Security researcher Gilles Lionel released proof-of-concept code showing how a vulnerability in the Windows OS can allow an attacker to force remote machines to authenticate and share password hashes with that actor. While this vulnerability has, as of this writing, yet to be seen exploited in the wild, the release of proof-of-concept code means it is only a matter of time before threat actors capitalize on it. In response, Microsoft has issued both existing and new advisories on the topic to mitigate the attack method. Notably, this attack cannot be launched on its own from outside the network; it must be carried out from inside the network as a post-infiltration technique.
What is the nature of the vulnerability?
Through abuse of the outmoded NTLM architecture together with MS-EFSRPC (Encrypting File System Remote Protocol), it is possible to send an SMB request to a remote system’s EFSRPC interface, force an authentication procedure, and obtain the NTLM authentication hash for that device. This vulnerability can be further exploited for lateral movement, in relay attacks, and to obtain domain controller access.
What’s at risk?
Because a threat actor who has already achieved initial access can use this vulnerability to escalate relatively simply to domain controller access, it presents a serious threat to any network that still relies on NTLM.
The vulnerability has been successfully tested against Windows 10, Server 2016, and Server 2019.
According to Microsoft, “You are potentially vulnerable to this attack if NTLM authentication is enabled in your domain and you are using Active Directory Certificate Services (AD CS) with any of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service”
What can I do to protect against this vulnerability?
While information is still pending regarding the abuse of EFSRPC, the official Microsoft recommendations are as follows. Research the possible impact of disabling NTLM before implementing their recommendations; legacy devices in the network may complicate disabling NTLM.
Preferred Mitigation: Microsoft recommends disabling NTLM authentication on the Windows domain controller as the simplest mitigation. This can be accomplished by following the documentation for the policy “Network security: Restrict NTLM: NTLM authentication in this domain.”
Other Mitigations: If NTLM cannot be disabled on the domain for compatibility reasons, use one of the following, listed from most secure to least secure:
- Disable NTLM on any AD CS servers in the domain using the group policy “Network security: Restrict NTLM: Incoming NTLM traffic.”
  - To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  - Set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny All Accounts” or “Deny All domain accounts.”
  - If needed, exceptions can be added using the setting “Network security: Restrict NTLM: Add server exceptions in this domain.”
- Disable NTLM for Internet Information Services (IIS) on AD CS servers in the domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
  - Detailed instructions on how to disable NTLM for IIS on AD CS servers can be found on Microsoft’s website.
- If NTLM can’t be disabled outright, Microsoft recommends enabling EPA (Extended Protection for Authentication) on AD CS services.
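An added audit script, not part of this article or of Microsoft’s guidance, that checks on an AD CS server or domain controller the registry values the “Restrict NTLM” policies above write and lists recent incoming NTLM authentications. It assumes the standard registry names and value meanings those policies use, and that the NTLM operational log is populated only once the audit policy is enabled.

```powershell
# Added example: audits the registry values written by the "Restrict NTLM" policies
# named above and lists recent incoming NTLM authentications if auditing is enabled.
# Run in an elevated PowerShell session on the AD CS server or domain controller.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LsaValue {
    param([string]$Name)
    # A missing value means the policy is "Not Defined", which behaves as "Allow all".
    $item = Get-ItemProperty -Path $lsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Value meanings for the three policies, as written by Group Policy.
$incomingMap = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$inDomainMap = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers';
                  3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' }
$auditMap    = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts';
                  2 = 'Enable auditing for all accounts' }

function Get-PolicyState {
    param([string]$Label, [string]$ValueName, [hashtable]$Map, [int[]]$HardenedValues)
    $v = Get-LsaValue $ValueName
    $state = if ($null -eq $v) { 'Not Defined (allow)' } else { $Map[[int]$v] }
    [pscustomobject]@{
        Policy   = $Label
        Value    = $v
        State    = $state
        Hardened = ($null -ne $v -and $HardenedValues -contains [int]$v)
    }
}

$report = @(
    Get-PolicyState 'Incoming NTLM traffic (AD CS server)' 'RestrictReceivingNTLMTraffic' $incomingMap @(1, 2)
    Get-PolicyState 'NTLM authentication in this domain (DC)' 'RestrictNTLMInDomain' $inDomainMap @(1, 3, 5, 7)
    Get-PolicyState 'Audit Incoming NTLM Traffic' 'AuditReceivingNTLMTraffic' $auditMap @(1, 2)
)
$report | Format-Table -AutoSize

# Server exceptions added via "Add server exceptions in this domain" widen the policy;
# every entry listed here should be a known legacy system, never an AD CS host.
$exceptions = Get-LsaValue 'DCAllowedNTLMServers'
if ($exceptions) { Write-Host "NTLM server exceptions: $($exceptions -join ', ')" }

# With auditing on, incoming NTLM authentications are logged as event 8002 in the NTLM
# operational log, which is where a relayed authentication reaching this server is recorded.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8002 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Any row reporting Hardened = False on an AD CS server means the host still accepts incoming NTLM and the mitigation above has not taken effect there.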
Microsoft security advisory:
The Record’s article on PetitPotam:
Security Affair’s article on PetitPotam: