Pierluigi Paganini July 26, 2021

Microsoft published mitigations for the recently discovered PetitPotam attack that allows attackers to force remote Windows machines to share their password hashes.

Microsoft has released mitigations for the recently discovered PetitPotam NTLM attack that could allow attackers to take over a domain controller.

A few days ago, security researcher Gilles Lionel (aka Topotam) has discovered a vulnerability in the Windows operating system that allows an attacker to force remote Windows machines to authenticate and share their password hashes with him.

The attack abuses the Encrypting File System Remote (EFSRPC) protocol, which is used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network.

The PetitPotam technique can potentially impact most of the supported Windows versions, it was successfully tested against Windows 10, Windows Server 2016, and Windows Server 2019 systems.

Lionel also published a proof-of-concept (PoC) exploit code on GitHub.

In the PetitPotam attack demonstrated by the expert, he sent SMB requests to a remote system’s MS-EFSRPC interface and forced its system to initiate an authentication procedure and share its NTLM authentication hash.

The NTLM authentication hash can be used to carry out a relay attack or can be lately cracked to obtain the victim’s password. The PetitPotam attack can be very dangerous because it allows attackers to take over a domain controller and compromise the entire organization.

After the disclosure of the PetitPotam attack technique, Microsoft published a security advisory that includes mitigations for this technique.

The company pointed out that PetitPotam is a classic NTLM Relay Attack, a category of attack that has been deeply documented by the IT giant. Microsoft states that domain administrators must protect services that permit NTLM authentication in order to prevent NTLM Relay Attacks on networks with NTLM enabled.

“Microsoft is aware of PetitPotam which can potentially be used in an attack on Windows domain controllers or other Windows servers. PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers. For example, see Microsoft Security Advisory 974926.” reads the advisory.

“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413 instruct customers on how to protect their AD CS servers from such attacks.”

Organizations that have NTLM authentication enabled in their domain and that are using Active Directory Certificate Services (AD CS) with any of the following services:

• Certificate Authority Web Enrollment
• Certificate Enrollment Web Service

are most exposed.

Microsoft recommends urges to disable NTLM if it is not necessary or to enable the Extended Protection for Authentication mechanism to protect credentials on Windows machines.

Experts criticized the mitigations shared by Microsoft because it doesn’t explicitly address the abuse of the EFSRPC protocol.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]