Mitigating PetitPotam NTLM Vulnerability

By Keren Pollack, on July 30th, 2021

NTLM is a veteran authentication protocol. It is known to be insecure, therefore there are better options to replace it in the market. Yet, getting rid of it can be tough and sometimes impossible.

 

PetitPotam is a recently discovered vulnerability that uses NTLM’s remote authentication protocol- EFSRPC. This vulnerability eventually allows attackers to perform an NTLM relay attack and completely take over a Windows domain. This vulnerability emphasizes once again the urgent need to stop using veteran vulnerable services. Since it is a complex task, the need for hardening automation tools has never been greater.

NTLM Vulnerabilities Review

 

Encrypting File System Remote (EFSRPC) Protocol:

The EFSRPC is used by NTLM when remote authentication is required. This protocol is also used for the management and maintenance of encrypted data stored in a remote server, such as Domain Controllers and Certificate Authority servers. Accessing these kinds of servers and gaining access to this data will allow an attacker to easily gain control over a domain.

 

PetitPotam Attack Mechanism:

An attacker requests to connect with a Domain Controller via the EFSPRC and forces it to use NTLM (instead of Kerberos or more secure authentication mechanisms).

NTLM v1 and v2 vs Kerberos

Once the authentication is done using NTLM, the attacker performs a classic NTLM relay to grab the hashed password.

The attack usually targets IIS servers installed on the Domain Controller and are used for certificate service web enrollment. Once the attacker has domain credentials, he breaches the web enrollment, gets the certificate, and gains control over the domain.

 

Mitigating PetitPotam:

Your first choice (if possible) should be to stop using NTLM. You should be aware that disabling NTLM can have devastating consequences on your production, and should be done carefully. Preparation must be done by first mapping where NTLM is being used and what will be the impact of disabling it. Since this only is a huge task, many organizations decide to neglect it and remain vulnerable. We suggest using a hardening automation tool to automatically locate enabled NTLM and generate an impact analysis report.

 

If you can’t disable NTLM completely, you have two other options:

  1. Enable Windows Security: Restrict NTLM incoming traffic – this setting allows you to control where NTLM is being used and to enable it only if required. This will also require you to either manually map NTLM and perform an impact analysis, or use a hardening automation tool to save time and resources.
  2. Disable NTLM in the IIS servers installed on the certificate service server – this method will not protect you from NTLM relay attacks but will mitigate PetitPotam since the attacker won’t be able to reach the certificate.

 

This type of attack emphasizes the need to stop using old and vulnerable services such as NTLM. Since it is a complex task for organizations with a large infrastructure, it also emphasizes the need for hardening automation tools.