Discover and read the best of Twitter Threads about #petitpotam
Most recents (5)
🧵 (1/x) Reanimating ADCSPwn thread (in a simple way) ⏬
You all know this great tool by @_batsec_, but unfortunately Microsoft broke it with one of those anti-PetitPotam patches a while ago ⏬
github.com/bats3c/ADCSPwn…
#lpe #adcs #petitpotam #webdav
You all know this great tool by @_batsec_, but unfortunately Microsoft broke it with one of those anti-PetitPotam patches a while ago ⏬
github.com/bats3c/ADCSPwn…
#lpe #adcs #petitpotam #webdav
🧵 (2/x) So that now the execution hangs like follows ⏬ 
🧵 (3/x) But guess what, there’s another super cool tool – Coercer (by @podalirius_) – which can be used to trigger the authentication with a different API that is not affected by the ad-hoc check provided in the patch ⏬
I swear I couldn't find one place in the internet where #PetitPotam is explained in a way that I can truly understand it. So I'm dumping the attack flow here as a future reference for myself. If any of you finds it useful - good. If any of you wishes to add - comment. 1/7
The attack starts when an attacker, from her controlled machine, triggers a (possibly privileged) Windows host to authenticate to *her*. She does it by requesting EFS-RPC - Encrypted File System service - to open a remote file on her own machine. No domain creds are needed! 2/7
Technically speaking, the attacker invokes EfsRpcOpenFileRaw, specifying a file path that points to her remote machine:
'\\<attacker_address>\test\Settings.ini'
(from @topotam77's PoC
github.com/topotam/PetitP…)
This is basically the essence of #PetitPotam.
3/7
'\\<attacker_address>\test\Settings.ini'
(from @topotam77's PoC
github.com/topotam/PetitP…)
This is basically the essence of #PetitPotam.
3/7
Want to block [MS-EFSR] / #PetitPotam calls?🤔
Use RPC filters ! 🥳
put previous Tweet in a file: `block_efsr.txt` then:
> netsh -f block_efsr.txt
Just tested: it blocks remote connections & not local EFS usage
Thank you to @CraigKirby to remind us this RPC technology filter!
Use RPC filters ! 🥳
put previous Tweet in a file: `block_efsr.txt` then:
> netsh -f block_efsr.txt
Just tested: it blocks remote connections & not local EFS usage
Thank you to @CraigKirby to remind us this RPC technology filter!
this is the kind of post/statement that Microsoft could have done rather than focusing on the NTLM relay and how client should block it.
(does not change the fact that MS must fix the noauth part of MS-EFSR)
(does not change the fact that MS must fix the noauth part of MS-EFSR)
And I still really like it
I’d like to clarify my position on #Microsoft in general
Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.
I criticize Microsoft’s response to recent ..
Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.
I criticize Microsoft’s response to recent ..
vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.
There are still few but good reasons ..
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.
There are still few but good reasons ..
.. not to opt for the cloud.
I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.
I really hope that you continue the ..
I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.
I really hope that you continue the ..
AD CS HTTP endpoint not available to abuse ESC8 with #PetitPotam? WebDAV + NTLM relay to LDAP is an option (use the forward slash trick). WebDAV abuse comes with constraints, the largest being the WebClient service does not run by default on workstations/servers.
For local priv esc on workstations, you can start the WebClient service using a @tiraniddo trick: tiraniddo.dev/2015/03/starti…
Otherwise, a remote machine needs to have the WebClient service running. Servers do not support WebDAV by default: they must have the WebDAV Redirector role installed and the service needs to be started.
