Microsoft has released mitigations for a new attack method involving Windows NT LAN Manager (NTLM), which could be exploited to force remote Windows systems to reveal password hashes, giving an attacker full control of a domain server and other Windows servers.
Security researcher Gilles Lionel discovered it is possible to abuse legitimate functions using a new attack method dubbed ‘PetitPotam.’ A proof-of-concept (PoC) exploit was released by Lionel on July 22, 2021.
The attack involves abusing the Encrypting File System Remote Protocol (MS-EFSRPC), which was developed to allow Windows systems to access remote encrypted data stores for data management while enforcing access control policies. The attack involves using MS-EFSRPC in an NTLM relay attack to force a Windows server or domain controller to authenticate to a remote NTLM relay under the control of the attacker.
Lionel showed that it is possible to conduct a manipulator-in-the-middle attack on the Windows NT LAN Manager authentication system. An attacker could use the Server Message Block (SMB) to request access to the MS-EFSRPC interface of a remote system and force the targeted computer to initiate authentication and share authentication details via NTLM with a remote server under their control. That would allow the attacker to obtain certificates and hashed passwords, which can be easily cracked offline and used to perform operations on a remote server with the authenticated user’s level of privileges.
Microsoft said “PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.” The attack can be used on Windows Server 2008 through 2019.
Microsoft has published mitigations that can prevent the new technique from being used to attack Windows servers and domain controllers. Companies vulnerable to PetitPotam have NTLM authentication enabled on the domain and use Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
Microsoft recommends disabling NTLM where it is not necessary, for instance on Domain Controllers, and to enable Extended Protection for Authentication (EPA) feature on AD CS servers to protect credentials, or to use signing features such as SMB signing.