A new NT LAN Manager (NTLM) relay attack, dubbed PetitPotam, lets an attacker take over a domain controller and, from there, the entire domain.
At least at the moment, Microsoft's position is that it will not fix this, because it is not a bug but an abuse of legitimate services. Stay tuned: if the publicity is bad enough, they will do something.
Without going into ridiculous detail (see links below), the attacker coerces a domain controller into authenticating with NTLM to a host the attacker controls, then relays that authentication to an Active Directory Certificate Services (AD CS) web enrollment endpoint. Those endpoints accept NTLM by default and, unless Extended Protection for Authentication is enabled, cannot tell a relayed authentication from a genuine one.
The enrollment server hands back a certificate for the domain controller's machine account, which the attacker then uses to obtain a Kerberos Ticket Granting Ticket as that account. Holding a domain controller's identity is effectively holding the domain: the attacker can, for example, replicate every password hash out of the directory.
An earlier coercion technique used the Print Spooler service: an RPC call over the MS-RPRN interface forces the target to connect back to a host the attacker chooses.
The mitigation for that variant is to disable the Print Spooler on domain controllers, which removes the MS-RPRN interface along with it.
The new variant, PetitPotam, achieves the same coercion through the Encrypting File System Remote Protocol (MS-EFSRPC). A proof-of-concept has been released on GitHub.
Enabling SMB signing and LDAP signing protects SMB and LDAP relay targets, and disabling NTLM authentication completely removes the relay possibility altogether. The AD CS enrollment endpoints speak HTTP, though, so signing does nothing for them; they need Extended Protection for Authentication (or no NTLM at all) to be safe.
Unlike the Print Spooler, at the moment there is no way to turn off the Encrypting File System RPC call.
One researcher called the effects of the attack “BRUTAL” – complete takeover.
Credit: Bleeping Computer
Microsoft has released mitigation guidance (KB5005413), but it addresses the relay target rather than the coercion: enable Extended Protection for Authentication on the AD CS web enrollment sites, require TLS there, and disable NTLM on the AD CS servers and on domain controllers where possible.
That does not close the ability to abuse the Encrypting File System RPC call itself. That will likely require a patch.
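As an added example (not code from the original alert, and not Microsoft's own tooling), the following PowerShell audits the two mitigations discussed above on the server it runs on: Extended Protection for Authentication plus TLS on the AD CS web enrollment applications (the relay target), and the Print Spooler state (the MS-RPRN coercion vector). It also reads the incoming-NTLM restriction policy value. With -Harden it applies the AD CS settings and disables the Spooler. The site name is the IIS default, CertSrv is the default path for CA Web Enrollment, and the CES application name (which IIS derives from your CA name) is an assumption to be replaced.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original alert or from Microsoft.
# Run elevated on the AD CS / IIS host (and on domain controllers for the
# Spooler and NTLM checks). The CES application name is an assumption.
param([switch]$Harden)

Import-Module WebAdministration -ErrorAction Stop

$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$EpaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$SslFilter = 'system.webServer/security/access'
$EnrollmentApps = @(
    @{ Site = 'Default Web Site'; App = 'CertSrv' },                 # CA Web Enrollment (default path)
    @{ Site = 'Default Web Site'; App = 'CONTOSO-CA_CES_Kerberos' }  # Certificate Enrollment Web Service (assumed name)
)

function Get-AttributeValue {
    # Get-WebConfigurationProperty returns either a raw value or a
    # ConfigurationAttribute wrapper, depending on the attribute's type.
    param($Attr)
    if ($null -ne $Attr -and $null -ne $Attr.Value) { return [string]$Attr.Value }
    return [string]$Attr
}

function Get-EnrollmentAppState {
    param([string]$Site, [string]$App)
    $location = "$Site/$App"
    if (-not (Get-WebApplication -Site $Site -Name $App -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Location = $location; Present = $false; TokenChecking = $null; SslFlags = $null; Relayable = $null }
    }
    $token = Get-AttributeValue (Get-WebConfigurationProperty -PSPath $AppHost -Location $location -Filter $EpaFilter -Name tokenChecking)
    $ssl   = Get-AttributeValue (Get-WebConfigurationProperty -PSPath $AppHost -Location $location -Filter $SslFilter -Name sslFlags)
    [pscustomobject]@{
        Location      = $location
        Present       = $true
        TokenChecking = $token   # None / Allow / Require
        SslFlags      = $ssl     # must include Ssl for channel binding to exist
        # Relayed NTLM is only rejected when the channel-binding token is
        # required AND the channel is TLS; anything else is still relayable.
        Relayable     = -not ($token -eq 'Require' -and $ssl -match 'Ssl')
    }
}

function Set-EnrollmentAppHardening {
    param([string]$Location)
    # Require TLS first: EPA's channel binding needs a TLS channel to bind to.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $SslFilter -Name sslFlags -Value 'Ssl'
    # Require the channel-binding token; an NTLM exchange relayed from the
    # attacker's host carries the wrong (or no) binding and is refused.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $EpaFilter -Name tokenChecking -Value 'Require'
    # For CES, KB5005413 additionally requires editing that application's
    # web.config so the WCF binding enforces EPA
    # (<extendedProtectionPolicy policyEnforcement="Always" />). That file
    # lives under the CA-specific CES directory and is not touched here.
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return 'not installed' }
    "$($svc.Status), start type $($svc.StartType)"
}

function Disable-Spooler {
    # Removes the MS-RPRN coercion vector. EFSRPC has no equivalent switch.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
}

function Get-IncomingNtlmPolicy {
    # "Network security: Restrict NTLM: Incoming NTLM traffic"
    # 0 or absent = allow all, 1 = deny domain accounts, 2 = deny all accounts
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
            -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    if ($null -eq $v) { 0 } else { [int]$v }
}

foreach ($a in $EnrollmentApps) {
    $state = Get-EnrollmentAppState -Site $a.Site -App $a.App
    $state | Format-List
    if ($Harden -and $state.Present -and $state.Relayable) {
        Set-EnrollmentAppHardening -Location $state.Location
    }
}
"Print Spooler: $(Get-SpoolerState)"
if ($Harden) { Disable-Spooler }
"Restrict incoming NTLM (MSV1_0): $(Get-IncomingNtlmPolicy)  (2 = deny all, which makes relay impossible)"
```

Run it once without -Harden to see which enrollment applications are still relayable (TokenChecking not Require, or no Ssl flag), confirm TLS bindings exist on the site before requiring SSL, and remember that none of this removes the EFSRPC coercion itself; it only makes the relay target refuse the relayed authentication.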
Now that hackers have a roadmap, expect them to figure out new ways to abuse Windows networks.
This looks like a nasty one; assume that hackers will start exploiting this soon.