Podcast Aug 26, 2021

Root Causes 180: PetitPotam MSCA Attack

The PetitPotam attack against Microsoft CA has garnered a lot of attention. Our hosts describe this attack and define related terms like Mimikatz, pass-the-hash, and NTLM relay. The episode goes on to give a roadmap for mitigating this attack, including free resources available to help defend against it.

  • Original Broadcast Date: August 26, 2021

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, this is a Jay chooses the topic day today and I am going to give you one word, or I guess one phrase and I’m gonna slaughter it because it’s French and then you can take it from there. So, Jay, if I say to you PetitPotam what does that mean?

  • Jason Soroko

    That is, if I’m not mistaken, a French television show for children about a hippopotamus that gets into a lot of shenanigans.

  • Tim Callan

    Ok. I’m intrigued to find out how this connects back to PKI. So, let’s go.

  • Jason Soroko

    Fantastic. I guess people are running out of names of nefarious Greek Gods and whatever to name malware and different kinds of attacks. This one is interesting because it’s specifically an attack against Microsoft CA.

  • Tim Callan

    Yes. We all saw the headlines about this.

  • Jason Soroko

    Right. And so, they are labeling the attack PetitPotam and giving something that was known for so long a whole new name, I gotta question. But, whatever. It doesn’t matter. It is important and for those of you who are network administrators or you manage Microsoft CA, please listen to this podcast very carefully because I have some information for you and if it’s net-new, you’ve got some homework.

  • Tim Callan

    Ok.

  • Jason Soroko

    So, let’s describe the attack. So, for those of you who have been in security a long, long, long time, you’ve probably heard about NTLM relay attacks.

  • Tim Callan

    And what is an NTLM relay attack?

  • Jason Soroko

    We could get into the whole history of Microsoft stack authentication. I think rather than spending half an hour giving you a history lesson, let me tell you what’s important to know. How long has Windows been around? A long time, right?

  • Tim Callan

    Since the ‘80s. Sure.

  • Jason Soroko

    Since forever for many people. And, here’s what’s amazing about Windows. The authentication mechanisms are backwards compatible to like nearly the beginning.

  • Tim Callan

    Sure. Sure. That’s a very Windows thing to do. Yes.

  • Jason Soroko

    Right. And you can imagine because once you implement this thing, right, that’s one of the first things that could break and it would be a real pain if you couldn’t access your systems.

  • Tim Callan

    Right.

  • Jason Soroko

    So, basically, the problem is NTLM relay, like I think pass-the-hash attacks were first done, you know, Mark Russinovich, some of these guys, even before they were at Microsoft were showing this. Right now, it’s Benjamin Delpy and his Mimikatz implementation, which is white hat research. It’s just incredible that we still have these issues around logging in to a system with not necessarily the credential itself, let’s say the user name and password, but a hash representation of it. And of course, that hashed representation lives on a Windows device after the point in time at which the user has used it for a period of time. Problem is, that part of storage is incredibly important to actually protect and Microsoft has had a really hard time protecting that over the last 20 years.

    So, let me give you one of the nightmare scenarios. One of the nightmare scenarios is you call up, Tim, your network administrator, somebody who has a domain controller level user name and password and they log in. They remotely log into your laptop.

  • Tim Callan

    Yes.

  • Jason Soroko

    Well, their hash will have been deposited on your laptop for a period of time. So, then you go out, you are happy now the administrator did their thing. You don’t really care that that administrator’s hash is there. You don’t feel it.

  • Tim Callan

    Yeah. You don’t know it. You are not even aware probably. Yeah.

  • Jason Soroko

    And isn’t it great because that sensitive user name and password never had to cross the network. Fantastic. The only thing that actually got transmitted was that hash and it got transmitted in a very, very secure way and now it’s stored in a secure place in your laptop.

  • Tim Callan

    Right.

  • Jason Soroko

    The problem is, there’s all kinds of malware out there that can go and retrieve that.

  • Tim Callan

    Oh. Ok.

  • Jason Soroko

    Now what happens if that hash is retrieved by let’s say, Mimikatz. In fact, I’ve personally demonstrated this with various tools that exist with Kali Linux distribution for security pen testers, right. Once you have that hash, you can then use tools, tools that were officially mandated Microsoft tools that Mark Russinovich wrote many years ago. You are able to use that hash to log in to systems that are privileged with that credential.

  • Tim Callan

    Ah-ha. Gotcha.

  • Jason Soroko

    So, let’s get down to NT - - that’s pass the hash. That’s the pass the hashtag. You need to understand that before you can understand NTLM relay. Basically, it’s a man-in-the-middle attack where you’ve convinced a legitimate user to log in to your server and you’re essentially then playing the real server and the real client against each other. So, when the log in attempt occurs – thank you very much. You can then as the NTLM relay administrator basically send the same exact kind of, it’s basically a signed request right to the server. The server then sends what’s necessary for the challenge and then you can then pass that back to the user for finally saying, yes, you are now logged into me. Right?

