Domain Takeover with PetitPotam Exploit by Nairuz Abulhul


Petitpotam is a vulnerability that allows a domain user to take over domain controllers through triggering authentications using the MS-EFSRPC protocol. The vulnerability lies in the insufficient path checks in the EfsRpcOpenFileRaw function of the EFSRPC API that allows an attacker to pass any value in its fileName parameter, such as an attacker’s IP address, to coerce an authentication from the targeted hosts. Figure 1 — EfsRpcOpenFileRaw function in EFSRPC API In order for an attacker to take over the domain controller, they need to use this vulnerability with an NTLM relay attack to capture the required hashes or certificates. Great targets for this attack are the servers configured to accept NTLM authentications, such as Active Directory Certificate Services (AD CS), when the Web Enrollment roles are installed. A typical attack scenario would be forcing the domain controller to authenticate to the attacker machine that is configured with an NTLM relay.....

April 28, 2022
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.

What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.