
petitpotam's Introduction

PetitPotam

PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions :)

The tool uses the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e because it's more prevalent, but it's also possible to trigger it through the EFSRPC named pipe with interface df1941c5-fe89-4e79-bf10-463657acf44d. It doesn't need credentials against a Domain Controller :D

Disabling the EFS service does not seem to mitigate the "feature".

The Python version requires Impacket to be installed; the Windows PoC was built with VS 2019 Community. If you hit a compilation problem, remember to add Rpcrt4.lib in the linker. Compile for x86.

Inspired by the previous work on MS-RPRN from @tifkin_ & @elad_shamir and other SpecterOps guys.

Incomplete patch from Microsoft :) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942

MS-EFSRPC - Encrypting File System Remote (EFSRPC) Protocol https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31
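The README's point for defenders is that the coercion does not depend on the efsrpc pipe or on the EFS service: the same EFSRPC interface is reachable over the far more common lsarpc pipe, and the CVE-2021-36942 fix blocks EfsRpcOpenFileRaw but leaves sibling EfsRpc* calls in place. The following is an added example (not code from the PetitPotam repository) that flags EFSRPC activity by matching on the two interface UUIDs named above and on any EfsRpc* operation name, regardless of pipe. The log lines are constructed, and the tab-separated column layout (timestamp, source, destination, named pipe, interface UUID, operation) is an assumption of this example, loosely modelled on an RPC sensor log rather than on any specific product's schema.

```python
"""Added example, not part of PetitPotam: spot MS-EFSRPC calls in an RPC log.

Matching on the interface UUID and the EfsRpc* operation name, rather than
on the \\PIPE\\efsrpc pipe alone, catches the lsarpc-hosted variant the
README describes and the non-OpenFileRaw functions left after the patch.
"""
from typing import Dict, List

# Interface UUIDs from the README: the same EFSRPC interface is exposed
# over two different named pipes.
EFSRPC_INTERFACES = {
    "c681d488-d850-11d0-8c52-00c04fd90f7e": "EFSRPC over \\PIPE\\lsarpc",
    "df1941c5-fe89-4e79-bf10-463657acf44d": "EFSRPC over \\PIPE\\efsrpc",
}

# Constructed sample log (assumed columns: ts, orig_h, resp_h, named_pipe,
# interface_uuid, operation). Lines 1 and 5 are ordinary LSA/SAM traffic;
# lines 2-4 are EFSRPC calls arriving over both pipes.
SAMPLE_LOG = """\
1626000001.1\t10.0.0.5\t10.0.0.10\t\\PIPE\\lsarpc\t12345778-1234-abcd-ef00-0123456789ab\tLsarOpenPolicy2
1626000002.2\t10.0.0.77\t10.0.0.10\t\\PIPE\\lsarpc\tc681d488-d850-11d0-8c52-00c04fd90f7e\tEfsRpcOpenFileRaw
1626000002.3\t10.0.0.77\t10.0.0.10\t\\PIPE\\lsarpc\tc681d488-d850-11d0-8c52-00c04fd90f7e\tEfsRpcEncryptFileSrv
1626000003.0\t10.0.0.20\t10.0.0.10\t\\PIPE\\efsrpc\tdf1941c5-fe89-4e79-bf10-463657acf44d\tEfsRpcQueryUsersOnFile
1626000004.0\t10.0.0.5\t10.0.0.10\t\\PIPE\\samr\t12345778-1234-abcd-ef00-0123456789ac\tSamrConnect5
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one tab-separated record into named fields (assumed layout)."""
    ts, orig_h, resp_h, pipe, uuid, op = line.rstrip("\n").split("\t")
    return {"ts": ts, "orig_h": orig_h, "resp_h": resp_h,
            "pipe": pipe, "uuid": uuid.lower(), "op": op}


def is_efsrpc_call(rec: Dict[str, str]) -> bool:
    """True if the record binds to an EFSRPC interface or names an EfsRpc* op.

    The operation-name check is deliberately broad: the README notes that
    functions other than EfsRpcOpenFileRaw also trigger the authentication,
    so a rule keyed on OpenFileRaw alone misses the post-patch variants.
    """
    return rec["uuid"] in EFSRPC_INTERFACES or rec["op"].startswith("EfsRpc")


def find_efsrpc_calls(log_text: str) -> List[Dict[str, str]]:
    """Return every EFSRPC record in the log, annotated with the reason."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_efsrpc_call(rec):
            rec["why"] = EFSRPC_INTERFACES.get(
                rec["uuid"], "EfsRpc* operation on an unlisted interface")
            alerts.append(rec)
    return alerts


def summarize_by_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count EFSRPC calls per source host; a workstation issuing several
    EfsRpc* calls at a DC in quick succession is the pattern to review."""
    counts: Dict[str, int] = {}
    for rec in alerts:
        counts[rec["orig_h"]] = counts.get(rec["orig_h"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_efsrpc_calls(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['orig_h']} -> {rec['resp_h']} "
              f"{rec['pipe']} {rec['op']} ({rec['why']})")
    print("per source:", summarize_by_source(hits))
```

Run as-is it reports three records: two from 10.0.0.77 over \PIPE\lsarpc (EfsRpcOpenFileRaw followed by EfsRpcEncryptFileSrv, the same fallback sequence the tool's output in the issues below shows) and one over \PIPE\efsrpc. The benign LSARPC and SAMR records on the same lsarpc-adjacent pipes are not flagged, which is why the UUID, not the pipe name, is the discriminator.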


petitpotam's Issues

[help wanted] AD CS /certsrv Endpoint authentication failed.

First of all, thanks for your excellent research work.

I'm trying to reproduce it using a Windows Server 2012 R2 with no patches installed either automatically or manually.

I installed AD CS using all default options offered by the setup wizard.

When I invoke the Python script from your repo and combine it with ntlmrelayx from https://github.com/ExAndroidDev/impacket/tree/ntlmrelayx-adcs-attack , it just keeps telling me HTTP 401 Unauthorized.

Since it's a totally default situation, I have no idea what's wrong when trying to reproduce it.

More information might be useful for debugging:

  • A certificate can be requested from any other machine in the domain. The DC itself also has a certificate. Any other machine can also request a machine account certificate in the GUI.
  • The web endpoint /certsrv will ask for human user credentials, and then it works as intended. But in this situation, machine account NTLM authentication seems not to work.
  • If I replace ntlmrelayx with Responder, I successfully get a response and a hash capture notice from Responder, which means that at least the NTLM relay part works fine.

Thanks for your help in advance.

ERROR_INVALID_NAME when using EfsRPCEncryptFileSrv

Trying to exploit this in a live environment I get:

[-] Connecting to ncacn_np:172.20.247.109[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
Something went wrong, check error status => EFSR SessionError: code: 0x7b - ERROR_INVALID_NAME - The filename, directory name, or volume label syntax is incorrect.

PetitPotam Version: 2ae559f
Impacket Version: impacket==0.9.22 (Kali Repos)
EDIT: Also tried with latest impacket release (0.9.23)

From what I can understand, the target might have the patch applied, but as far as I understand that does not patch all possible functions. PetitPotam seems to fail when trying one of the alternatives (EfsRpcEncryptFileSrv).

License

Hello, my employer would like to use your code as a part of our penetration tests. Not to distribute, but to use. Could you add an appropriate license to allow this, OR at least provide a license to clarify your software's usage terms? Thanks!

NameError: name 'RPC_C_AUTHN_WINNT' is not defined

Hello,

Following the previous patch to force the use of Privacy Level Authentication (#14), the Python script generates the following error:

Traceback (most recent call last):
  File "XXX/PetitPotam.py", line 448, in <module>
    main()
  File "XXX/PetitPotam.py", line 441, in main
    dce = plop.connect(username=options.username, password=options.password, domain=options.domain, lmhash=lmhash, nthash=nthash, target=options.target, pipe=options.pipe, doKerberos=options.k, dcHost=options.dc_ip, targetIp=options.target_ip)
  File "XXX/PetitPotam.py", line 353, in connect
    dce.set_auth_type(RPC_C_AUTHN_WINNT)
NameError: name 'RPC_C_AUTHN_WINNT' is not defined

I think you need to add the following line to the imports:
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT

ntlmrelayx.exe unrecognized arguments --adcs / --template

Hello,

I tried using the ntlmrelayx.exe that was provided in the repo, but unfortunately it does not recognize the --adcs flag, which from my understanding is needed to exploit AD CS. Did I do something wrong, or is the binary not working?
