“PetitPotam” Windows LSA Spoofing Vulnerability (CVE-2021-36942)

Microsoft AD Domain Services Privilege Escalation (CVE-2021-42287 and CVE-2021-42278)

The CISA Known Exploited Vulnerabilities (KEV) Catalog lists cybersecurity vulnerabilities known to be actively exploited and helps prioritize vulnerability management. CISA includes a due date to remediate the vulnerability, typically two to three weeks from its submission. Actively monitoring the KEV catalog and understanding how these vulnerabilities can be exploited helps security teams recognize each vulnerability’s risk and threat to their network environments. Subscribe to CISA’s KEV Catalog Update Bulletin to stay up to date on new KEV Catalog vulnerabilities.

Date Added to KEV Catalog: November 03, 2021

CISA Due Date for Remediation: November 17, 2021

Vulnerability

“PetitPotam” is an NTLM relay attack, and a vulnerability commonly checked for in Active Directory penetration testing. In August 2021 it was reported that the ransomware group LockFile used PetitPotam with ProxyShell to compromise Windows Domain Controllers.  This vulnerability targets Windows Local Security Authority (LSA). An unauthenticated attacker can call the LSARPC and coerce the DC to use NTLM by using methods like Encrypting File System Remote (EFSRPC). Domain Controllers that host AD Certificate Services are commonly targeted for NTLM relay.  
Will Dorman explains: “By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller. This attack, known as a “Golden Ticket” attack, can be used to fully compromise the entire Active Directory infrastructure.”

CVE-2021-36942 vs CVE-2022-26925 
Currently, the most recent PetitPotam vulnerability is CVE-2022-26925 which allows an unauthenticated attacker to target DC with LSARPC.

Since there are both unauthenticated and authenticated vulnerabilities, penetration testers typically check for both. During an Active Directory penetration test, the unauthenticated vulnerability is checked for during initial enumeration and the authenticated vulnerability can be checked again after the tester gets valid domain credentials. 

Systems Affected and Detection

These operating systems are vulnerable: 

  • Windows Server 2008 R2 
  • Windows Server 2012 R2 
  • Windows Server 2016 
  • Windows Server 2019 
  • Windows Server 2004 
  • Windows Server 20H2

PetitPotam primarily (but not exclusively) affects Active Directory Certificate Services (AD CS) with 
Certificate Authority Web Enrollment and Certificate Enrollment Web Service.

There are various detection options including Metasploit, CrackMapExec, and Nessus. 

Before running the Metasploit PetitPotam scanner, an SMB server should be run in the background on Metasploit: auxiliary/server/capture/smb. 
Then the scanner (auxiliary/scanner/dcerpc/petitpotam) options can be set and run: 
RHOSTS- to match target 
VERBOSE- true 
LISTENER- to match the listening SMB Server  
PIPE- the default is lsarpc. Other named pipes include: efsrpc, samr, lsass, netlogon

CrackMapExec includes a SMB module: 

crackmapexec smb <ip> -u ” -p ” -M petitpotam 

Tenable also detects for PetitPotam.  

 

Exploitation

The most popular exploit tool is by topotam on GitHub, which has Windows executable (.exe) and python options. Similarly, Swisskyrepo on GitHub provides a good breakdown of how to exploit PetitPotam, simplified here: 

  1. Setup Responder: responder -I eth0 –lm 
  2. Run PetitPotam (with DC-IP, Responder-IP, and with or without credentials)
  3. Crack the NTLM hash
  4. DC Sync Using the Pass-the-Hash

Remediation

Microsoft’s KB5005413 “Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)” outlines various mitigation options. They include: 

  • Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment and Certificate Enrollment Web Service 
  • After enabling EPA, update the Web.config file created by CES  
  • Require SSL 
  • Enable SMB Signing 
  • Disable NTLM authentication. Examples include disabling NTLM for the Windows DC, AD CS Servers, and IIS running the Certificate Authority Web Enrollment and Certificate Enrollment Web Service. 

References: