What is the PetitPotam attack? How to mitigate a PetitPotam attack
Recently, French security researcher Gilles Lionel, aka Topotam, published a new attack technique called PetitPotam. It is an NTLM relay attack that does not rely on the MS-RPRN print spooler interface used by the earlier "printer bug"; instead it abuses the EfsRpcOpenFileRaw function of the MS-EFSRPC API. The function accepts a UNC path, and the server that processes the call authenticates to the host named in that path, so an attacker can force a target machine, including a domain controller, to send its NTLM authentication to a host the attacker controls and then relay it elsewhere.
MS-EFSRPC is Microsoft's Encrypting File System Remote (EFSRPC) Protocol, used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over the network.
According to Lionel, this is not a vulnerability but an abuse of a legitimate feature of the system. PetitPotam not only allows an attacker to take over an entire Windows domain but also opens the way to other attacks, Lionel said.
Soon after Lionel published his research on GitHub, other security researchers began testing it. Security researcher Rémi Escourrou confirmed that PetitPotam can be used to take control of an entire Active Directory environment, and added that there is practically no way to block PetitPotam.
PetitPotam affects Windows Server 2008 through 2019. According to Microsoft, there is no indication that the PetitPotam technique has been used in real-world attacks.
Microsoft shares how to fix PetitPotam
In an advisory (KB5005413), Microsoft acknowledged that organizations are exposed to PetitPotam when NTLM authentication coerced from a domain controller is relayed to Active Directory Certificate Services (AD CS) web enrollment, which then issues a certificate for the domain controller's account. Microsoft has not released a patch; instead it advises organizations to take the following measures to limit the damage PetitPotam can cause:
- Disable NTLM where it is not needed (for example on domain controllers), or at least deny incoming NTLM on them after auditing which systems still use it
- Enable Extended Protection for Authentication (EPA) on the AD CS web enrollment services (Certificate Authority Web Enrollment and Certificate Enrollment Web Service) and require TLS on them, so that a relayed NTLM exchange no longer matches the channel it was captured from and is rejected
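As an added worked example (not code from the original article, from Lionel's tool, or from Microsoft's advisory), the following PowerShell audits the two mitigations above and, with -Apply, enforces them on a Windows Server host. The registry values are the documented backing store for the "Network security: Restrict NTLM" policies; the site path 'IIS:\Sites\Default Web Site\CertSrv' is the default AD CS web enrollment location and is an assumption for your environment. The optional -BlockEfsRpc switch adds an RPC filter that blocks the two MS-EFSRPC interface UUIDs; that is a community hardening step rather than Microsoft guidance, and because it also blocks legitimate remote EFS management it should be tested before deployment.

```powershell
<#
  Added example, not code from the original article or from Microsoft's advisory.
  Audits (and with -Apply, enforces) the two mitigations listed above:
    1. restrict NTLM on a domain controller
    2. require Extended Protection for Authentication on AD CS web enrollment
  With -BlockEfsRpc it also adds an RPC filter that blocks the MS-EFSRPC interface,
  a community hardening step, not Microsoft guidance; it breaks remote EFS management.
  Run in an elevated PowerShell session on the relevant server.
#>
[CmdletBinding()]
param(
    [switch]$Apply,         # audit only unless this is set
    [switch]$BlockEfsRpc    # also add the MS-EFSRPC RPC filter
)

# Registry values behind the "Network security: Restrict NTLM" policies.
# RestrictReceivingNTLMTraffic 2 = deny all accounts, RestrictNTLMInDomain 7 = deny all,
# AuditReceivingNTLMTraffic 2 = audit all accounts (review event 8004 before denying).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmSettings = @{
    RestrictReceivingNTLMTraffic = 2
    RestrictNTLMInDomain         = 7
    AuditReceivingNTLMTraffic    = 2
}

# Assumption: AD CS web enrollment is installed at the default site path.
$certSrv   = 'IIS:\Sites\Default Web Site\CertSrv'
$epaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$sslFilter = 'system.webServer/security/access'

# Interface UUIDs of MS-EFSRPC (\pipe\efsrpc and \pipe\lsarpc endpoints).
$efsrpcUuids = @('c681d488-d850-11d0-8c52-00c04fd90f7e',
                 'df1941c5-fe89-4e79-bf10-463657acf44d')

function Test-NtlmRestriction {
    # Returns $true only if every expected value is set.
    $ok = $true
    foreach ($name in $ntlmSettings.Keys) {
        $current = (Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $ntlmSettings[$name]) { $ok = $false }
        Write-Host ("NTLM  {0,-30} current={1} wanted={2}" -f $name, $current, $ntlmSettings[$name])
    }
    return $ok
}

function Set-NtlmRestriction {
    foreach ($name in $ntlmSettings.Keys) {
        New-ItemProperty -Path $lsa -Name $name -PropertyType DWord `
            -Value $ntlmSettings[$name] -Force | Out-Null
    }
}

function Test-CertSrvEpa {
    Import-Module WebAdministration -ErrorAction Stop
    $token = (Get-WebConfiguration -Filter $epaFilter -PSPath $certSrv).tokenChecking
    $ssl   = (Get-WebConfiguration -Filter $sslFilter -PSPath $certSrv).sslFlags
    Write-Host ("EPA   tokenChecking={0} sslFlags={1}" -f $token, $ssl)
    # EPA only binds the NTLM exchange to the TLS channel when the site requires SSL.
    return ($token -eq 'Require') -and ($ssl -match 'Ssl')
}

function Set-CertSrvEpa {
    Import-Module WebAdministration -ErrorAction Stop
    Set-WebConfigurationProperty -Filter $epaFilter -PSPath $certSrv -Name tokenChecking -Value 'Require'
    Set-WebConfigurationProperty -Filter $sslFilter -PSPath $certSrv -Name sslFlags -Value 'Ssl'
}

function Test-EfsRpcFilter {
    # True when a block filter exists for both MS-EFSRPC interface UUIDs.
    $filters = netsh rpc filter show filter | Out-String
    return ($efsrpcUuids | ForEach-Object { $filters -match $_ }) -notcontains $false
}

function Set-EfsRpcFilter {
    # The netsh "rpc filter" context is driven from a command file.
    $commands = foreach ($uuid in $efsrpcUuids) {
        'add rule layer=um actiontype=block'
        "add condition field=if_uuid matchtype=equal data=$uuid"
        'add filter'
    }
    $tmp = New-TemporaryFile
    @('rpc', 'filter') + $commands + 'quit' | Set-Content -Path $tmp.FullName
    netsh -f $tmp.FullName | Out-Null
    Remove-Item $tmp.FullName
}

if ($Apply) {
    Set-NtlmRestriction
    Set-CertSrvEpa
    if ($BlockEfsRpc) { Set-EfsRpcFilter }
}

$results = [ordered]@{
    'NTLM restricted'      = Test-NtlmRestriction
    'CertSrv EPA required' = Test-CertSrvEpa
}
if ($BlockEfsRpc) { $results['MS-EFSRPC blocked'] = Test-EfsRpcFilter }
$results.GetEnumerator() | ForEach-Object {
    Write-Host ("{0,-22} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'NOT APPLIED' }))
}
```

Run it without switches first: the audit output shows which settings are still missing, and the NTLM audit value lets you collect event 8004 for a while to find clients that still depend on NTLM before switching the domain controller to "deny all". The EPA check deliberately requires both tokenChecking=Require and an SSL-only site, since channel binding does nothing on a plain-HTTP enrollment endpoint.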
However, PetitPotam works by abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to force a machine to authenticate to an attacker-chosen host, and that coerced authentication can be relayed to targets other than AD CS. Microsoft's advice hardens the most damaging relay target and limits NTLM relay in general, but it does not address the MS-EFSRPC coercion itself. A full fix would require Microsoft to ship an update for that interface.
Security expert Benjamin Delpy said that the mitigations Microsoft offered were not satisfactory, noting that the EFSRPC protocol is not even mentioned.