PETITPOTAM: NTLM Relay Attack
7/29/2021

A security flaw in Windows, named PetitPotam, can be exploited to coerce remote Windows servers, including domain controllers, into authenticating to an attacker-controlled host. The coerced authentication can then be relayed in an NTLM relay attack, ultimately allowing the adversary to take over the Windows domain.

OVERVIEW

▪ French security researcher Gilles Lionel discovered a flaw, named PetitPotam, in the Windows operating system that lets an attacker make a remote Windows machine authenticate to a host of the attacker's choosing, exposing that machine's NTLM authentication exchange (not its password itself) and, once the exchange is relayed to a certificate service, authentication certificates issued in its name.

▪ The PetitPotam attack is a credential relay attack. It relies on abusing system functions that are exposed when all of the following conditions apply:
  o NTLM authentication is enabled in the domain.
  o Active Directory Certificate Services (AD CS) is deployed.
  o Either the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service role is enabled.

▪ The proof-of-concept code published by the researcher sends SMB requests to a remote system's MS-EFSRPC interface and forces the victim computer to initiate an authentication procedure against the attacker's host, handing over its NTLM authentication details.

▪ Attackers then relay this authentication as part of an NTLM relay attack to gain access to other systems on the same internal network; relaying a domain controller's authentication to the AD CS web enrollment endpoint is what turns the coercion into full domain takeover.
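A relayed coercion of this kind leaves a trace on the relay target (for example the AD CS web enrollment server): a Security event 4624 network logon (logon type 3) where the authentication package is NTLM, the account is a domain controller's machine account (DC01$), and the source address is the attacker's host rather than the domain controller's own. The script below, an added example and not code from the page or from the researcher's PoC, applies that heuristic to constructed event lines. The flat `key=value;` rendering of the event fields and the `DC_ADDRESSES` inventory are assumptions; in a real deployment the fields come from your SIEM export and the inventory from Active Directory.

```python
"""Flag NTLM network logons by domain-controller machine accounts that
originate from an address that is not the domain controller's own.

Added detection example for PetitPotam-style coercion + NTLM relay; not
part of the original page or of the published proof of concept.
"""
import re
from dataclasses import dataclass

# Constructed inventory (assumption): DC machine account -> addresses it
# legitimately authenticates from. Populate from AD / CMDB in practice.
DC_ADDRESSES = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}


@dataclass(frozen=True)
class Logon:
    event_id: int
    account: str
    logon_type: int
    auth_package: str
    source_ip: str


# Constructed flat "Key=Value;Key=Value" rendering of Security event fields
# (assumption); a SIEM export carries the same fields under its own names.
_FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_event(line: str) -> Logon:
    """Parse one flat event line into a Logon record."""
    fields = dict(_FIELD_RE.findall(line))
    return Logon(
        event_id=int(fields["EventID"]),
        account=fields["AccountName"],
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthPackage"],
        source_ip=fields["SourceIP"],
    )


def is_coerced_dc_logon(ev: Logon) -> bool:
    """True when a DC machine account authenticates over NTLM from an
    address that is not that DC's own. A DC has no reason to use NTLM
    from a foreign host; this is the signature of a coerced, relayed
    authentication landing on the local machine."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if ev.auth_package.upper() != "NTLM":
        return False  # Kerberos logons by a DC are routine
    known = DC_ADDRESSES.get(ev.account.upper())
    if known is None:
        return False  # not a tracked DC machine account
    return ev.source_ip not in known


def find_coerced_logons(lines):
    """Return the Logon records in `lines` that match the heuristic."""
    return [ev for ev in map(parse_event, lines) if is_coerced_dc_logon(ev)]


# Constructed sample events (assumption): two benign DC logons, one
# ordinary user NTLM logon, and two relayed DC machine-account logons
# arriving from 10.0.0.55, the (constructed) attacker's relay host.
SAMPLE_EVENTS = [
    "EventID=4624;AccountName=DC01$;LogonType=3;AuthPackage=Kerberos;SourceIP=10.0.0.10",
    "EventID=4624;AccountName=DC01$;LogonType=3;AuthPackage=NTLM;SourceIP=10.0.0.10",
    "EventID=4624;AccountName=alice;LogonType=3;AuthPackage=NTLM;SourceIP=10.0.0.55",
    "EventID=4624;AccountName=DC01$;LogonType=3;AuthPackage=NTLM;SourceIP=10.0.0.55",
    "EventID=4624;AccountName=DC02$;LogonType=3;AuthPackage=NTLM;SourceIP=10.0.0.55",
]


if __name__ == "__main__":
    for ev in find_coerced_logons(SAMPLE_EVENTS):
        print(f"ALERT: {ev.account} authenticated via NTLM from {ev.source_ip}")
```

Run against the constructed sample, the script reports the two DC01$/DC02$ NTLM logons from 10.0.0.55 and stays quiet on the Kerberos logon, on the DC authenticating from its own address, and on the user account. The check is a detection heuristic only: it fires after the relay has already reached the host, so it complements, rather than replaces, removing the preconditions listed above (NTLM reaching the AD CS web enrollment endpoints).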
