Root Causes 180: PetitPotam MSCA Attack

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: August 26, 2021

The PetitPotam attack against Microsoft CA (Active Directory Certificate Services) has garnered a lot of attention. Our hosts describe this attack and define related terms like Mimikatz, pass-the-hash, and NTLM relay. The episode goes on to give a roadmap for mitigating this attack, including free resources available to help defend against it.

Podcast Transcript

Lightly edited for flow and brevity.
Tim Callan: So, this is a "Jay chooses the topic" day today, and I am going to give you one word, or I guess one phrase, and I'm gonna slaughter it because it's French, and then you can take it from there. So, Jay, if I say to you "PetitPotam," what does that mean?
Jason Soroko: That is, if I'm not mistaken, a French television show for children about a hippopotamus that gets into a lot of shenanigans.
Tim Callan: Ok. I'm intrigued to find out how this connects back to PKI. So, let's go.
Jason Soroko: Fantastic. I guess people are running out of names of nefarious Greek gods and whatever to name malware and different kinds of attacks. This one is interesting because it's specifically an attack against Microsoft CA.
Tim Callan: Yes. We all saw the headlines about this.
Jason Soroko: Right. And so, they are labeling the attack PetitPotam and giving something that was known for so long a whole new name, which I gotta question. But, whatever. It doesn't matter. It is important, and for those of you who are network administrators or who manage Microsoft CA, please listen to this podcast very carefully, because I have some information for you, and if it's net-new, you've got some homework.
Tim Callan: Ok.
Jason Soroko: So, let's describe the attack. For those of you who have been in security a long, long, long time, you've probably heard about NTLM relay attacks.
Tim Callan: And what is an NTLM relay attack?
Jason Soroko: We could get into the whole history of Microsoft stack authentication. I think rather than spending half an hour giving you a history lesson, let me tell you what's important to know. How long has Windows been around? A long time, right?
Tim Callan: Since the '80s. Sure.
Jason Soroko: Since forever, for many people. And here's what's amazing about Windows: the authentication mechanisms are backwards compatible to, like, nearly the beginning.
Tim Callan: Sure. Sure. That's a very Windows thing to do. Yes.
Jason Soroko: Right. And you can imagine, because once you implement this thing, right, that's one of the first things that could break, and it would be a real pain if you couldn't access your systems.
Tim Callan: Right.
Jason Soroko: So, basically, the problem is NTLM relay. Like, I think pass-the-hash attacks were first done, you know, by Mark Russinovich, some of these guys, even before they were at Microsoft, who were showing this. Right now, it's Benjamin Delpy and his Mimikatz implementation, which is white-hat research. It's just incredible that we still have these issues around logging in to a system with not necessarily the credential itself, let's say the user name and password, but a hash representation of it. And of course, that hashed representation lives on a Windows device for a period of time after the point at which the user has used it. The problem is, that part of storage is incredibly important to actually protect, and Microsoft has had a really hard time protecting that over the last 20 years.

So, let me give you one of the nightmare scenarios. One of the nightmare scenarios is you call up, Tim, your network administrator, somebody who has a domain controller level user name and password, and they log in. They remotely log into your laptop.
Tim Callan: Yes.
Jason Soroko: Well, their hash will have been deposited on your laptop for a period of time. So, then you go out, you are happy now the administrator did their thing. You don't really care that that administrator's hash is there. You don't feel it.
Tim Callan: Yeah. You don't know it. You are probably not even aware. Yeah.
Jason Soroko: And isn't it great, because that sensitive user name and password never had to cross the network. Fantastic. The only thing that actually got transmitted was that hash, and it got transmitted in a very, very secure way, and now it's stored in a secure place in your laptop.
Tim Callan: Right.
Jason Soroko: The problem is, there's all kinds of malware out there that can go and retrieve that.
Tim Callan: Oh. Ok.
Jason Soroko: Now what happens if that hash is retrieved by, let's say, Mimikatz? In fact, I've personally demonstrated this with various tools that exist in the Kali Linux distribution for security pen testers, right. Once you have that hash, you can then use tools, tools that were officially mandated Microsoft tools that Mark Russinovich wrote many years ago. You are able to use that hash to log in to systems that are privileged with that credential.
Tim Callan: Ah-ha. Gotcha.
Jason Soroko: So, let's get down to NT - - that's pass the hash. That's the pass-the-hash tag. You need to understand that before you can understand NTLM relay. Basically, it's a man-in-the-middle attack where you've convinced a legitimate user to log in to your server, and you're essentially then playing the real server and the real client against each other. So, when the login attempt occurs – thank you very much. You can then, as the NTLM relay administrator, basically send the same exact kind of, it's basically a signed request, right to the server. The server then sends what's necessary for the challenge, and then you can pass that back to the user for finally saying, yes, you are now logged into me. Right?
Tim Callan: Right.
Jason Soroko: Once the challenge has been basically passed, with basically the user typing in the user name and password, what you then have in your possession as part of the NTLM relay attack is in fact a credential. Right? That hash, which is then privileged sufficiently to log into that server.
Tim Callan: Ok.
Jason Soroko: So, the thing is, with that hash, you are then, in near real-time if you wish, able to take that generated hash and log into another server. That server may be a domain controller, for example. If it's an administrative user, well, that's bad news.
Tim Callan: Yeah.
Jason Soroko: So, the thing is, this attack has been around an awfully long time, and there have been mitigations made. So, this is where the homework part of this podcast comes in.
Tim Callan: Ok. I was going to ask, and maybe this isn't important, but what is new here?
Jason Soroko: (laugh) That's my question, Tim. I don't know why this deserved a whole - - you know what it is? I think it's because it's so dangerous against specifically Microsoft CA, because of the fact that a Microsoft CA server, you know, when it has a dedicated server, which it usually, quite often, does, this exact kind of attack can be used to go against it. It was always, always a threat. It has been mitigated to some point, but there's work, and configuration work, that has to be done to fully mitigate it.
Tim Callan: Ok. So, yeah. Sorry for the aside. I think it was worth asking.
Jason Soroko: Oh, it was totally worth asking.
Tim Callan: So, what is our homework? What should we be doing?
Jason Soroko: Right now, if this is all old news, great. In fact, that's great news. However, if this is news to you and your organization runs Microsoft CA, you need to go search for KB5005413.
Tim Callan: KB5005413. Let's repeat that one more time in case people are scrambling for a pen. KB500 - - finish it…
Jason Soroko: 5413.
Tim Callan: Ok. KB5005413. Alright.
Jason Soroko: And you can also - - this is a support knowledge base, obviously, from Microsoft, and it's entitled "Mitigating NTLM Relay Attacks on AD CS." Perfect title.
Tim Callan: Yes. Very clear.
Jason Soroko: Yeah, and, in fact, here's the thing. Microsoft has issued patches for PetitPotam, but even Microsoft themselves will admit it's insufficient in itself to fully mitigate it. So, therefore, you need to do specific configurations to fully lock down this problem.
Tim Callan: Ok. Which are well-documented, I'm sure?
Jason Soroko: Very, very well-documented, but let me tell you, Tim, a couple of things you can do just at a high level, without getting into the weeds.
Tim Callan: Ok.
Jason Soroko: Part of the mitigation for this is EPA. Two things you can do: one is to enable EPA, or Extended Protection for Authentication, on your MS CA server. EPA is obviously one of those very strong mitigations that Microsoft put in due to the long legacy of NTLM. In fact, it's been around a very long time – this mitigation. And it's interesting, Tim, because basically what it's doing is it's forcing a side channel of communication. Basically, in other words, this EPA is causing the attacker to not be able to take something generated from one server and then use it against another, such as a Microsoft CA server. So, in other words, because it's an NTLM attack that basically fools the user into logging into one specific server, and then uses that credential to log into another, EPA essentially is a mitigation against that.
Tim Callan: Gotcha. Sure.
Jason Soroko: And then the other one is, of course, enable Require SSL, which enables HTTPS connections between a client and the server. The problem with that, of course, is there is some amount of latency that is caused by that.
Tim Callan: Yeah, but that's got to be trivially small.
Jason Soroko: And you know what? With the types of servers we have now, right, it's always gotta be mentioned, because technical people always bring it up.
Tim Callan: Fair enough.
Jason Soroko: But if you think about it, what you can do with an SSL connection is, if you've established a connection with one server and then try to use that side channel against another server, the other destination server is gonna go, "Hey, I'm not who you are talking to."
Tim Callan: Right. Right.
Jason Soroko: So, therefore, this is what that knowledge base article goes into great detail about, how to configure, and I mean there's a lot of people out there running MS CA. Please check out that KB. It's very detailed. It's actually not that difficult to follow, and it's gotta be done. You have to lock down your MS CA server if it hasn't been already.
Tim Callan: Alright. Cool. Ok. Great. That sounds like good advice to check out if you haven't already done that and if you, of course, are an MS CA shop.
Jason Soroko: Yep. That's it. Short and sweet.
Tim Callan: Alright. Short and sweet. Thank you very much, Jay.
Jason Soroko: Thanks, Tim.
Tim Callan: This has been Root Causes.
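The two configuration steps the hosts single out from KB5005413, Extended Protection for Authentication set to Require and Require SSL on the AD CS web endpoints, live in IIS and can be audited and applied from PowerShell. The script below is an added example for this page; it is not from the episode and not Microsoft's own tooling. It assumes it is run as an administrator on the server hosting the endpoint, that the IIS WebAdministration module is present, that the site is named 'Default Web Site', and that 'CertSrv' (the default Web Enrollment application) is the endpoint to harden; any Certificate Enrollment Web Service or Policy Web Service application names are deployment specific and have to be supplied by the operator.

```powershell
# Added example (not the episode's or Microsoft's code): audit and, with -Apply,
# set the two IIS settings KB5005413 describes for AD CS web endpoints:
#   1. Extended Protection for Authentication (EPA): tokenChecking = Require
#   2. Require SSL: sslFlags includes Ssl
# Assumptions: run elevated on the endpoint host; WebAdministration module
# available; site 'Default Web Site'; 'CertSrv' is the Web Enrollment app.
# CES/CEP application names vary per deployment and are passed in via -Apps.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]   $Site = 'Default Web Site',
    [string[]] $Apps = @('CertSrv'),
    [switch]   $Apply
)

Import-Module WebAdministration

$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$EpaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$SslFilter = 'system.webServer/security/access'

function Read-IisAttribute {
    param([string]$Location, [string]$Filter, [string]$Name)
    # Get-WebConfigurationProperty returns a plain value for some attribute
    # types and a ConfigurationAttribute object (with .Value) for others.
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

function Get-AdcsEndpointHardening {
    param([string]$Site, [string[]]$Apps)
    foreach ($app in $Apps) {
        $loc = "$Site/$app"
        $epa = Read-IisAttribute -Location $loc -Filter $EpaFilter -Name 'tokenChecking'
        $ssl = Read-IisAttribute -Location $loc -Filter $SslFilter -Name 'sslFlags'
        [pscustomobject]@{
            Application      = $loc
            EpaTokenChecking = $epa                       # None | Allow | Require
            SslFlags         = $ssl                       # '' | 'Ssl' | 'Ssl,SslNegotiateCert' ...
            EpaRequired      = ($epa -eq 'Require')
            SslRequired      = ($ssl -match '\bSsl\b')
        }
    }
}

function Set-AdcsEndpointHardening {
    param([string]$Site, [string[]]$Apps)
    # Require SSL without an HTTPS binding locks everyone out, including the
    # enrollment clients the CA serves, so refuse to proceed in that case.
    if (-not (Get-WebBinding -Name $Site -Protocol 'https')) {
        throw "Site '$Site' has no https binding; add one with a server certificate before requiring SSL."
    }
    foreach ($app in $Apps) {
        $loc = "$Site/$app"
        # EPA at Require (not Allow): an NTLM exchange relayed from another
        # connection carries a channel binding that does not match this TLS
        # channel, and the endpoint rejects it.
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $EpaFilter -Name 'tokenChecking' -Value 'Require'
        # Require SSL so there is always a TLS channel for EPA to bind to.
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $SslFilter -Name 'sslFlags' -Value 'Ssl'
    }
}

$before = Get-AdcsEndpointHardening -Site $Site -Apps $Apps
$before | Format-Table -AutoSize

if ($Apply) {
    Set-AdcsEndpointHardening -Site $Site -Apps $Apps
    Get-AdcsEndpointHardening -Site $Site -Apps $Apps | Format-Table -AutoSize
}
elseif ($before | Where-Object { -not ($_.EpaRequired -and $_.SslRequired) }) {
    Write-Warning 'One or more AD CS web endpoints are not hardened; review KB5005413, then re-run with -Apply.'
}
```

Run it without switches first to see the current state of each endpoint; only pass -Apply once an HTTPS binding with a valid server certificate is in place, because Require SSL takes effect immediately. The script covers only the IIS settings discussed in the episode; KB5005413 also describes a web.config change for the Certificate Enrollment Web Service and the option of disabling NTLM on the AD CS host altogether, which this example does not touch.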
