Zerologon, Patch or Die!

Nacho Brihuega    14 October, 2020
Zerologon, Patch or Die!

Zerologon. If you are in the IT world and haven’t heard this name yet, you should be worried. Keep reading.

Zerologon is possibly the vulnerability of this “special” year and certainly of the last ones. It is one of those vulnerabilities that leaves no one indifferent. First of all, is this vulnerability that critical? Yes, yes and a thousand times yes. Personally, I would say that it is the most critical vulnerability I have known since I entered the cybersecurity world.

Let’s start from the beginning: Zerologon (CVE-2020-1472) was discovered in August 2020 by the company Secura, it was directly reported to Microsoft, who assigned a CVSS of 10.0 (out of 10, the highest possible criticality). Subsequently, on September 11, Secura published an advisory and a paper on the vulnerability, which included a tool to detect vulnerable machines. After this, numerous PoCs and tools have been published that allow the vulnerability to be exploited.

Why is this vulnerability so critical?

Because it allows any user (it doesn’t even require to be in the domain) with connectivity to the DC to reset the password of the admin domain. I encourage you to read the article written by hackplayers on this subject.

Zerologon Practical Analysis

Once we have seen the theory, let’s get in practice. To test the vulnerability, a DC has been created in a virtual machine, in my case the victim machine has the following IP: 192.168.0.21

First, once you have connectivity to the DC, you can use the Secura script to test whether the DC is vulnerable.

However, one of the parameters of the script is the hostname. For this, we can use nma:

Or you can use an SMB listing with Crackmapexec

And, as you can see by passing that parameter together with the IP, the script gives us as a result if the DC is vulnerable to Zerologon.

Once checked that it is in fact vulnerable, making use of this repository it has two scripts:

  • CVE-2020-14-72-exploit.py: allows the exploitation of the vulnerability to be automated.
  • Restorepassword.py allows to reset the password.

However, if we run it as it is, we will encounter this problem of impacket:

To solve this, we can choose from the following options:

Now running it again, it works:

Likewise, the author of Mimikatz has already updated the tool to take advantage of this vulnerability. In this link you can see the GIF he has prepared with the PoC

How can this functionality be used? By taking advantage of this resource we have the command like this:

secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'DOMAIN/DC_NETBIOS_NAME$@dc_ip_addr'

In our case:

Obtaining a list of all the hashes of the domain users

You could then either crack the hashes or use the Pass the Hash technique to authenticate yourself in DC. To do this, you can use pth-winexe o evil-winrm with the administrator hash:

To reset your password, you will need to use the z“restorepassword” script:

python restorepassword.py <DOMAIN><hostname>@<hostname> -target-ip IP -hexpass 54656d706f7………etc

or use this functionality.

zpython3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR ORIG_NT_HASH

Remember to reset your password if you try it in an intrusion test.

And above all… Patch, patch, patch!

Recommendations

Identify vulnerable machines with the Secura check script and apply the patch:

References

Leave a Reply

Your email address will not be published. Required fields are marked *