Skip to content
Microsoft now releases mitigations for a Windows NT LAN Manager exploit that forces remote Windows systems to reveal password hashes that can be easily cracked.
Microsoft was quick to respond with a fix to an attack dubbed “Petit Potam” that could force remote Windows systems to reveal password hashes that could then be easily cracked. To stop an attack, Microsoft recommends system administrators stop using the now deprecated Windows NT LAN Manager (NTLM).
Exploit Code
Security researcher Gilles Lionel first identified the bug on Thurs. & also published proof-of-concept (PoC) exploit code to demonstrate the attack. The following day, Microsoft issued an advisory that included workaround mitigations to protect systems.
The Petit Potam bug is tied to the Windows operating system & the abuse of a remote access protocol called Encrypting File System Remote Protocol (MS-EFSRPC).
Remote Encrypted
The protocol is designed to allow Windows systems to access remote encrypted data stores, allowing for management of the data while enforcing access control policies.
The Petit Potam PoC is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. Next, an attacker uses the file-sharing protocol Server Message Block (SMB) to request access to a remote system’s MS-EFSRPC interface. According to Lionel, this forces the targeted computer to initiate an authentication procedure & share its authentication details via NTLM.
NTLM: Persona Non Grata Protocol
Because the NTLM protocol is an insufficient authentication protocol that’s nonetheless used to relay authentication details, hashed passwords can be scooped up by an attacker & later cracked offline with minimal effort. NTLM has a long list of criticisms that date back to 2010, when even then it was seen as an insufficient authentication protocol.
“NTLM is susceptible to relay attacks, which allows actors to capture an authentication & relay it to another server, granting them the ability to perform operations on the remote server using the authenticated user’s privileges,” wrote researchers at Preempt in a 2019 report.
Scenario
According to Lionel, this similar scenario can be played out with a Petit Potam attack. He demonstrated how a Petit Potam attack can be chained to an exploit targeting Windows Active Directory Certificate Services (AD CS), which provides public key infrastructure (PKI) functionality.
Researchers at Truesec break it down further in a blog post published Sun.
“An attacker can target a Domain Controller to send its credentials by using the MS-EFSRPC protocol & then relaying the DC domain controller NTLM credentials to the Active Directory Certificate Services AD CS Web Enrolment pages to enrol a DC certificate. … This will effectively give the attacker an authentication certificate that can be used to access domain services as a DC & compromise the entire domain.”
Petit Potam Mitigation
In response to the public availability of the PoC, Microsoft was quick to respond, outlining several mitigation options. For starters, Microsoft recommends disabling NTLM authentication on Windows domain controllers. It also suggests enabling the Extended Protection for Authentication (EPA) feature on AD CS services.
“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” wrote Microsoft.
Active Directory
“Petit Potam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413 instruct customers on how to protect their AD CS servers from such attacks.”
Microsoft also added that companies are vulnerable to a Petit Potam attack if NTLM authentication is enabled in their domains and/or they’re using AD CS with the services “Certificate Authority Web Enrolment” & “Certificate Enrolment Web Service.”
https://www.cybernewsgroup.co.uk/virtual-conference-september-2021/
