Podcast
Root Causes 180: PetitPotam MSCA Attack
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
August 26, 2021
The PetitPotam attack against Microsoft CA has garnered a lot of attention. Our hosts describe this attack and define related terms like Mimikatz, pass-the-hash, and NTLM Relay. The episode goes on to give a roadmap for mitigating this attack , including free resources available to help defend against it.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanSo, this is a Jay chooses the topic day today and I am going to give you one word, or I guess one phrase and I’m gonna slaughter it because it’s French and then you can take it from there. So, Jay, if I say to you PetitPotam what does that mean?
Jason SorokoThat is, if I’m not mistaken, a French television show for children about a hippopotamus that gets into a lot of shenanigans.Tim CallanOk. I’m intrigued to find out how this connects back to PKI. So, let’s go.Jason SorokoFantastic. I guess people are running out of names of nefarious Greek Gods and whatever to name malware and different kinds of attacks. This one is interesting because it’s specifically an attack against Microsoft CA.Tim CallanYes. We all saw the headlines about this.Jason SorokoRight. And so, they are labeling the attack PetitPotam and giving something that was known for so long a whole new name, I gotta question. But, whatever. It doesn’t matter. It is important and for those of you who are network administrators or you managed Microsoft CA, please listen to this podcast very carefully because I have some information for you and if it’s net-new, you’ve got some homework.Tim CallanOk.Jason SorokoSo, let’s describe the attack. So, for those of you who have been security a long, long, long time, you’ve probably heard about NTLM relay attacks.Tim CallanAnd what is an NTLM relay attack?Jason SorokoWe could get into the whole history of Microsoft stack authentication. I think rather than spending half an hour giving you a history lesson, let me tell you what’s important to know. How long has Windows been around? A long time, right?Tim CallanSince the ‘80s. Sure.Jason SorokoSince forever for many people. And, here’s what’s amazing about Windows. The authentication mechanisms are backwards compatible to like nearly the beginning.Tim CallanSure. Sure. That’s a very Windows thing to do. Yes.Jason SorokoRight. And you can imagine because once you implement this thing, right, that’s one of the first things that could break and it would be a real pain if you couldn’t access your systems.Tim CallanRight.Jason SorokoSo, basically, the problem is NTLM relay, like I think past the hash attacks were first done, you know, Mark Russinovich, some of these guys, even before they were at Microsoft were showing this. Right now, it’s Benjamin Delpy and his Mimikatz implementation, which is a white hat research. It’s just incredible that we still have these issues around logging in to a system with not necessarily the credential itself, let’s say the user name and password, but a hash representation of it. And of course, that hashed representation lives on a Windows device after the point in time at which the user has used it for a period of time. Problem is, that part of storage is incredibly important to actually protect and Microsoft has had a really hard time protecting that over the last 20 years. So, let me give you one of the nightmare scenarios. One of the nightmare scenarios is you call up, Tim, your network administrator, somebody who has a domain controller level user name and password and they log in. They remotely log into your laptop.
Tim CallanYes.Jason SorokoWell, their hash will have been deposited on your laptop for a period of time. So, then you go out, you are happy now the administrator did their thing. You don’t really care that that administrator’s hash is there. You don’t feel it.Tim CallanYeah. You don’t know it. You are not even aware probably. Yeah.Jason SorokoAnd isn’t it great because that sensitive user name and password never had to cross the network. Fantastic. The only thing that actually got transmitted was that hash and it got transmitted in a very, very secure way and now it’s stored in a secure place in your laptop.Tim CallanRight.Jason SorokoThe problem is, there’s all kinds of malware out there that can go and retrieve that.Tim CallanOh. Ok.Jason SorokoNow what happens if that hash is retrieved by let’s say, Mimikatz. In fact, I’ve personally demonstrated this with various tools that exist with Kali Linux distribution for security pen testers, right. Once you have that hash, you can then use tools, tools that were officially mandated Microsoft tools that Mark Russinovich wrote many years ago. You are able to use that hash to log in to systems that are privileged with that credential.Tim CallanAh-ha. Gotcha.Jason SorokoSo, let’s get down to NT - - that’s pass the hash. That’s the pass the hashtag. You need to understand that before you can understand NTLM relay. Basically, it’s a man-in-the-middle attack where you’ve convinced a legitimate user to log in to your server and you’re essentially then playing the real server and the real client against each other. So, when the log in attempt