Diego Martín Moreno Blockchain technology In the previous article we talked about the basic concepts of the blockchain, and now we will focus on the current technologies to implement a blockchain solution. Blockchain and Smart...
Florence Broderick Big Dating: Could AI be the real matchmaker on Tinder? Online dating platforms such as Tinder, Happn and Hinge are seeing exponential growth, slowly sliding on to the home screens of smartphone users all over the world. Last week...
Cascajo Sastre María 5 ways the IoT is helping the Environment The United Nations uses World Environment Day every year to create awareness regarding pressing environmental issues. This year the topic is “Time for Nature“. We will see how even...
Beatriz Sanz Baños Superpowers for everyone Tony Stark (Ironman): The number 1 IoT fan Ironman is quite probably the Avenger who has made the most of technology. His main weapon is his high level of intelligence, which, throughout...
Gabriel Bergel Risk Analysis Applied to COVID-19 Our CSA Gabriel Bergel shows you how to apply the Risk Analysis methodology to the management of the COVID-19 threat.
ElevenPaths ElevenPaths is a Fortinet’s Alliance Technology Partner Solutions Integration with Vamps and Metashield Fortinet is a Strategic Partner of ElevenPaths, Telefónica Cyber Security unit, with more than 15 years working together, and on June 2016, we strengthened...
Zerologon, Patch or Die!Nacho Brihuega 14 October, 2020 Zerologon. If you are in the IT world and haven’t heard this name yet, you should be worried. Keep reading. Zerologon is possibly the vulnerability of this “special” year and certainly of the last ones. It is one of those vulnerabilities that leaves no one indifferent. First of all, is this vulnerability that critical? Yes, yes and a thousand times yes. Personally, I would say that it is the most critical vulnerability I have known since I entered the cybersecurity world. Let’s start from the beginning: Zerologon (CVE-2020-1472) was discovered in August 2020 by the company Secura, it was directly reported to Microsoft, who assigned a CVSS of 10.0 (out of 10, the highest possible criticality). Subsequently, on September 11, Secura published an advisory and a paper on the vulnerability, which included a tool to detect vulnerable machines. After this, numerous PoCs and tools have been published that allow the vulnerability to be exploited. Why is this vulnerability so critical? Because it allows any user (it doesn’t even require to be in the domain) with connectivity to the DC to reset the password of the admin domain. I encourage you to read the article written by hackplayers on this subject. Zerologon Practical Analysis Once we have seen the theory, let’s get in practice. To test the vulnerability, a DC has been created in a virtual machine, in my case the victim machine has the following IP: 192.168.0.21 First, once you have connectivity to the DC, you can use the Secura script to test whether the DC is vulnerable. However, one of the parameters of the script is the hostname. For this, we can use nma: Or you can use an SMB listing with Crackmapexec And, as you can see by passing that parameter together with the IP, the script gives us as a result if the DC is vulnerable to Zerologon. Once checked that it is in fact vulnerable, making use of this repository it has two scripts: CVE-2020-14-72-exploit.py: allows the exploitation of the vulnerability to be automated.Restorepassword.py allows to reset the password. However, if we run it as it is, we will encounter this problem of impacket: To solve this, we can choose from the following options: Remove impacket and download the latest version (you can check this reference).Use a virtualenv (in this article from S4vitar you can check how to). Now running it again, it works: Likewise, the author of Mimikatz has already updated the tool to take advantage of this vulnerability. In this link you can see the GIF he has prepared with the PoC How can this functionality be used? By taking advantage of this resource we have the command like this: secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'DOMAIN/DC_NETBIOS_NAME$@dc_ip_addr' In our case: Obtaining a list of all the hashes of the domain users You could then either crack the hashes or use the Pass the Hash technique to authenticate yourself in DC. To do this, you can use pth-winexe o evil-winrm with the administrator hash: To reset your password, you will need to use the z“restorepassword” script: python restorepassword.py <DOMAIN><hostname>@<hostname> -target-ip IP -hexpass 54656d706f7………etc or use this functionality. zpython3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR ORIG_NT_HASH Remember to reset your password if you try it in an intrusion test. And above all… Patch, patch, patch! Recommendations Identify vulnerable machines with the Secura check script and apply the patch: CVE-2020-1472 | Netlogon Elevation of Privilege VulnerabilityCVE-2020-1472 Detail References [Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)CVE-2020-1472 | Netlogon Elevation of Privilege VulnerabilityHacking Windows con Zerologon: Vulnerabilidad crítica que puede comprometer tu Domain Controller #Parchea (Spanish)Zerologon desatado: la vulnerabilidad que permite comprometer cualquier controlador de dominio de Windows fácilmente (Spanish)CCN-CERT AL 09/20 Vulnerabilidad crítica en Windows Server (Spanish) The Future of Digital Signatures to Protect Your Money Lies in Threshold CryptographyThinking About Attacks on WAFs Based on Machine Learning
Carlos Ávila IoTM Mobile Applications and The Relevance Of Their Security Almost a year ago in the article “Internet of Health“ I described how incredible is the amount of applications and devices that the medical industry has deployed and will...
ElevenPaths DevSecOps: 7 Key Factors for Implementing Security in Devops DevSecOps, also known as SecDevOps, is a software development philosophy that advocates the adoption of security throughout the software development lifecycle (SDLC). DevSecOps is more than just a specific...
Antonio Gil Moyano Security in video call applications: Microsoft Teams, Zoom and Google Meet There is no doubt that instant messaging programmes have become an essential communication tool in our personal and professional lives. There is also no doubt that video calling applications,...
ElevenPaths Cyber Security Weekly Briefing June 5-11 Microsoft’s monthly bulletin Microsoft has released its June security bulletin, which fixes 50 vulnerabilities, including remote code execution (RCE) flaws, denial of service issues, privilege escalation and memory corruption issues....
ElevenPaths When I grow up I want to be… Engineer “What do you want to be when you grow up? A classic. So simple, yet so complex, and curiously so often asked when we are just kids… when perhaps...
Innovation and Laboratory Area in ElevenPaths We Are Taking Part in The Arsenal Black Hat USA 2021: Hybrid Pandemic Mode On Once again, the ElevenPaths Innovation and Lab team is taking part in the Black Hat USA 2021 Arsenal in Las Vegas to share a new open-source tool with the...
