A new NTLM relay attack dubbed PetitPotam allows attackers to take over a domain controller and an entire Windows domain.
This week, Topotam, which is a nickname of a French security researcher GILLES Lionel, released a new hacking technique called PetitPotam, which allows NTLM relay attacks without requiring the use of the MS-RPRN API but involves abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API.
MS-EFSRPC is Microsoft’s protocol that enables remote management of encrypted data stored on a network and accessed remotely.
The technique is a proof-of-concept that shows how an attacker can force a domain to authenticate with a remote NTLM using the MS-EFSRPC API. It used SMB authentication to an HTTP server that could allow full control over the domain controller.
Lionel uploaded the PetitPotam PoC on GitHub. He stated that he does not see the relay attack method as a vulnerability but rather as an abuse of a legitimate function.
“In my eyes, this is not a vulnerability but an abuse of a legitimate function. Function that shouldn’t use the machine account to authenticate like in the printerbug for example,” Lionel shared with BleepingComputer.
Lionel said that besides allowing full take over of the domain controller, this attack could be used for other attacks as well. These additional attacks involve “NTLMv1 downgrade and relaying machine account on computers where this machine account is local admin (SCCM, exchange server, are often in this situation for example).”
Since the release of PetitPotam, security researchers have confirmed its effectiveness.
The only solution to this vulnerability is to disable NTLM authentication. Also admins can mitigate this vulnerability by enabling certain protections, such as SMB signing and LDAP signing.
Unfortunately, there is no way to disable the EFSSRpcOpenFileRaw function from being used to relay authenticated requests.
“Actually, no way to block PetitPotam (to my current knowledge) but you can harden the HTTP service of the PKI to avoid the NTLM relay,” Escourrou told BleepingComputer.