Microsoft has published mitigations for the PoC attack that forces remote Windows systems to hand over NTLM password hashes

Jul 27, 2021 15:39 GMT  ·  By

Microsoft responded quickly with mitigations for PetitPotam, an attack technique that can coerce remote Windows systems into authenticating over NTLM and revealing their password hashes, according to Threatpost.

According to the report, the technique can also be used to crash the targeted system once the password hashes have been captured. Microsoft has recommended that system administrators stop using the now-outdated Windows NT LAN Manager (NTLM) authentication protocol so that they are not exposed to the attack.

PetitPotam abuses a Windows remote access protocol, the Encrypting File System Remote Protocol (MS-EFSRPC). The protocol lets Windows systems perform maintenance and management operations on encrypted data that is stored remotely, while enforcing the policies that control who may access that data.

Security researcher Gilles Lionel disclosed the flaw on Thursday and released proof-of-concept exploit code for the attack. The following day, Microsoft issued an advisory outlining mitigations that administrators can apply in the meantime. Lionel also demonstrated how PetitPotam can be chained with an attack on Windows Active Directory Certificate Services (AD CS), the role that provides public key infrastructure (PKI) functionality to a domain.

Attackers can crack the captured hashes offline

According to the report, the PetitPotam PoC is a manipulator-in-the-middle (MitM) attack against Microsoft's NTLM authentication system. The attacker uses SMB to reach the MS-EFSRPC interface on a remote system and supplies a file path pointing at a host under the attacker's control. The security researcher says this causes the targeted machine to connect back to that host and authenticate to it, handing over its NTLM credentials in the process.

Because NTLM is a weak authentication protocol, the captured challenge-response hashes can be cracked offline, or relayed to another service such as AD CS. NTLM has been criticized as a poor authentication protocol since 2010. Microsoft advises that NTLM authentication be disabled on Windows domain controllers. For AD CS services, it additionally advises enabling Extended Protection for Authentication (EPA).

The software giant also stated that organizations that have NTLM authentication enabled in their domains and use the Certificate Enrollment Web Service and/or Certificate Authority Web Enrollment are exposed to a PetitPotam attack.
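The two mitigations described above (EPA on the AD CS web enrollment endpoints and restricting inbound NTLM) can be checked and applied from PowerShell on the AD CS server. The script below is an added example, not code from Microsoft's advisory or from the original report; it assumes the Certificate Authority Web Enrollment application lives at the default `Default Web Site/CertSrv` path, that the IIS `WebAdministration` module is available, and that the machine is running an elevated session. Adjust `$Site` and `$App` if Web Enrollment is installed elsewhere, and repeat for the Certificate Enrollment Web Service application if it is present.

```powershell
# Added example: check and enforce the PetitPotam mitigations on an AD CS server.
# Assumptions (not from the original article): Web Enrollment is installed at
# "Default Web Site/CertSrv" and the WebAdministration module is present.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site = 'Default Web Site'
$App  = 'CertSrv'
$AppHost  = 'MACHINE/WEBROOT/APPHOST'      # applicationHost.config, where locked sections live
$Location = "$Site/$App"
$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Current state of Extended Protection for Authentication (EPA) on the app.
#    Values: None (off), Allow (opportunistic), Require (enforced). "Require" is the fix.
$epa = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking'
Write-Host "EPA tokenChecking for $Location : $($epa.Value)"

if ($epa.Value -ne 'Require') {
    # Enforce EPA. This writes a <location path="Default Web Site/CertSrv"> override
    # into applicationHost.config, which is needed because windowsAuthentication is
    # locked at the server level by default.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'
    Write-Host "Set EPA to Require on $Location"
}

# 2. EPA only protects the channel when the client authenticates over TLS, so
#    the application must also require SSL.
$ssl = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
Write-Host "sslFlags for $Location : $($ssl)"

if (($ssl -split ',') -notcontains 'Ssl') {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    Write-Host "Enabled Require SSL on $Location"
}

# 3. Report the inbound NTLM restriction on this host. The policy behind it is
#    "Network security: Restrict NTLM: Incoming NTLM traffic"; 2 = Deny all accounts.
#    This is reported rather than set, because blocking inbound NTLM is a domain-wide
#    decision that must be tested against anything still relying on NTLM.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsa -Name 'RestrictReceivingNTLMTraffic' `
             -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
switch ($restrict) {
    2       { Write-Host 'Incoming NTLM: Deny all accounts (mitigated)' }
    1       { Write-Host 'Incoming NTLM: Deny all domain accounts (partial)' }
    default { Write-Warning 'Incoming NTLM is not restricted on this host' }
}
```

After changing the IIS settings, restart IIS (`iisreset`) and confirm that certificate enrollment through the web endpoints still works with Kerberos clients; a client that can only speak NTLM over HTTP without channel binding will now be rejected, which is the intended effect.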