Security News > 2021 > July > New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains

A newly uncovered security flaw in the Windows operating system can be exploited to coerce remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM relay attack and completely take over a Windows domain.

Specifically, the attack enables a domain controller to authenticate against a remote NTLM under a bad actor's control using the MS-EFSRPC interface and share its authentication information.

By forcing the targeted computer to initiate an authentication procedure and share its hashed passwords via NTLM, the PetitPotam attack can be chained to an exploit targeting Windows Active Directory Certificate Services to seize control of the entire domain.

While disabling support for MS-EFSRPC doesn't stop the attack from functioning, Microsoft has since issued mitigations for the issue, while characterizing "PetitPotam" as a "Classic NTLM relay attack," which permit attackers with access to a network to intercept legitimate authentication traffic between a client and a server and relay those validated authentication requests in order to access network services.

"To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication or signing features such as SMB signing," Microsoft noted.

Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/WPJDrP3D6Hw/new-petitpotam-ntlm-relay-attack-lets.html