Last week we had seen about the new Windows based attack named “PetitPotam” which makes the windows machines to cough up the NTLM hashes(Link) that can lead to complete compromise of the domain.
Researcher named “Gilles Lionel” explained that this issue exists due to the abuses on MS-EFSRPC protocol which enables the windows machines to process operations on the encrypted data stored on remote systems.
The POC code shared by researchers works by sending the SMB requests to MS-EFSRPC interface of the remote system and force it to start the authentication procedure to spit out its NTLM authentication hash.
Luckily, Microsoft has addressed this issue via its advisory dated July 23rd, 2021 which says “Microsoft is aware of PetitPotam which can potentially be used in an attack on Windows domain controllers or other Windows servers. PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers. For example, see Microsoft Security Advisory 974926.
“To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.“
“PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413 instruct customers on how to protect their AD CS servers from such attacks.” reads the advisory.
Additionally Microsoft adds that that organization or entity is vulnerable if they had NTLM authentication enabled in their domain and using Active Directory Certificate Services with the services like Certificate Authority Web Enrollment & Certificate Enrollment Web Service.
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1