The PetitPotam attack chain relies on Active Directory Certificate Services (AD CS), specifically the default settings of its Web Enrollment service. Adversaries can use PetitPotam to achieve a full Domain Admin takeover of a target Active Directory, which has drawn the attention of ransomware gangs: once they control a Domain Controller (DC), they can create a Group Policy that spreads their ransomware across the entire internal network.
Using PetitPotam, the adversary can send requests to a Domain Controller that coerce it into authenticating over NTLM to a host chosen by the attacker. The Domain Controller's NTLM credentials can then be relayed to the AD CS Web Enrollment pages, and a certificate for the DC can be enrolled. That certificate can then be used to request a Ticket Granting Ticket and compromise the entire domain through DCSync and Pass the Ticket.
AD CS (Active Directory Certificate Services) offers role services that accept NTLM-based authentication by default, and that is what this attack abuses. Specifically, these services are Certificate Authority Web Enrollment and the Certificate Enrollment Web Service.
Attack Steps and Demonstrations
Use PetitPotam to trigger NTLM authentication from the Domain Controller to the attacker's listener machine, in this case Kali Linux running Responder or ntlmrelayx.
Use ntlmrelayx to relay the DC's credentials to the AD CS (Active Directory Certificate Services) server with the default Web Enrollment enabled (NTLM authentication must be enabled, and it is enabled by default), specifying the "KerberosAuthentication" or "DomainControllers" AD CS template in the ntlmrelayx options.
Obtain the Base64-encoded PKCS12 certificate captured through the NTLM relay.
Import the Base64 PKCS12 certificate into Kekeo (a tool for manipulating Microsoft Kerberos) and use it to request a TGT (Ticket Granting Ticket).
Use Mimikatz to perform DCSync and dump the LSA secrets for the user of choice (Administrator, krbtgt, etc.).
Note down the NT hash of the domain administrator user; it will be used for Pass the Hash.
Use wmiexec with that NT hash to perform the Pass the Hash attack and gain execution as that user on the Domain Controller.
Congratulations, if everything went normally you now have a reverse shell as Domain Administrator!
This attack allows instant privilege escalation from a low-privileged user to domain administrator. This is a critical security hole for companies, and during our research on the DarkNet adversaries began to abuse this vulnerability widely.
Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) – ADV210003 – KB5005413 – PetitPotam
Block Outbound Traffic From DCs
Blocking connections from DCs to arbitrary services and hosts is an effective mitigation. DCs should only initiate connections to well-known destinations such as other Domain Controllers or hosts that are classified as necessary for such communication. If a tiering model is implemented in the domain, outbound connections should be limited to tier 0 hosts and services.
Block [MS-EFSR] (EFSRPC) Using RPC Filters
Use RPC filters to block MS-EFSR by creating filter rules that block its known interface UUIDs, which are exposed over \pipe\lsarpc and \pipe\efsrpc, and apply them with this command:
netsh.exe -f block_efsr.txt
For the full contents of block_efsr.txt: https://gist.github.com/whichbuffer/8c16d0a394be36bf525aca85e4dd652b
Remove the listed role services if they are not justified by a business need. In most cases, the affected services can be replaced by other APIs/interfaces such as the built-in RPC interfaces.
Restrict or disable inbound NTLM authentication to the server running the role service by setting the policy "Network security: Restrict NTLM: Incoming NTLM traffic".
Disable or remove the NTLM provider in the Internet Information Services (IIS) instance running the selected role services.
Enable Extended Protection for Authentication (EPA) and require TLS on the selected role services.
Enforce strict network access control to the selected service.
Always enable TLS for proper transport and session protection.
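As an added example (not part of the original post or the linked gist), the following PowerShell builds a block_efsr.txt equivalent to the MS-EFSR RPC filter step above, applies it with netsh as the post does, verifies the filters are installed, and audits the registry value behind the "Restrict NTLM: Incoming NTLM traffic" policy; the temp file path and the audit step are my additions, and the two UUIDs are the interface identifiers the MS-EFSR specification assigns to EFSRPC.

```powershell
# Added example, not from the original post: build and apply the block_efsr.txt
# RPC filter script described above, then verify it. Run elevated on each DC.
# The two interface UUIDs are the ones MS-EFSR registers for the EFSRPC
# interface (reachable over \pipe\lsarpc and \pipe\efsrpc). Blocking them also
# blocks legitimate EFSRPC calls to the DC, so test EFS-dependent workflows first.
$EfsrUuids = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)

# netsh script: enter the 'rpc filter' context and add one user-mode (layer=um)
# block rule per interface UUID; 'add filter' commits each rule.
$netshScript = @('rpc', 'filter')
foreach ($uuid in $EfsrUuids) {
    $netshScript += 'add rule layer=um actiontype=block'
    $netshScript += "add condition field=if_uuid matchtype=equal data=$uuid"
    $netshScript += 'add filter'
}
$netshScript += 'quit'

$scriptPath = Join-Path $env:TEMP 'block_efsr.txt'   # assumed location
Set-Content -Path $scriptPath -Value $netshScript -Encoding ASCII

# Apply it exactly as the post does and fail loudly if netsh rejects the script.
& netsh.exe -f $scriptPath
if ($LASTEXITCODE -ne 0) { throw "netsh.exe returned $LASTEXITCODE applying $scriptPath" }

# Verify: each EFSR UUID must now appear in the installed filter list.
# (Rollback while testing: netsh rpc filter delete filter filterkey=all)
$installed = (& netsh.exe rpc filter show filter) -join "`n"
foreach ($uuid in $EfsrUuids) {
    if ($installed -match [regex]::Escape($uuid)) {
        Write-Output "OK: RPC filter present for if_uuid $uuid"
    } else {
        Write-Warning "MISSING: no RPC filter found for if_uuid $uuid"
    }
}

# Audit of the 'Restrict NTLM: Incoming NTLM traffic' policy mentioned above.
# It is backed by this LSA value (0 = allow all, 1 = deny domain accounts,
# 2 = deny all accounts). Read-only here: change it through Group Policy.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = Get-ItemProperty -Path $lsaKey -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue
if ($null -eq $ntlm) {
    Write-Warning 'RestrictReceivingNTLMTraffic is not set: incoming NTLM is allowed'
} else {
    Write-Output "RestrictReceivingNTLMTraffic = $($ntlm.RestrictReceivingNTLMTraffic)"
}
```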