Free Access
Blog

PetitPotam (MS-EFSRPC) Exploit – CVE2021-36942

This image is about the PetitPotam (MS-EFSRPC) exploit.

PetitPotam (MS-EFSRPC) Exploit – Summary

PetitPotam Exploit needs Active Directory Certificate Services, specifically the default settings behind the Web Enrollment service because of this Vulnerability. Adversaries can achieve full Domain Admin (DC) takeover of a target Active Directory by using PetitPotam, which takes attention among Ransomware Gangs, they are able to use this Vulnerability to get DC server and make a Group Policy to spread their Ransomware all of the Internal Network.

The adversary can send requests to a Domain Controller using PetitPotam for NTLM relay credentials to a host chosen by the attacker. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and DC Server certificate can be enrolled. This certificate can then be used to request a Ticket Granting Ticket and compromise the entire domain through DCsync and Pass The Ticket.

AD CS (Active Directory Certificate Services) offers role services that by default accept NTLM-based authentication which it’s abused in this attack. These services specifically include Certificate Authority Web Enrollment and the Certificate Enrollment Web Service.

Attack Steps and Demonstrations

  1. Use PetitPotam to trigger NTLM authentication from the Domain Controller to the Listener attacker machine this time it’s Kali Linux (Running Responder or ntlmrelayx)
  2. Use ntlmrelayx to relay the DC’s credentials to the AD CS (Active Directory Certificate Services) server with default Web Enrollment enabled (NTLM authentication must be enabled and it’s enabled by default), using the “KerberosAuthentication” or “DomainControllers” AD CS template on settings of ntlmrelayx.
  3. Obtain Base64 PKCS12 Certificate captured via NTLM relaying attack
  4. Use the Base64 PKCS12 cert to import to Kekeo (manipulate Microsoft Kerberos) to ask for a TGT (Ticket Granting Ticket)
  5. Use Mimikatz to perform DCsync and dump LSA secrets for the user of choice (Administrator, Krbtgt etc.)
  6. Note down the NT hash from the domain administrator user we will use on Pass The Hash.
  7. Use wmiexec to gain execution as that user against the Domain Controller and perform Pass The Hash attack
  8. Congratulations if everything goes normal you got a Reverse Shell on Domain Administrator !!

PoC Video

https://www.youtube.com/embed/HHdVp_EkuwU?feature=oembed

Attack Flowchart

Conclusion

This attack allows for instant Privilege Escalation from low privileged user to domain administrator. This is a critical security hole for companies and during our research on DarkNet adversaries begin to abuse this Vulnerability widely.

Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) – ADV210003 – KB5005413 – PetitPotam

Block Outbound Traffic From DC’s

Blocking connections by DC to arbitrary services and hosts is an effective mitigation. DC’s should only initiate connections to well-known destinations like other Domain Controllers or hosts that are classified to be necessary for such communication. If it’s implemented in the domain, outbound connections should be limited to tier 0 hosts and services.

Block [MS-ESFR] (EFSRPC) Using RPC Filters

Use RPC filters to block MS-EFSR by creating filter rules to block the known UUID’s for \pipe\lsarpc and \pipe\efsrpc using this command:

netsh.exe -f block_efsr.txt

For the full list of block_efsr.txt : https://gist.github.com/whichbuffer/8c16d0a394be36bf525aca85e4dd652b

Remove the listed role services if not justified by a business need. In most cases, the affected services are replaceable by other API/interfaces such as the built-in RPC interfaces.

Restrict/disable inbound NTLM authentication to the server running the role service by setting the policy “Network security: Restrict NTLM: Incoming NTLM traffic”.

Disable/remove the NTLM provider in the Internet Information Services (IIS) running the selected role services.

Enabling Extended Protection for Authentication (EPA) And Require TLS on the selected role services.

  • Enable strict network access control to the selected service.
  • Always enable TLS for proper transport and session protection.

Microsoft has released ADV210003 and KB5005413 in response to the published POC.

Links & Further Research

More posts

This image is about monthly vulnerabilities for September 2024.
Peek into Monthly Vulnerabilities: September 2024
October 9, 2024
This image is about the ServiceNow data leak.
ServiceNow Data Leak: Risks of Misconfigured Knowledge Bases
September 18, 2024
This image is about monthly vulnerabilities for July 2024.
Peek into Monthly Vulnerabilities: July 2024
August 12, 2024
This image is about cyber strategies for the Paris Olympics 2024.
Securing the Games: Cyber Strategies for Paris Olympics 2024
August 9, 2024
This image is about Russian influence operations targeting the Paris Olympics 2024.
Hunter’s Lens: Russian Influence Operations Targeting the Paris Olympics 2024
August 2, 2024
View All
advanced divider

Share this article

Found it interesting? Don’t hesitate to share it to wow your friends or colleagues
advanced divider
Subscribe to our blog newsletter to follow the latest posts
Stay informed with the latest updates, expert insights, and in-depth analysis from ThreatMon’s cybersecurity intelligence. Subscribe to receive critical news, threat reports, and industry trends directly in your inbox, helping you stay ahead of emerging cyber threats.

Platform

Subscriptions

Solutions

Resources

Partner

Company

© 2024 ThreatMon. All rights reserved.
X-twitter Linkedin-in Github