A French security researcher, Gilles Lionel, has discovered a security issue in Windows that lets an attacker force remote Windows machines to authenticate and share their NTLM password hashes.
The researcher has nicknamed the issue “PetitPotam” and released proof-of-concept (PoC) code earlier this week on his GitHub page.
He also explained that the issue stems from abuse of the MS-EFSRPC protocol, which enables Windows machines to perform operations on encrypted data stored on remote systems.

The PoC code shared by the researcher works by sending SMB requests to the MS-EFSRPC interface of the remote system, forcing it to start the authentication procedure and spit out its NTLM authentication hash.
Researchers believe that it is a very dangerous issue: it could force domain controllers (DCs) to spit out their hashes, which can in turn lead to complete takeover of a corporate internal network.
Hi all,
MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins on most orgz.
Here is one another way we use to elicit machine account auth via MS-EFSRPC. Enjoy!! 🙂 https://t.co/AGiS4f6yt8
— topotam (@topotam77) July 18, 2021
One worrying aspect of this attack is that it does not fail even when support for MS-EFSRPC is disabled on the target system.
As of now, this specific attack has been tested on Windows 10, Windows Server 2016 and Windows Server 2019. However, security researchers believe that it might be possible across the Windows versions available on the market. Unfortunately
“The problem with this type of attack is that it will take a considerable amount of time and considerations to develop appropriate countermeasures. These are design flaws that are more difficult to fix. It’s much easier to just patch a vulnerable font driver DLL or Internet Explorer library,” Florian Roth told the third-party site The Record.
However, Microsoft plans to issue a rough patch for this vulnerability, which can take some time.