Windows “PetitPotam” network attack – how to protect against it

Man data center technician performing server maintenance. Using mobile phone to troubleshooting

by Paul Ducklin

French researcher Gilles Lionel, who goes by @topotam77, recently published proof-of-concept code that attackers could use to take over a Windows network.

The hack, which he has dubbed PetitPotam (which is a nod to the endangered Pygmy Hippopotamus, as far as we can tell), involves what’s known as an NTLM relay attack, which is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system.

Microsoft has been advising everyone to avoid NTLM, short for NT LAN Manager, for more than a decade, because it doesn’t meet modern cryptographic security standards.

Way back in 2012, for example, password researcher Jeremi Gosney, who describes himself as “your friendly neighborhood password cracker”, described and built a standalone password cracking computer, using 25 graphics cards, that could brute-force all eight-character Windows passwords from their NTLM hashes in just six hours.

Unfortunately, NTLM authentication has proved hard to shake off altogether, with many network administrators keeping it alive because of legacy applications that can’t use the network without it.

Microsoft has added several NTLM mitigations over the years to try to close off various NTLM relay attack loopholes that remain.

This has steadily made it harder for attackers to trick Windows clients into talking to imposter authentication servers (the so-called “relays” in the attack) that could allow password hashes to be sniffed out, stolen and abused by attackers.

Ironically, one popular NTLM relay trick used in the past was to abuse the Microsoft Print System Remote Protocol (MS-RPRN) – what you could call a PrintNightmare of yesteryear.

As Lionel himself points out, however, “[using] MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins [in] most [organizations].”

His new proof-of-concept uses a similar attack (indeed, Lionel credits his code as “inspired by the previous work on MS-RPRN”), but abuses a different remote access protocol called MS-EFSRPC, short for Encrypting File System Remote Protocol. OTHERS STOP AT NOTIFICATION. WE TAKE ACTION Get 24/7 managed threat hunting, detection, and response delivered by Sophos experts Learn more

Annoyingly, according to Lionel, turning off the underlying Encrypting Filing System service doesn’t seem to help, so the obvious mitigation that worked for old-school MS-RPRN attacks (namely, turning off the service that supported the at-risk protocol) won’t work here.

According to Microsoft, the PetitPotam code relies on abusing system functions that are enabled if all of these conditions apply:

  • NTLM authentication is enabled in your domain.
  • You are using Active Directory Certificate Services (AD CS).
  • You are have either Certificate Authority Web Enrollment or Certificate Enrollment Web Service enabled.

What to do?

Obviously, the most robust defense is to stop using NTLM anywhere in your network.

If you genuinely don’t need it (and it’s been deprecated for more than a decade) you can turn it off on your domain controller to improve security for your whole network.

Retiring NTLM altogether means that you are no longer at risk of NTLM relay attacks of any sort, whether they’re caused by attackers try to abuse your printing services, the encrypting file system service, or any other remote access protocol.

If you can’t turn off NTLM authentication altogether, Microsoft has numerous other steps that you can take instead, but these deal specifically with the PetitPotam loophole rather than with getting rid of the outdated cryptography of NTLM itself.

The next-best mitigations involve turning off NTLM authentication on specific servers in your network, such as those running Active Directory Certificate Services.

The final mitigation involves turning on an IIS feature known as Extended Protection for Authentication (EPA), which is supposed to protect the above mentioned Certificate Authority Web Enrollment and Certificate Enrollment Web Service features from a relay attacks.

Prevent this from happening to your network.

Call us or email us today to see how we can help your network.

Make Our IT Department your IT Department!

original source: