PetitPotam
The flaw allows an unauthenticated attacker to coerce a Domain Controller to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC) by abusing Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC)
This technique allows an unauthenticated attacker to take over a Windows domain where Active Directory Certificate Services (AD CS)
A new digital certificate is made.This certificate can then be used with a tool such as Rubeus or gettgtpkinit.py from PKINITtools to request a TGT for the Domain Controller, which can then be used to achieve domain compromise via a DCSync attack.
For more on NTLM relaying to AD CS and the PetitPotam attack.
There is also a powershell version Invoke-PetitPotam.ps1
Start nltmrelayx.py
Run PetitPotam
Request a TGT
DCSync
Set the KRB5CCNAME and do:
OR getnthash.py
Use the AS-ReP encryption key from when we requested TGT
Then secretsdump:
Rubeus
Alternatively, once we obtain the base64 certificate via ntlmrelayx.py, we could use the certificate with the Rubeus tool on a Windows attack host to request a TGT ticket and perform a pass-the-ticket (PTT) attack all at once.
Mimikatz
Then Golden Ticket
Last updated
