PetitPotam NTLM Relay Attack
By Deepwatch,
Summary
A French security researcher, Gilles Lionel, discovered a new NTLM relay attack he has dubbed PetitPotam. Giles published a proof-of-concept (PoC) to his GitHub account on July 18th. Giles noted that the flaw works by forcing “Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.”
The attack “enables a domain controller (DC) to authenticate against a remote NTLM under a bad actor’s control using the MS-EFSRPC interface and share its authentication information. This is done by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication.”
Affected Versions
- Windows servers with NTLM enabled and using Active Directory Certificate Services (AD CS) with the following services:
- Certificate Authority Web Enrollment, or
- Certificate Enrollment Web Service
Impact
Successful exploitation gives an attacker an authentication certificate that can be used to access domain services as a DC and the potential to compromise the entire domain.
Workarounds
To mitigate this attack, Microsoft released KB5005413 on July 23rd. Microsoft states that the preferred mitigation measure is to “disable NTLM authentication on your Windows domain controller as the simplest mitigation. This can be accomplished by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.”
Microsoft also provided additional mitigations if you are unable to disable NTLM for compatibility reasons. They are listed in order of more secure to less secure:
- Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
- Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
To see implementation details for either of these workarounds, Deepwatch recommends referring to Microsoft’s guidance provided by KB5005413.
Supporting Information
- https://twitter.com/topotam77/status/1416833996923809793?s=20
- https://github.com/topotam/PetitPotam
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
- https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html
- https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
Learn more about Deepwatch Managed Detection and Response here.