A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain. […]
Specifically, the attack enables a domain controller to authenticate against a remote NTLM under a bad actor’s control using the MS-EFSRPC interface and share its authentication information. This is done by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication.
The Hacker News
- New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains (The Hacker News)
- PetitPotam – NTLM Relay to AD CS (Pentestlab)
- Lateral Movement – WebClient (Pentestlab – example on using PetitPotam)
Check if vulnerable
crackmapexec smb $DC_IP -u $USER -p $PASS -d example.com -M petitpotam
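The command above tests whether the coercion works; the log-side counterpart is spotting the relayed authentication after the fact. As an added example (not code from the page or from the linked PetitPotam projects), the Python below flags a successful NTLM network logon (4624, logon type 3) by a machine account that did not come from the address that machine is known to use, which is what a coerced DC machine account relayed to the AD CS host looks like. The inventory and the log records are constructed, with the field names the Security log uses.

```python
"""Flag NTLM network logons by a machine account from an unexpected source.

After a PetitPotam coercion, the relayed NTLM authentication of the DC's
machine account (DC01$ here) appears on the relay target, typically the
AD CS web enrollment host, as a 4624 logon from the attacker's IP rather
than from the DC itself. Inventory and log lines below are constructed.
"""
import re

# Constructed inventory: machine account -> address it should log on from.
MACHINE_INVENTORY = {
    "DC01$": "10.0.0.10",
    "CA01$": "10.0.0.20",
}

# Constructed 4624/4625 records, one per line, as key=value pairs of the
# fields a SIEM would normally extract from the Security log.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=DC01$ LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.10
EventID=4624 TargetUserName=DC01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.77
EventID=4624 TargetUserName=CA01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.20
EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.77
EventID=4625 TargetUserName=DC01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))

def is_suspicious(event, inventory=MACHINE_INVENTORY):
    """True for a successful NTLM network logon by a machine account whose
    source address differs from the inventory entry. Machine accounts not
    in the inventory are not flagged; a baseline for them is needed first."""
    if event.get("EventID") != "4624" or event.get("LogonType") != "3":
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    account = event.get("TargetUserName", "")
    if not account.endswith("$"):
        return False  # human accounts need a different rule
    expected = inventory.get(account)
    return expected is not None and event.get("IpAddress") != expected

def find_relayed_logons(log_text, inventory=MACHINE_INVENTORY):
    """Return (account, source_ip) for every suspicious record in the log."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_suspicious(ev, inventory):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    for account, ip in find_relayed_logons(SAMPLE_LOG):
        print(f"possible relayed NTLM logon: {account} from {ip}")
```

Only the DC01$ NTLM logon from 10.0.0.77 is reported; the Kerberos logon from the DC's own address, the failed 4625 and the human account are ignored.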
Download exploit
- PetitPotam (GitHub), original implementation
- PetitPotam (GitHub), Python implementation by ly4k