Greetings everyone!
In today’s post, we’ll be exploring the ZeroLogon vulnerability and demonstrating just how easy it is to exploit!
What Is It?
The ZeroLogon vulnerability, tracked as CVE-2020-1472, is an authentication bypass in the Netlogon Remote Protocol (MS-NRPC), the remote procedure call (RPC) interface that Windows uses to authenticate users and computers on domain-joined networks. Because the bypass lets an unauthenticated attacker reset a domain controller's machine account password, it leads directly to privilege escalation.
According to a blog post on Secura's website, Zerologon takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process. Specifically, the credential step (ComputeNetlogonCredential) encrypts an 8-byte challenge with AES in CFB8 mode using a fixed all-zero IV. With that IV, an all-zero challenge encrypts to an all-zero credential for roughly one session key in 256, so an attacker who keeps sending zeros for both the challenge and the credential is accepted after about 256 attempts on average, without knowing the machine password.
This bug allows an attacker to manipulate the Netlogon authentication procedures and:
- Impersonate the identity of any computer on a network when trying to authenticate against the domain controller
- Disable security features in the Netlogon authentication process
- Change a computer's password in the Domain Controller's Active Directory (the directory database that holds, among other things, every domain-joined computer account and its password hash)
Sources:
https://www.secura.com/blog/zero-logon
https://www.zdnet.com/article/zerologon-attack-lets-hackers-take-over-enterprise-networks/
https://www.trendmicro.com/en_ca/what-is/zerologon.html
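The following is an added example, not code from this post or from the exploit scripts it uses. It reimplements the AES-CFB8 credential computation with its fixed zero IV and shows why sending an all-zero challenge and an all-zero credential is accepted for about one session key in 256. The session keys below are random or counter-derived stand-ins (an assumption for the demo); in the real protocol the session key is derived from the machine password and both challenges, but since the server picks a fresh random challenge on every call, the key is effectively unpredictable per attempt, which is exactly the situation modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// cfb8Encrypt is AES-128 in CFB8 mode: each plaintext byte is XORed with the
// first byte of AES(shiftRegister); the register then slides left by one byte
// and takes the new ciphertext byte in at the end.
func cfb8Encrypt(key [16]byte, iv [16]byte, plaintext []byte) []byte {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // a 16-byte key is always valid for AES-128
	}
	shift := iv
	var keystream [16]byte
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream[:], shift[:])
		c := p ^ keystream[0]
		out[i] = c
		copy(shift[:15], shift[1:]) // copy handles the overlap correctly
		shift[15] = c
	}
	return out
}

// NetlogonCredential models the AES flavour of ComputeNetlogonCredential
// (MS-NRPC 3.1.4.4.2): the 8-byte challenge is encrypted with AES-CFB8 under
// the session key with a fixed all-zero IV. That fixed IV is the defect: if
// the first keystream byte is zero, a zero plaintext byte gives a zero
// ciphertext byte, the shift register stays all zero, and every later byte
// is zero too.
func NetlogonCredential(sessionKey [16]byte, challenge [8]byte) [8]byte {
	var zeroIV [16]byte
	var cred [8]byte
	copy(cred[:], cfb8Encrypt(sessionKey, zeroIV, challenge[:]))
	return cred
}

// IsAllZero reports whether every byte of the credential is zero.
func IsAllZero(b [8]byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// ServerAccepts models the NetrServerAuthenticate3 check: the server recomputes
// the credential for the client's challenge and compares it with what was sent.
func ServerAccepts(sessionKey [16]byte, clientChallenge, clientCredential [8]byte) bool {
	return NetlogonCredential(sessionKey, clientChallenge) == clientCredential
}

// ZeroLogonAttempt is one attacker call: challenge = 0, credential = 0.
func ZeroLogonAttempt(sessionKey [16]byte) bool {
	var zero [8]byte
	return ServerAccepts(sessionKey, zero, zero)
}

// SimulateAttack retries with a fresh random session key each time (stand-in
// for the server's fresh challenge) and returns how many attempts it took.
func SimulateAttack(maxAttempts int) (int, bool) {
	for n := 1; n <= maxAttempts; n++ {
		var k [16]byte
		if _, err := rand.Read(k[:]); err != nil {
			panic(err)
		}
		if ZeroLogonAttempt(k) {
			return n, true
		}
	}
	return maxAttempts, false
}

// FindZeroSessionKey scans counter-derived keys 0,1,2,... and returns the
// first one for which the all-zero challenge yields an all-zero credential.
func FindZeroSessionKey(limit int) ([16]byte, bool) {
	for i := 0; i < limit; i++ {
		var k [16]byte
		k[0], k[1], k[2], k[3] = byte(i), byte(i>>8), byte(i>>16), byte(i>>24)
		if ZeroLogonAttempt(k) {
			return k, true
		}
	}
	return [16]byte{}, false
}

func main() {
	n, ok := SimulateAttack(5000)
	fmt.Printf("accepted=%v after %d attempts (expect ~256 on average)\n", ok, n)
	k, found := FindZeroSessionKey(100000)
	fmt.Printf("weak key %x found=%v -> credential %x\n", k, found, NetlogonCredential(k, [8]byte{}))
}
```

The real exploit scripts loop in exactly this way, and the only reason the loop terminates quickly is the zero IV: with a random IV, or with an authenticator that included the server challenge, a zero credential would be correct with probability 2^-64 per attempt rather than 2^-8.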
Sounds pretty scary! Let’s try exploiting the vulnerability to see just how scary it really is!
I have a small virtual network set up, so we'll be attacking that for a proof of concept!
The Domain Controller in the lab has an IP of 192.168.192.148, has a hostname of Arceus01DC, and is part of the Pokemon.local domain. With that information, let’s fire up Kali and start attacking! I’ve already downloaded the exploit script from Github, so we’ll just need to be in the directory where it’s installed in order to fire off the exploit!
For the first step of the attack, we’ll be using the set_empty_pw.py script. All we’ll have to do is set the hostname of the DC that we’ll be attacking and its IP address:
Looks like the first step completed successfully! The DC will now have an empty string as its machine account password in Active Directory. Note that the password stored locally on the DC itself is not changed, so until it is restored the DC can no longer authenticate as itself, which breaks replication with other DCs; the exploit repositories ship a restore script for exactly this reason. Now we can dump the hashes using that empty machine password! Here we'll need to specify the domain, DC hostname, and its IP address:
We know that the machine password will have an empty string, so on this prompt we can simply hit enter and not enter a password:
Look at all those hashes! Now for our third step, we're going to grab that nice-looking Administrator NT hash and authenticate with it (pass-the-hash) using wmiexec!
We have a shell! We can verify who we are by using the whoami command:
We can also confirm we are actually on the DC:
There you have it folks! It's really just that easy to take over a domain with the ZeroLogon vulnerability. Make sure your systems are patched! Microsoft's fix shipped in the August 2020 updates, with enforcement of secure RPC for all Netlogon connections switched on from February 2021, so a domain controller that is current on updates is not exploitable this way.
Thanks for reading!