Discover and read the best of Twitter Threads about #petitpotam


🧵 (1/x) Reanimating ADCSPwn thread (in a simple way) ⏬

You all know this great tool by @_batsec_, but unfortunately Microsoft broke it with one of those anti-PetitPotam patches a while ago ⏬

github.com/bats3c/ADCSPwn…

#lpe #adcs #petitpotam #webdav
🧵 (2/x) So now the execution hangs as follows ⏬
🧵 (3/x) But guess what, there's another super cool tool – Coercer (by @podalirius_) – which can be used to trigger the authentication with a different API that is not affected by the ad-hoc check provided in the patch ⏬
I swear I couldn't find one place on the internet where #PetitPotam is explained in a way that I can truly understand it. So I'm dumping the attack flow here as a future reference for myself. If any of you find it useful - good. If any of you wish to add - comment. 1/7
The attack starts when an attacker, from her controlled machine, triggers a (possibly privileged) Windows host to authenticate to *her*. She does it by requesting EFS-RPC - Encrypted File System service - to open a remote file on her own machine. No domain creds are needed! 2/7
Technically speaking, the attacker invokes EfsRpcOpenFileRaw, specifying a file path that points to her remote machine:
`\\<attacker_address>\test\Settings.ini`
(from @topotam77's PoC github.com/topotam/PetitP…)
This is basically the essence of #PetitPotam. 3/7
Want to block [MS-EFSR] / #PetitPotam calls? 🤔
Use RPC filters! 🥳

Put the previous tweet in a file, `block_efsr.txt`, then run:

`netsh -f block_efsr.txt`

Just tested: it blocks remote connections & not local EFS usage

Thank you to @CraigKirby for reminding us of this RPC filter technology!
This is the kind of post/statement that Microsoft could have made rather than focusing on the NTLM relay and how clients should block it.

(does not change the fact that MS must fix the noauth part of MS-EFSR)
And I still really like it
I’d like to clarify my position on #Microsoft in general

Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.

I criticize Microsoft's response to recent vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don't think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.

There are still few but good reasons not to opt for the cloud.

I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won't read it.

I really hope that you continue the ..
AD CS HTTP endpoint not available to abuse ESC8 with #PetitPotam? WebDAV + NTLM relay to LDAP is an option (use the forward slash trick). WebDAV abuse comes with constraints, the largest being that the WebClient service does not run by default on workstations/servers.
For local priv esc on workstations, you can start the WebClient service using a @tiraniddo trick: tiraniddo.dev/2015/03/starti…
Otherwise, a remote machine needs to have the WebClient service running. Servers do not support WebDAV by default: they must have the WebDAV Redirector role installed and the service needs to be started.