New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains

July 26, 2021

A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain.

The issue, dubbed "PetitPotam," was discovered by security researcher Gilles Lionel, who shared technical details and proof-of-concept (PoC) code last week, noting that the flaw works by forcing "Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function."

MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol, which is used to perform "maintenance and management operations on encrypted data that is stored remotely and accessed over a network."


Specifically, the attack forces a domain controller to perform NTLM authentication against a remote host under a bad actor's control via the MS-EFSRPC interface, thereby handing over its authentication material. This is done by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication.

"An attacker can target a Domain Controller to send its credentials by using the MS-EFSRPC protocol and then relaying the DC NTLM credentials to the Active Directory Certificate Services AD CS Web Enrollment pages to enroll a DC certificate," TRUESEC's Hasain Alshakarti said. "This will effectively give the attacker an authentication certificate that can be used to access domain services as a DC and compromise the entire domain."

While disabling support for MS-EFSRPC does not stop the attack from functioning, Microsoft has since issued mitigations for the issue, characterizing "PetitPotam" as a "classic NTLM relay attack," a class of attack that enables attackers with access to a network to intercept legitimate authentication traffic between a client and a server and relay those validated authentication requests in order to access network services.


"To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing," Microsoft noted. "PetitPotam takes advantage of servers where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks."

To safeguard against this line of attack, the Windows maker is recommending that customers disable NTLM authentication on the domain controller. In the event NTLM cannot be turned off for compatibility reasons, the company is urging customers to take one of the two steps below:

  • Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.
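The following PowerShell audit script is an added example, not code from the article or from Microsoft; it checks an AD CS server for the three mitigations named above (the "Restrict NTLM: Incoming NTLM traffic" policy, NTLM disabled for the IIS web enrollment application with EPA required, and SMB signing) and reports which are missing. It assumes an elevated session on the AD CS host, the IIS `WebAdministration` module, and that web enrollment lives under `Default Web Site/CertSrv` (adjust `$siteAndApp` if your deployment differs). The registry value name `RestrictReceivingNTLMTraffic` is the backing store for that group policy setting; the Negotiate-fallback check reflects Microsoft's guidance to restrict the provider to `Negotiate:Kerberos`.

```powershell
# Added example: audit an AD CS web enrollment host for NTLM relay mitigations.
# Assumptions: elevated session on the AD CS host, WebAdministration module present,
# web enrollment application at 'Default Web Site/CertSrv'.
Import-Module WebAdministration -ErrorAction Stop

$siteAndApp = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default AD CS web enrollment path
$findings   = @()

# 1. Group policy "Network security: Restrict NTLM: Incoming NTLM traffic" is stored as
#    RestrictReceivingNTLMTraffic under MSV1_0: 0 = allow all, 1 = deny for domain
#    accounts, 2 = deny all accounts. A missing value behaves as 0 (allow all).
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$incoming = (Get-ItemProperty -Path $lsaPath -Name RestrictReceivingNTLMTraffic `
             -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($null -eq $incoming) { $incoming = 0 }
if ($incoming -lt 2) {
    $findings += "Incoming NTLM is still accepted (RestrictReceivingNTLMTraffic=$incoming); expected 2."
}

# 2. Windows Authentication on the web enrollment app: EPA must be 'Require', and the
#    provider list must not offer NTLM (plain 'Negotiate' can fall back to NTLM, so only
#    'Negotiate:Kerberos' is treated as safe here).
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$epa = Get-WebConfigurationProperty -PSPath $siteAndApp -Filter "$winAuth/extendedProtection" -Name tokenChecking
if ($epa.PSObject.Properties['Value']) { $epa = $epa.Value }   # unwrap ConfigurationAttribute if returned
if ("$epa" -ne 'Require') {
    $findings += "EPA tokenChecking is '$epa' on $siteAndApp; expected 'Require'."
}
$providers = @(Get-WebConfiguration -PSPath $siteAndApp -Filter "$winAuth/providers/add" | ForEach-Object { $_.value })
$weak = $providers | Where-Object { $_ -eq 'NTLM' -or $_ -eq 'Negotiate' }
if ($weak) {
    $findings += "Windows Authentication providers on $siteAndApp still permit NTLM: $($providers -join ', ')"
}

# 3. Server-side SMB signing, so a relayed NTLM session cannot be used against SMB on this host.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings += 'SMB server signing is not required (RequireSecuritySignature=False).'
}

# Report: one line per missing mitigation, or a single PASS line.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: NTLM relay mitigations are in place on this AD CS host.'
} else {
    Write-Output 'FAIL: the following mitigations are missing:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script reads configuration only and changes nothing; apply the actual changes through group policy and the IIS management console as Microsoft's guidance describes, then re-run the audit to confirm every check reports PASS.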

PetitPotam marks the third major Windows security issue disclosed over the past month, after the PrintNightmare and SeriousSAM (aka HiveNightmare) vulnerabilities.