occurs – thank you very much. You can then as the NTLM relay administrator basically send the same exact kind of, it’s basically a signed request right to the server. The server then sends what’s necessary for the challenge and then you can then pass that back to the user for finally saying, yes, you are now logged into me. Right?Tim CallanRight.Jason SorokoOnce the challenge has been basically passed with basically the user typing in the user name and password. What then is your possession as part of the NTLM relay attack is in fact a credential. Right? That hash which is then privileged sufficiently to log into that server.Tim CallanOk.Jason SorokoSo, the thing is, with that hash, you are then, in near real-time if you wish, able to take that generated hash and log into another server. That server may be a domain controller, for example. If it’s an administrative user. Well, that’s bad news.Tim CallanYeah.Jason SorokoSo, the thing is, this attack has been around an awfully long time and there have been mitigations made. So, this is where the homework part of this podcast comes in.Tim CallanOk. I was going to ask and maybe this isn’t important, but what is new here?Jason Soroko(laugh) That’s my question, Tim. I don’t know why this deserved a whole - - you know what it is? I think it’s because it’s so dangerous against specifically Microsoft CA because of the fact that a Microsoft CA server, you know, when it has a dedicated server, which it usually quite often does, this exact kind of attack can be used to go against it. It was always, always a threat. It has been mitigated to some point but there’s work and configuration work that has to be done to fully mitigate it.Tim CallanOk. So, yeah. Sorry for the aside, I think it was worth asking.Jason SorokoOh, it was totally worth asking.Tim CallanSo, what is our homework? What should we be doing?Jason SorokoRight now, if this is all old news. Great. In fact, that’s great news. However, if this is news to you and your organization runs Microsoft CA, you need to go search for KB5005413.Tim CallanKB5005413. Let’s repeat that one more time in case people are scrambling for a pen. KB500 - - finish it…Jason Soroko5413.Tim CallanOk. KB5005413. Alright.Jason SorokoAnd you can also - - this is a support knowledge base, obviously, from Microsoft and it’s entitled “mitigating NTLM relay attacks on ADCS.” Perfect title.Tim CallanYes. Very clear.Jason SorokoYeah and, in fact, here’s the thing. Microsoft has issued patches for PetitPotam, but even Microsoft themselves will admit it’s insufficient in itself to fully mitigate it. So, therefore, you need to do specific configurations to fully lock down this problem.Tim CallanOk. Which are well-documented, I’m sure?Jason SorokoVery, very well-documented, but let me tell you, Tim, a couple of things you can do just at a high level without getting into the weeds.Tim CallanOk.Jason SorokoPart of the mitigation for this is EPA. Two things you can do are to enable EPA or extended protection for authentication on your MS CA server. EPA is obviously one of those very strong mitigations that Microsoft put in due to the long legacy of NTLM. In fact, it’s been around a very long time – this mitigation. And it’s interesting, Tim, because basically what it’s doing is it’s forcing a side channel of communication. Basically, in other words, this EPA is causing the attacker to not be able to take something generated from one server and then use it against another, such as a Microsoft CA server. So, in other words, because it’s an NTLM attack that basically fools the user to log into one specific server, and then use that credential to log into another, EPA essentially is a mitigation against that.Tim CallanGotcha. Sure.Jason SorokoAnd then the other one is, of course, enable requiring SSL, which enables HTTPS connections between a client and the server. The problem with that, of course, is there is some amount of latency that is caused by that.Tim CallanYeah, but that’s got to be trivially small.Jason SorokoAnd you know what? With the types of servers we have now, right, it’s always gotta be mentioned because technical people always bring it up.Tim CallanFair enough.Jason SorokoBut if you think about it, what can you do with an SSL connection is if you’ve established a connection with one server, and then try to use that side channel against another server, the other destination server is gonna go, “hey, I’m not who you are talking to.”Tim CallanRight. Right.Jason SorokoSo, therefore, this is what that knowledge base article goes into great detail about how to configure and I mean there’s a lot of people out there running MS CA. Please check out that KB. It’s very detailed. It’s actually not that difficult that follow and it’s gotta be done. You have to lock down your MS CA server if it hasn’t been already.Tim CallanAlright. Cool. Ok. Great. That sounds like good advice to check out if you haven’t already done that and if you, of course, are an MS CA shop.Jason SorokoYep. That’s it. Short and sweet.Tim CallanAlright. Short and sweet. Thank you very much, Jay.Jason SorokoThanks, Tim.Tim CallanThis has been Root Causes.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
