The Power of Coercion Techniques in Windows Environments
Coercion techniques, such as PetitPotam or Printer Bug have been around for some time now. Surprisingly, many people believe that these techniques have been fixed and are no longer exploitable. In this presentation, I will demonstrate how these techniques can still be used to take over systems in a Windows environment. Coercion techniques like PetitPotam or Printer Bug do not have a lot of impact on their own. Essentially, they command a machine to connect to another IP address. Although Windows Authentication protocols are flawed, they are not flawed to the extent that this alone can result in the takeover of a system. This is likely why such “vulnerabilities” remain largely unfixed. However, these techniques can be used to exploit other vulnerabilities or misconfigurations. One well-known example is the Active Directory Certificate Service. PetitPotam in combination with a poorly configured Active Directory Certificate Service can allow an attacker to easily take over an entire Windows Domain. Microsoft has now provided guidance on how to configure the environment to prevent falling victim to this attack. Although a patch has been released, the PetitPotam coercion technique is still effective, albeit slightly more challenging to execute. The primary focus of this presentation will be the usage of coercion techniques in combination with lesser-known misconfigurations and how to prevent them. Even if no misconfigured Active Directory Certificate Service exists in an Active Directory, there are still some common misconfigurations that can be exploited using coercion techniques. Fortunately, the countermeasures against these attacks are relatively straightforward and well-known. It is highly probable that they were already suggested in a penetration test report. The intention of this presentation is also to provide additional justification for fixing these issues once and for all.
About the Speaker
Martin Grottenthaler has been working as a Security Consultant for SBA Research in Vienna for over 5 years now, with a primary focus on securing internal networks. In practice this means Windows and Active Directory. In my role, I primarily perform penetration testing and red teaming, as well as providing training on Windows security.