French researcher Gilles Lionel, who goes by @topotam77, recently published proof-of-concept code that attackers could use to take over a Windows network.
The hack, which he has dubbed PetitPotam (a nod to the endangered Pygmy Hippopotamus, as far as we can tell), involves what’s known as an NTLM relay attack, which is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system.
Microsoft has been advising everyone to avoid NTLM, short for NT LAN Manager, for more than a decade, because it doesn’t meet modern cryptographic security standards.
Way back in 2012, for example, password researcher Jeremi Gosney, who describes himself as “your friendly neighborhood password cracker”, described and built a standalone password cracking computer, using 25 graphics cards, that could brute-force any eight-character Windows password from its NTLM hash in just six hours.
Unfortunately, NTLM authentication has proved hard to shake off altogether, with many network administrators keeping it alive because of legacy applications that can’t use the network without it.
Microsoft has added several NTLM mitigations over the years to try to close off various NTLM relay attack loopholes that remain.
This has steadily made it harder for attackers to trick Windows clients into talking to imposter authentication servers (the so-called “relays” in the attack) that could allow password hashes to be sniffed out, stolen and abused by attackers.
Ironically, one popular NTLM relay trick used in the past was to abuse the Microsoft Print System Remote Protocol (MS-RPRN) – what you could call a PrintNightmare of yesteryear.
As Lionel himself points out, however, “[using] MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins [in] most [organisations].”
His new proof-of-concept uses a similar attack (indeed, Lionel credits his code as “inspired by the previous work on MS-RPRN”), but abuses a different remote access protocol called MS-EFSRPC, short for Encrypting File System Remote Protocol.
Annoyingly, according to Lionel, turning off the underlying Encrypting Filing System service doesn’t seem to help, so the obvious mitigation that worked for old-school MS-RPRN attacks (namely, turning off the service that supported the at-risk protocol) won’t work here.
According to Microsoft, the PetitPotam code relies on abusing system functions that are enabled if all of these conditions apply:
- NTLM authentication is enabled in your domain.
- You are using Active Directory Certificate Services (AD CS).
- You have either Certificate Authority Web Enrollment or Certificate Enrollment Web Service enabled.
What to do?
Microsoft’s primary mitigation, which is probably the least intimidating system change to make, is to turn on an IIS feature known as Extended Protection for Authentication (EPA).
EPA protects the abovementioned Certificate Authority Web Enrollment and Certificate Enrollment Web Service features from relay attacks.
However, the most robust defence is to stop using NTLM anywhere in your network.
If you genuinely don’t need it (and it’s been deprecated for more than a decade) you can turn it off entirely on your domain controller to improve security for your whole network.
There’s also a middle ground of mitigation, if you do use NTLM but you don’t need it for Active Directory Certificate Services (AD CS), which involves turning NTLM authentication off specifically for the system components related to AD CS.
Microsoft’s official mitigation advice, which applies to Windows Server 2008, 2008 R2, 2016, 2019 and 2022, is listed in its Knowledgebase article 5005413:
Note. Sophos Central customers can use the Sophos Live Discover tool to search for indicators of risk and possible attack. Our EDR/XDR team has published sample queries to look for PetitPotam conditions, as well as for PetitPotam events.
6 comments on “Windows “PetitPotam” network attack – how to protect against it”
Paul, the first two links under the “What to do?” header have extra characters in the first part of the URL. Will you fix them, please?
Should be fixed now, thanks!
In the ‘What To Do’ section the link ‘stop using NTLM’ has an error. The correct link is https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain as far as I can work out.
Yes, I managed to include the text “http COLON SLASH SLASH can SPACE” at the start of the URL, which made it dud. Don’t know how that happened :-)
Both of them work now, sorry about that.
Does anyone know if disabling NTLM via the GPO method linked above disables NTLMv2 or just NTLM?
The article doesn’t explicitly say “this disables NTLM and NTLM v2” but it does say that it disables “all NTLM authentication”.
It also notes that “NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks […] eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.”
So I would be surprised if turning off “all NTLM” did not do exactly that, where “all” covets both v1 and v2.