In a revision of KnowledgeBase article KB5005413, Microsoft has provided more elaborate mitigation instructions for the PetitPotam attacks that were disclosed a week ago.
PetitPotam is the name for an attack method using a bug that was found by a security researcher who also published a proof-of-concept (PoC) exploit code. The attack could force remote Windows systems to reveal password hashes that could then be easily cracked. Microsoft quickly sent out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager (NTLM) to thwart an attack.
PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers. It does this by performing an NTLM relay attack that does not rely on the Microsoft’s Print System Remote Protocol (MS-RPRN) API but instead uses the EfsRpcOpenFileRaw function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely and accessible over a network. The PetitPotam PoC takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.
Pass the hash
As we saw when discussing the HiveNightmare zero-day, hashed passwords are useful to attackers. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that “mathematical operation” required to gain access. The authentication process does not require the plaintext password. The hash is enough.
So, pass the hash is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.
Hard to patch
Since the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without “breaking stuff.” Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited.
The Microsoft advisory lists these Microsoft Server Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. It also states that companies are vulnerable to a PetitPotam attack if NTLM authentication is enabled in their domains and/or if they are using Active Directory Certificate Services (AD CS) with the services “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service.”
New mitigation details
Microsoft has divided the mitigation techniques into a Primary part and an Additional part.
On AD CS servers open the Internet Information Services (IIS) Manager and do the following:
- Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment, “Required” being the more secure and recommended option.
- Enable EPA for Certificate Enrollment Web Service, “Required” being the more secure and recommended option. After enabling EPA in the UI, the Web.config file created by CES role at <%windir%>systemdataCES
_CES_Kerberosweb.configshould also be updated by adding set with a value of either WhenSupported or Always depending on the Extended Protection option selected in the IIS UI.
- Enable Require SSL, which will enable only HTTPS connections.
Disable the deprecated NTLM authentication where possible.
- Disable NTLM Authentication on your Windows domain controller.
- Disable NTLM on any AD CS Servers in your domain using the group policy (GPO). To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, you can add exceptions as necessary.
- Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
Important note: After completing the above steps, you will need to restart IIS to load the changes. To restart IIS, open an elevated Command Prompt window, type the following command, and then press ENTER:
This command stops all IIS services that are running and then restarts them.
For full instructions including screenshots please look at the revised KB5005413.