PetitPotam NTLM relay attack technique

Summary

PetitPotam is an NTLM relay attack that could be used against a Windows server, forcing it to share credentials and then relaying these to generate an authentication certificate. An attacker could use this technique against a domain controller to gain full control over a domain.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Security researchers have discovered a New Technology LAN Manager (NTLM) relay attack technique, named PetitPotam, which could force a server, including a domain controller (DC), to authenticate against a remote NTLM server under an attacker's control. PetitPotam uses a legitimate function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API to force a target server to initiate NTLM authentication. The NTLM credentials are then relayed to Active Directory Certificate Services (ADCS) to obtain a signed certificate issued in the name of the target.

A remote attacker could use the PetitPotam technique to assume the identity and privileges of the targeted device. If a domain controller is targeted, this could result in a full domain compromise.


Technique details

PetitPotam works by misusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API, a legitimate interface ordinarily used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network. An attacker can request access to a remote system's MS-EFSRPC interface over the Local Security Authority Remote Procedure Call (LSARPC) named pipe on port 445. This forces the targeted system to initiate authentication, sharing its credentials via NTLM. If the attacker binds over the LSARPC named pipe to the interface with UUID c681d488-d850-11d0-8c52-00c04fd90f7e, they do not need to authenticate first.
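The interface UUID quoted above is the most concrete indicator the advisory gives, and it is visible to a network sensor or SMB proxy in the DCERPC bind request that precedes any call to EfsRpcOpenFileRaw. The following is an added detection example, not code from the advisory or from Microsoft: a minimal DCERPC bind parser that extracts the requested interface UUIDs and flags a bind to the MS-EFSRPC interface. The sample PDU is constructed inline with the standard NDR transfer syntax; the second, non-matching UUID is the LSARPC interface itself, used only as a benign comparison.

```python
import struct
import uuid

# Interface UUID named in the advisory: MS-EFSRPC as exposed over the lsarpc pipe.
EFSRPC_LSARPC_IFACE = uuid.UUID("c681d488-d850-11d0-8c52-00c04fd90f7e")
# Interfaces whose bind requests should be alerted on; extend as needed.
COERCION_IFACES = {EFSRPC_LSARPC_IFACE}

DCERPC_BIND = 11          # packet type of a bind request
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard transfer syntax


def parse_bind_interfaces(pdu: bytes) -> list:
    """Return the abstract-syntax interface UUIDs requested in a DCERPC bind PDU.

    Layout (DCE 1.1 RPC): 16-byte common header, then max_xmit(2) max_recv(2)
    assoc_group(4) n_ctx(1) pad(3), then n_ctx context elements of
    ctx_id(2) n_transfer(1) pad(1) iface_uuid(16) iface_ver(4) + n_transfer*20.
    """
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    rpc_vers, _minor, ptype, _flags = pdu[0:4]
    if rpc_vers != 5:
        raise ValueError(f"unexpected RPC version {rpc_vers}")
    if ptype != DCERPC_BIND:
        return []                      # only bind requests carry interface UUIDs
    little = bool(pdu[4] & 0x10)       # drep byte 0: bit 4 set means little-endian
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU: frag_len exceeds captured bytes")
    n_ctx = pdu[24]
    off = 28
    ifaces = []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated context element")
        n_transfer = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        # UUID fields follow the PDU's byte order, so decode accordingly.
        ifaces.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_transfer    # skip the transfer syntaxes (20 bytes each)
    return ifaces


def is_coercion_bind(pdu: bytes) -> bool:
    """True if the bind requests any interface in COERCION_IFACES."""
    return any(i in COERCION_IFACES for i in parse_bind_interfaces(pdu))


def build_bind(iface: uuid.UUID, major: int = 1, minor: int = 0) -> bytes:
    """Constructed sample: a little-endian bind request for one interface."""
    ctx = (struct.pack("<HBB", 0, 1, 0) + iface.bytes_le
           + struct.pack("<HH", major, minor) + NDR32.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return header + body


if __name__ == "__main__":
    sample = build_bind(EFSRPC_LSARPC_IFACE)
    print("interfaces:", [str(i) for i in parse_bind_interfaces(sample)])
    print("alert:", is_coercion_bind(sample))
```

In practice the PDU bytes would come from the SMB write to the `lsarpc` pipe (or from a packet capture), and an alert is only meaningful together with the session context: the advisory's point is that this bind can arrive from a session that never authenticated, so an unauthenticated or anonymous SMB session binding to this UUID on a domain controller is the event worth escalating.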

If this stage of the attack is successful, the attacker could then force Windows Active Directory Certificate Services (AD CS) to enrol an authentication certificate by relaying the captured NTLM credentials to the AD CS Web Enrollment pages. This results in the attacker obtaining a signed certificate and thereby gaining the identity and permissions of the device which was originally targeted. If the target was a DC, the attacker has an authentication certificate that can be used to access domain services as a DC and compromise the entire domain.


Remediation advice

Affected organisations are encouraged to review Microsoft's CVE-2021-36942 update guide and apply the relevant updates.

Organisations unable to apply the updates should review Microsoft's Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) advisory and consider applying the partial mitigations detailed within it. A summary of Microsoft's guidance is given below:

  • Review the NTLM relay attack mitigation options in Microsoft Security Advisory 974926
  • Review the methods in KB5005413 to protect AD CS servers that are not configured with protections against NTLM relay attacks
  • For networks with NTLM enabled, domain administrators must ensure that protections against NTLM relay attacks are in place, such as Extended Protection for Authentication (EPA) or signing features such as SMB signing
  • Organisations are vulnerable to the PetitPotam attack if NTLM authentication is enabled in their domain and they are using Active Directory Certificate Services (AD CS) with either of the following services:
    • Certificate Authority Web Enrollment
    • Certificate Enrollment Web Service

The above partial mitigations could have widespread and disruptive impacts on your operations and environment. If you do apply any of these, you should only do so after careful consideration and after consulting your organisation's risk owners.
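Because the relay target is the AD CS web enrollment site, one of the checks an administrator will want before and after applying the KB5005413 EPA mitigation is whether the site actually requires Extended Protection and SSL. The following is an added audit example, not code from the advisory or from Microsoft: it reads an exported IIS `applicationHost.config`, finds the `location` entries for the web enrollment and Certificate Enrollment Web Service sites, and reports where `extendedProtection tokenChecking` is not `Require` or `sslFlags` does not include `Ssl`. The two configuration fragments are constructed to show a weak site beside a hardened one; the element and attribute names follow the IIS Windows authentication schema, and the site-path markers are assumptions you should adjust to your own site names. It checks the EPA and SSL settings only, not every step in Microsoft's guidance.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the CertSrv site with Windows authentication but no EPA
# and no SSL requirement (the state the partial mitigation is meant to fix).
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Constructed fragment: the same site after requiring EPA token checking and SSL.
HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Assumed substrings identifying enrollment sites: CertSrv (web enrollment) and
# the *_CES_* application created by the Certificate Enrollment Web Service.
ENROLLMENT_SITE_MARKERS = ("CertSrv", "_CES_")


def audit_enrollment_sites(config_xml: str, markers=ENROLLMENT_SITE_MARKERS):
    """Return [(site_path, [issue, ...]), ...] for each matching location."""
    root = ET.fromstring(config_xml)
    findings = []
    for loc in root.iter("location"):
        path = loc.get("path", "")
        if not any(m in path for m in markers):
            continue
        issues = []
        win = loc.find("./system.webServer/security/authentication/windowsAuthentication")
        if win is not None and win.get("enabled", "false").lower() == "true":
            epa = win.find("extendedProtection")
            # IIS treats a missing extendedProtection element as tokenChecking="None".
            token = epa.get("tokenChecking", "None") if epa is not None else "None"
            if token != "Require":
                issues.append(f"extendedProtection tokenChecking is {token!r}, expected 'Require'")
        access = loc.find("./system.webServer/security/access")
        ssl_flags = access.get("sslFlags", "None") if access is not None else "None"
        if "Ssl" not in [f.strip() for f in ssl_flags.split(",")]:
            issues.append(f"sslFlags is {ssl_flags!r}, expected to include 'Ssl'")
        findings.append((path, issues))
    return findings


def is_epa_mitigated(config_xml: str) -> bool:
    """True only if at least one enrollment site was found and none has issues."""
    findings = audit_enrollment_sites(config_xml)
    return bool(findings) and all(not issues for _, issues in findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for path, issues in audit_enrollment_sites(cfg):
            print(f"[{label}] {path}: {issues or 'OK'}")
```

Run it against a copy of `%windir%\System32\inetsrv\config\applicationHost.config` taken from the AD CS server before the change and again after, and keep both reports: the first documents the exposure, the second is evidence that the mitigation was applied and the sites still load with Windows authentication enabled.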



Last edited: 11 August 2021 1:12 pm