
PetitPotam vs Whisker

GitHub Stats

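Stars: PetitPotam 2.2k, Whisker 935
Forks: PetitPotam 297, Whisker 121
Issues: PetitPotam 1, Whisker 3
Updated: PetitPotam 1y ago, Whisker 1y ago
License: PetitPotam -, Whisker MIT
Language: PetitPotam Python, Whisker C#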

About PetitPotam

PetitPotam is a tool that coerces Windows hosts into authenticating to an attacker-controlled server by abusing the Encrypting File System Remote Protocol (MS-EFSRPC). By sending specially crafted requests to the EfsRpcOpenFileRaw function (and similar EFS functions), PetitPotam forces the target machine to initiate an NTLM authentication to an arbitrary server specified by the attacker. When combined with NTLM relay attacks (via tools like ntlmrelayx from Impacket), this can be used to relay the authentication to Active Directory Certificate Services (AD CS) to obtain certificates, or to other services for privilege escalation. PetitPotam was a significant discovery because it works unauthenticated against domain controllers in many configurations, making it a critical vector for Active Directory domain compromise. Microsoft has issued patches, but many environments remain vulnerable.

About Whisker

Whisker is a C# tool for performing the Shadow Credentials attack against Active Directory. The attack exploits the msDS-KeyCredentialLink attribute introduced for Windows Hello for Business, which allows certificate-based authentication via Kerberos PKINIT. By adding a rogue Key Credential entry to a target user or computer's msDS-KeyCredentialLink attribute (which requires write access to the attribute), an attacker can then authenticate as that principal using the corresponding private key, without knowing or changing their password. This is stealthier than traditional credential attacks because it doesn't modify the password or trigger password change events. Whisker generates the key pair, adds the Key Credential to the target, and can be combined with Rubeus to request TGTs using the shadow credential. It's particularly effective when you have GenericWrite or GenericAll permissions over user or computer objects.

Platform Support

๐Ÿงlinux๐ŸชŸwindows
๐ŸชŸwindows

Tags

Shared

active-directory

PetitPotam only

ntlm-relay, coercion, efsrpc, domain-compromise, adcs

Whisker only

shadow-credentials, kerberos, pkinit, persistence, lateral-movement