
PetitPotam vs Responder

GitHub Stats

            PetitPotam    Responder
Stars       2.2k          6.4k
Forks       297           861
Issues      1             32
Updated     1y ago        2mo ago
License     -             GPL-3.0
Language    Python        Python

About PetitPotam

PetitPotam is a tool that coerces Windows hosts into authenticating to an attacker-controlled server by abusing the Encrypting File System Remote Protocol (MS-EFSRPC). By sending specially crafted requests to the EfsRpcOpenFileRaw function (and similar EFS functions), PetitPotam forces the target machine to initiate an NTLM authentication to an arbitrary server specified by the attacker. When combined with NTLM relay attacks (via tools like ntlmrelayx from Impacket), this can be used to relay the authentication to Active Directory Certificate Services (AD CS) to obtain certificates, or to other services for privilege escalation. PetitPotam was a significant discovery because it works unauthenticated against domain controllers in many configurations, making it a critical vector for Active Directory domain compromise. Microsoft has issued patches, but many environments remain vulnerable.

About Responder

Responder is a network tool designed to poison LLMNR, NBT-NS, and mDNS name resolution, capturing NTLMv1/v2 challenge-response hashes (net-NTLM) from Windows environments. Written in Python, it acts as a rogue authentication server to intercept and capture credentials on the network. Responder's ability to exploit weaknesses in Windows name resolution protocols makes it a powerful tool for security professionals conducting network assessments and Active Directory penetration testing.

Platform Support

๐Ÿงlinux๐ŸชŸwindows
๐Ÿงlinux

Tags

Shared

active-directory

PetitPotam only

ntlm-relay, coercion, efsrpc, domain-compromise, adcs

Responder only

ntlm, poison, credential-capture