Microsoft has acknowledged a newly discovered variant of an attack on NTLM (NT LAN Manager), a long-vulnerable Windows authentication protocol that the operating system still uses as a fallback when the newer Kerberos protocol cannot be used.
If successful, the attack, dubbed PetitPotam by the French researcher who discovered it, could allow an attacker to take over Windows domain controllers or other servers.
It’s the latest in what Microsoft calls classic NTLM relay attacks.
To prevent a successful attack on networks where NTLM is enabled, Microsoft said, domain administrators must ensure that every service that accepts NTLM authentication either uses a protection such as Extended Protection for Authentication (EPA) or requires signing, for example SMB (Server Message Block) signing. A relay only works against a service that accepts the relayed NTLM exchange unsigned and unbound to the underlying TLS session, so those two settings are what remove the target.
Microsoft said PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections from NTLM relay attacks: the coerced NTLM authentication is relayed to the AD CS web enrollment endpoints, which can issue a certificate the attacker then uses to authenticate as the coerced machine, including a domain controller. The mitigations outlined in its knowledge base document KB5005413 instruct admins on how to protect their AD CS servers from such attacks.
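A practitioner reading the KB will want a quick way to check whether a given AD CS server actually has those settings in place. The script below is an added example, not code from the article, from the researcher or from Microsoft's KB; it audits the settings the KB points at (SMB signing, EPA on the CA Web Enrollment application, SSL required, and NTLM removed from the IIS Windows authentication providers). It assumes the web enrollment application is at the default IIS path `Default Web Site/CertSrv` and that the WebAdministration module is installed; both are assumptions and should be adjusted for the server in question.

```powershell
# Added example (not from the article or from KB5005413): audit one server for the
# anti-NTLM-relay settings the KB describes. Run elevated on the AD CS server.
# Assumption: CA Web Enrollment lives at 'Default Web Site/CertSrv' (the default path).
Import-Module WebAdministration -ErrorAction Stop

$findings = @()

# 1. SMB signing. A relay to SMB only succeeds when the target does not require signing.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    $findings += 'SMB signing is not required (fix: Set-SmbServerConfiguration -RequireSecuritySignature $true)'
}

# 2. EPA on the web enrollment app. tokenChecking must be 'Require' so the NTLM
#    exchange is bound to the TLS channel and cannot be replayed from another connection.
$site = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default site and app name
$winAuth = Get-WebConfiguration -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath $site
if ($winAuth.enabled) {
    $epa = Get-WebConfiguration -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' -PSPath $site
    if ($epa.tokenChecking -ne 'Require') {
        $findings += "EPA tokenChecking is '$($epa.tokenChecking)' on $site; should be 'Require'"
    }

    # 3. EPA channel binding is meaningless over plain HTTP, so the app must require SSL.
    $access = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $site
    if (("$($access.sslFlags)" -split ',\s*') -notcontains 'Ssl') {
        $findings += "$site does not require SSL (sslFlags = '$($access.sslFlags)')"
    }

    # 4. Optional hardening from the KB: drop NTLM from the providers list so that only
    #    Kerberos is offered ('Negotiate' alone can still fall back to NTLM).
    $providers = (Get-WebConfiguration -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' -PSPath $site).Collection |
        ForEach-Object { $_.value }
    if ($providers -contains 'NTLM' -or $providers -contains 'Negotiate') {
        $findings += "Windows auth providers on $site still allow NTLM: $($providers -join ', ') (use 'Negotiate:Kerberos' only)"
    }
}

if ($findings.Count -eq 0) { 'No NTLM relay findings on this server' } else { $findings }
```

Each finding names the setting to change; the EPA and SSL fixes are applied with `Set-WebConfigurationProperty` against the same filters the audit reads, followed by an `iisreset`. The Certificate Enrollment Web Service (CES) and Policy Web Service (CEP) applications, if installed, need the same treatment under their own IIS paths, which differ per deployment and are not covered by the default path assumed above.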
According to a post earlier this year by CrowdStrike, NTLM remains widely deployed, even on new systems, despite its known weaknesses, because it is kept on for compatibility with legacy clients and servers. Kerberos replaced it as the default authentication protocol in Windows 2000.
In an interview with the Bleeping Computer news site, the French researcher said PetitPotam isn’t a vulnerability, but an abuse of a Windows function.
One researcher who tested the proof-of-concept told Bleeping Computer that it is “quite brutal” and could lead to a full takeover of Active Directory.