EN
ENNA

PetitPotam

๐Ÿ”ฅ Offensive Ops ยท Python

PetitPotam is a tool that coerces Windows hosts into authenticating to an attacker-controlled server by abusing the Encrypting File System Remote Protocol (MS-EFSRPC). By sending specially crafted requests to the EfsRpcOpenFileRaw function (and similar EFS functions), PetitPotam forces the target machine to initiate an NTLM authentication to an arbitrary server specified by the attacker. When combined with NTLM relay attacks (via tools like ntlmrelayx from Impacket), this can be used to relay the authentication to Active Directory Certificate Services (AD CS) to obtain certificates, or to other services for privilege escalation. PetitPotam was a significant discovery because it works unauthenticated against domain controllers in many configurations, making it a critical vector for Active Directory domain compromise. Microsoft has issued patches, but many environments remain vulnerable.

2.2kstars
297forks
1issues
Updated 1y ago
View on GitHub

Installation

from source

$ git clone https://github.com/topotam/PetitPotam && cd PetitPotam && pip install impacket

Use Cases

  • Coercing domain controllers to authenticate for NTLM relay attacks
  • Relaying machine authentication to AD CS for certificate-based domain compromise
  • Testing Active Directory environments for NTLM relay vulnerabilities
  • Demonstrating unauthenticated domain compromise paths in penetration tests
  • Validating PetitPotam mitigations (EPA, NTLM relay protections) are effective

Tags

ntlm-relaycoercionactive-directoryefsrpcdomain-compromiseadcs

Details

Category
๐Ÿ”ฅ Offensive Ops
Language
Python
Platforms
๐Ÿงlinux๐ŸชŸwindows

Links

GitHub Repository

github.com/topotam/PetitPotam

Releases

github.com/topotam/PetitPotam/releases

Issues

github.com/topotam/PetitPotam/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Alternatives & Comparisons

Responder

Python

LLMNR/NBT-NS/mDNS poisoner and rogue authentication server. Captures NTLMv1/v2 hashes on the network.

Compare PetitPotam vs Responder

Impacket

Python

Collection of Python classes for working with network protocols. Essential for Windows/AD pentesting.

Compare PetitPotam vs Impacket

Coercer

Python

Automatically find and exploit Windows authentication coercion vulnerabilities. PetitPotam, PrinterBug, and more.

Compare PetitPotam vs Coercer

Whisker

C#

Shadow Credentials attack tool. Adds rogue Key Credentials to AD objects for Kerberos authentication without knowing passwords.

Compare PetitPotam vs Whisker

More in Offensive Ops

Mythic

Go

Collaborative, multi-platform C2 framework. Docker-based with web UI, multiple agent types, and plugin architecture.

c2red-teammulti-operator

Havoc

C/C++

Modern C2 framework. Qt-based GUI, BOF support, custom agents, and a Cobalt Strike-inspired workflow.

c2red-teamgui

Rubeus

C#

C# toolset for raw Kerberos interaction and abuse. AS-REP roasting, Kerberoasting, ticket manipulation, delegation attacks.

kerberosactive-directoryroasting

Certipy

Python

Active Directory Certificate Services (AD CS) abuse tool. Find and exploit certificate template misconfigurations.

active-directorycertificatesadcs

Coercer

Python

Automatically find and exploit Windows authentication coercion vulnerabilities. PetitPotam, PrinterBug, and more.

authentication-coercionntlm-relaypetitpotam

SharpHound

C#

Official BloodHound data collector. Enumerates Active Directory objects, sessions, ACLs, and trusts for graph analysis.

active-directoryenumerationbloodhound