A new NTLM relay attack dubbed PetitPotam has just been found, which may enable an attacker to take over an entire Windows domain.
According to a report by the French security researcher Gilles Lionel (also known as Topotam), a new method named “PetitPotam” allows attackers to carry out an NTLM relay attack by abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API.
For those who don’t know, MS-EFSRPC is Microsoft’s Encrypting File System Remote Protocol, which allows maintenance and administration of encrypted data that is stored remotely and accessed over a network.
Alongside the disclosure, Lionel released on GitHub a proof-of-concept script for the PetitPotam method that uses the MS-EFSRPC API to launch the attack against a domain controller’s NTLM logon credentials.
According to the details that have been revealed, an attacker may also abuse the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API to force the target system to authenticate to a remote server.
A blog article on Thehacker.recipes explains that, by issuing a particular RPC call, an attacker who controls a domain user or computer account can trigger the Print Spooler service on a target and make it authenticate to a host of the attacker’s choice. A successful attack may give the attacker full control of the domain controller, which in turn grants access to the Windows domain. Microsoft’s Print Spooler is the service that manages printing tasks, such as print jobs and related activities.
The researcher has also claimed that, aside from taking over the domain controller, the PetitPotam method might be used for additional attacks such as NTLMv1 downgrades and relaying machine accounts to computers where that machine account is a local administrator.
In response to the disclosure, many companies have deactivated MS-RPRN as a means of blocking this attack vector. Microsoft has also taken measures to mitigate the attacks and has issued a warning on PetitPotam and NTLM relay attacks. The company is encouraging all network operators to apply the official mitigations published in its advisory to protect against the issue.
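As an added example (not from the article, the researcher’s proof of concept, or Microsoft’s advisory), the following PowerShell audit checks two of the hardening points the article touches on: whether the Print Spooler service behind MS-RPRN is still running on the local host, and whether the NTLM policy still allows NTLMv1 responses. The function name and the OK/REVIEW labels are this example’s own conventions; run it as an administrator on the domain controller you want to inspect.

```powershell
# Added example: audit a host for the two PetitPotam-related hardening points
# mentioned in the article (Print Spooler / MS-RPRN exposure, NTLMv1 policy).
function Get-NtlmCoercionExposure {
    $findings = @()

    # MS-RPRN is served by the Print Spooler; on a domain controller that does not
    # print, the service should be stopped and its start type set to Disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings += [pscustomobject]@{ Check = 'Print Spooler'; Value = 'not installed'; Status = 'OK' }
    } else {
        $spoolerStatus = if ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') { 'REVIEW' } else { 'OK' }
        $findings += [pscustomobject]@{
            Check  = 'Print Spooler'
            Value  = "$($spooler.Status) / start type $($spooler.StartType)"
            Status = $spoolerStatus
        }
    }

    # LmCompatibilityLevel governs which NTLM versions this host sends and accepts.
    # Levels 0-2 can still produce NTLMv1 responses; only level 5 refuses LM and NTLMv1 entirely.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $lsa) {
        $findings += [pscustomobject]@{ Check = 'LmCompatibilityLevel'; Value = 'not set (OS default applies)'; Status = 'REVIEW' }
    } else {
        $level = [int]$lsa.LmCompatibilityLevel
        $lmStatus = if ($level -ge 5) { 'OK' } else { 'REVIEW' }
        $findings += [pscustomobject]@{ Check = 'LmCompatibilityLevel'; Value = $level; Status = $lmStatus }
    }

    return $findings
}

Get-NtlmCoercionExposure | Format-Table -AutoSize
```

Any row marked REVIEW is a starting point for applying the vendor’s published mitigations, not a confirmation that the host has been attacked.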