupported solution. NTLMv2 is from NT 4.0 and has been considered obsolete for a long time.