Wednesday, September 22, 2021

Home windows “PetitPotam” community assault – easy methods to defend towards it – Bare Safety

French researcher Gilles Lionel, who goes by @topotam77, recently published proof-of-concept code that attackers could use to take over a Windows network.

The hack, which he has dubbed PetitPotam (which is a nod to the endangered Pygmy Hippopotamus, as far as we can tell), involves what’s known as an NTLM relay attack, which is a form of manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system.

Microsoft has been advising everyone to avoid NTLM, short for NT LAN Manager, for more than a decade, because it doesn’t meet modern cryptographic security standards.

Way back in 2012, for example, pasword researcher Jeremi Gosney, who describes himself as “your friendly neighborhood password cracker”, described and built a standalone password cracking computer, using 25 graphics cards, that could brute-force all eight-character Windows passwords from their NTLM hashes in just six hours.

Unfortunately, NTLM authentication has proved hard to shake off altogether, with many network administrators keeping it alive because of legacy applications that can’t use the network without it.

Microsoft has added several NTLM mitigations over the years to try to close off various NTLM relay attack loopholes that remain.

This has steadily made it harder for attackers to trick Windows clients into talking to imposter authentication servers (the so-called “relays” in the attack) that could allow pasword hashes to be sniffed out, stolen and abused by attackers.

Ironically, one popular NTLM relay trick used in the past was to abuse the Microsoft Print System Remote Protocol (MS-RPRN) – what you could call a PrintNightmare of yesteryear.

As Lionel himself points out, however, “[using] MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins [in] most [organisations].”

His new proof-of-concept uses a similar attack (indeed, Lionel credits his code as “inspired by the previous work on MS-RPRN”), but abuses a different remote access protocol called MS-EFSRPC, short for Encrypting File System Remote Protocol.