  • Tim Callan

    Right.

  • Jason Soroko

    Once the challenge has been basically passed with basically the user typing in the user name and password, what is then in your possession as part of the NTLM relay attack is in fact a credential. Right? That hash which is then privileged sufficiently to log into that server.

  • Tim Callan

    Ok.

  • Jason Soroko

    So, the thing is, with that hash, you are then, in near real-time if you wish, able to take that generated hash and log into another server. That server may be a domain controller, for example. If it’s an administrative user, well, that’s bad news.

  • Tim Callan

    Yeah.

  • Jason Soroko

    So, the thing is, this attack has been around an awfully long time and there have been mitigations made. So, this is where the homework part of this podcast comes in.

  • Tim Callan

    Ok. I was going to ask and maybe this isn’t important, but what is new here?

  • Jason Soroko

    (laugh) That’s my question, Tim. I don’t know why this deserved a whole - - you know what it is? I think it’s because it’s so dangerous against specifically Microsoft CA because of the fact that a Microsoft CA server, you know, when it has a dedicated server, which it usually quite often does, this exact kind of attack can be used to go against it. It was always, always a threat. It has been mitigated to some point but there’s work and configuration work that has to be done to fully mitigate it.

  • Tim Callan

    Ok. So, yeah. Sorry for the aside, I think it was worth asking.

  • Jason Soroko

    Oh, it was totally worth asking.

  • Tim Callan

    So, what is our homework? What should we be doing?

  • Jason Soroko

    Right now, if this is all old news, great. In fact, that’s great news. However, if this is news to you and your organization runs Microsoft CA, you need to go search for KB5005413.

  • Tim Callan

    KB5005413. Let’s repeat that one more time in case people are scrambling for a pen. KB500 - - finish it…

  • Jason Soroko

    5413.

  • Tim Callan

    Ok. KB5005413. Alright.

  • Jason Soroko

    And you can also - - this is a support knowledge base, obviously, from Microsoft and it’s entitled “mitigating NTLM relay attacks on ADCS.” Perfect title.

  • Tim Callan

    Yes. Very clear.

  • Jason Soroko

    Yeah and, in fact, here’s the thing. Microsoft has issued patches for PetitPotam, but even Microsoft themselves will admit it’s insufficient in itself to fully mitigate it. So, therefore, you need to do specific configurations to fully lock down this problem.

  • Tim Callan

    Ok. Which are well-documented, I’m sure?

  • Jason Soroko

    Very, very well-documented, but let me tell you, Tim, a couple of things you can do just at a high level without getting into the weeds.

  • Tim Callan

    Ok.

  • Jason Soroko

    Part of the mitigation for this is EPA. Two things you can do are to enable EPA or extended protection for authentication on your MS CA server. EPA is obviously one of those very strong mitigations that Microsoft put in due to the long legacy of NTLM. In fact, it’s been around a very long time – this mitigation. And it’s interesting, Tim, because basically what it’s doing is it’s forcing a side channel of communication. Basically, in other words, this EPA is causing the attacker to not be able to take something generated from one server and then use it against another, such as a Microsoft CA server. So, in other words, because it’s an NTLM attack that basically fools the user to log into one specific server, and then use that credential to log into another, EPA essentially is a mitigation against that.

  • Tim Callan

    Gotcha. Sure.

  • Jason Soroko

    And then the other one is, of course, enable requiring SSL, which enables HTTPS connections between a client and the server. The problem with that, of course, is there is some amount of latency that is caused by that.

  • Tim Callan

    Yeah, but that’s got to be trivially small.

  • Jason Soroko

    And you know what? With the types of servers we have now, right, it’s always gotta be mentioned because technical people always bring it up.

  • Tim Callan

    Fair enough.

  • Jason Soroko

    But if you think about it, what you can do with an SSL connection is if you’ve established a connection with one server, and then try to use that side channel against another server, the other destination server is gonna go, “hey, I’m not who you are talking to.”

  • Tim Callan

    Right. Right.

  • Jason Soroko

    So, therefore, this is what that knowledge base article goes into great detail about how to configure and I mean there’s a lot of people out there running MS CA. Please check out that KB. It’s very detailed. It’s actually not that difficult to follow and it’s gotta be done. You have to lock down your MS CA server if it hasn’t been already.

  • Tim Callan

    Alright. Cool. Ok. Great. That sounds like good advice to check out if you haven’t already done that and if you, of course, are an MS CA shop.

  • Jason Soroko

    Yep. That’s it. Short and sweet.

  • Tim Callan

    Alright. Short and sweet. Thank you very much, Jay.

  • Jason Soroko

    Thanks, Tim.

  • Tim Callan

    This has been Root Causes.