Hello, welcome to the Monday, July 26, 2021 edition of the Sand, Centres Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, the last couple of weeks, we had a print nightmare, we had Summer of Sam,

and last thing you probably need at this point is another serious

Windows vulnerability. Well I have bad news for you. Late on Friday a new tool was

released, petted pottom, I think that's how it is pronounced. Sorry if I got this

wrong and this tool uses one original vulnerability

but then also chains a number of other issues with Windows in order to gain full access

to a domain controller.

At the core of all of this is NTLM Reall.

Entimil Reallall attacks are well known and have been used for a while.

The trick here is that the attacker has a machine in the middle position and is able to

intercept credentials being sent.

And as the name implies, the attacker is reeling the credentials and in doing so impersonating

the users whose session has been intercepted.

Now while there are plenty of tools to actually conduct this attack, the problem has been,

how do I get the victim to actually initiate the connection?

And the new weakness being exploited here is that it's possible to trigger such a request

using Microsoft's encrypted file system remote protocol.

And to make things worse, no authentication is required to trigger the request.

And an attacker is able to trigger a request to an Active Directory certificate services,

and these requests are sent over HTTP, and they may use MTLM for authentication, making them ideal for relay attacks.

...