[SECURITY ALERT] Zerologon Exploitation

Written by Joe Helle, Security Engineer

 

Introduction 

In August 2020, Microsoft released the first of two parts of a critical security patch for CVE-2020-1472 (Zerologon), a vulnerability in the Netlogon Remote Protocol that allows an attacker to take over privileged domain accounts.

The vulnerability exists because of weak cryptography in MS-NRPC authentication: the AES-CFB8 mode used to compute Netlogon credentials was implemented with an initialization vector fixed at all zeros instead of a random value. When the client challenge is also all zeros, roughly one session key in 256 yields an all-zero credential, so an attacker who repeatedly retries the Netlogon handshake with zeros will, after a few hundred attempts on average, authenticate as a domain-joined computer without knowing its password. Combined with other weaknesses in the protocol, this lets the attacker change a computer's Active Directory machine account password, including the domain controller's own, which in turn allows the password hashes to be dumped from the controller and used in attacks such as pass-the-hash. 

 

Zerologon In Use 

Using publicly available, easy-to-use tools, an attacker can abuse this vulnerability against a targeted domain controller and take over any account in the domain.

This includes administrator, user, and service accounts. Once an attacker has this access, they can manage or manipulate the domain at will: create or delete accounts and services, modify domain DNS records (DNS poisoning), and much more.

Critical organizational infrastructure is at risk of denial or destruction of service, theft of customer, client, or patient personally identifiable information (PII), and sustained malicious persistence on the domain itself. The exploit requires no credentials, only network access to the domain controller's Netlogon RPC interface, which makes it especially attractive to insiders and to any attacker who has already gained a foothold on the internal network.   

To conduct the exploit, the attacker needs only a Zerologon exploit such as the one found here and a current version of the Impacket toolkit, specifically secretsdump.py. Executing the exploit is simple: once it succeeds, the attacker can authenticate to the domain as the domain controller itself and dump all available user hashes. The exploit leaves the controller's machine account password empty, which breaks replication and other domain controller functions and is quickly noticed, so to cover their tracks the attacker resets the computer account password (for example with Reset-ComputerMachinePassword) and then simply uses the hash dump for continued access.
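The handshake flaw described in the introduction and the exploit flow described above, as an added simulation written for this alert. It is not code from the original post, from Secura's exploit or from Impacket. Assumptions: AES-128 is replaced by an HMAC-SHA256 keyed function (CFB8 only ever runs the block cipher forwards, so the mode-level flaw is identical), the MD4 password hash is replaced by SHA-256, the session-key derivation is simplified, and FakeDC is a sketch of the MS-NRPC calls it is named after rather than a real Netlogon server.

```python
"""Added example: the Zerologon flaw in miniature (CVE-2020-1472).

Stand-alone simulation, not code from the original article or from any exploit tool.
Assumptions: HMAC-SHA256 stands in for AES-128, SHA-256 for MD4, and FakeDC is a
simplified sketch of the MS-NRPC calls it is named after.
"""
import hashlib
import hmac
import random

BLOCK = 16
ZERO_IV = bytes(BLOCK)   # the IV MS-NRPC hard-coded instead of choosing at random
ZERO = bytes(8)          # all-zero challenge / credential the attacker sends


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """16-byte keyed block function standing in for AES-128 (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB8: each byte is XORed with the first byte of E_k(shift register), then the
    register is fed the *ciphertext* byte.  With IV = 0 and all-zero input the register
    stays zero whenever E_k(0)[0] == 0, so the whole output is zero for 1 key in 256."""
    shift = bytearray(iv)
    out = bytearray()
    for b in data:
        o = b ^ block_encrypt(key, bytes(shift))[0]
        out.append(o)
        shift = shift[1:] + bytes([b if decrypt else o])
    return bytes(out)


def derive_session_key(secret: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    """Simplified NRPC key derivation: HMAC over both challenges, truncated to 16 bytes."""
    return hmac.new(secret, client_challenge + server_challenge, hashlib.sha256).digest()[:BLOCK]


class FakeDC:
    """Toy domain controller running the unpatched handshake (assumption)."""

    def __init__(self, machine_password: bytes, rng: random.Random):
        self.machine_password = machine_password
        self.rng = rng
        self.session_key = None
        self.client_challenge = None
        self.authenticated = False

    def server_req_challenge(self, client_challenge: bytes) -> bytes:
        """NetrServerReqChallenge: fresh server challenge, hence a fresh session key."""
        server_challenge = self.rng.getrandbits(64).to_bytes(8, "big")
        secret = hashlib.sha256(self.machine_password).digest()  # stands in for MD4
        self.client_challenge = client_challenge
        self.session_key = derive_session_key(secret, client_challenge, server_challenge)
        self.authenticated = False
        return server_challenge

    def server_authenticate3(self, client_credential: bytes) -> bool:
        """NetrServerAuthenticate3: credential must equal CFB8(key, IV=0, client_challenge).
        (The real exploit also clears the sign/seal negotiate flags here; omitted.)"""
        expected = cfb8_crypt(self.session_key, ZERO_IV, self.client_challenge)
        self.authenticated = hmac.compare_digest(expected, client_credential)
        return self.authenticated

    def server_password_set2(self, encrypted_blob: bytes) -> None:
        """NetrServerPasswordSet2: 512-byte buffer with the new password right-aligned,
        followed by a 4-byte little-endian length.  516 zero bytes decrypt to zeros under
        a zero-keystream key, i.e. length 0 = empty password."""
        if not self.authenticated:
            raise PermissionError("not authenticated")
        blob = cfb8_crypt(self.session_key, ZERO_IV, encrypted_blob, decrypt=True)
        length = int.from_bytes(blob[512:516], "little")
        self.machine_password = blob[512 - length:512]


def zerologon(dc: FakeDC, max_attempts: int = 5000):
    """Retry the handshake with all-zero challenge and credential until the fresh
    session key happens to yield a zero keystream (about 1 success per 256 tries)."""
    for attempt in range(1, max_attempts + 1):
        dc.server_req_challenge(ZERO)
        if dc.server_authenticate3(ZERO):
            dc.server_password_set2(bytes(516))
            return attempt
    return None


def run_attack(seed: int = 2020, password: bytes = b"original-machine-password"):
    """Deterministic driver: returns (attempts needed, DC machine password afterwards)."""
    dc = FakeDC(password, random.Random(seed))
    return zerologon(dc), dc.machine_password


def zero_keystream_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random keys whose CFB8 keystream starts with a zero byte (about 1/256)."""
    rng = random.Random(seed)
    hits = sum(block_encrypt(rng.getrandbits(128).to_bytes(16, "big"), ZERO_IV)[0] == 0
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    attempts, pw = run_attack()
    print(f"handshake accepted after {attempts} attempts; DC machine password is now {pw!r}")
    print(f"zero-keystream rate over 20000 keys: {zero_keystream_rate(20000):.4f}")
```

Running it shows the two halves of the attack: the retry loop succeeds after a few hundred handshakes because every attempt gets a new session key and one key in 256 produces an all-zero credential, and the same zero keystream makes an all-zero password blob decrypt to an empty password. A random IV per call, which is what CFB8 requires, would break the first step because the register would no longer start at zero.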

 

Mitigation

Current mitigation requires organizations to apply the Microsoft security patch released on August 11, 2020 to every domain controller. Application whitelisting within the domain is a useful additional measure, as is network segmentation between domain-joined and non-joined workstations and endpoints so that only trusted hosts can reach the controllers' RPC interfaces.

Microsoft will enable the enforcement phase for this vulnerability on February 9, 2021. From then on, domain controllers will reject Netlogon secure channel connections from any device that does not use secure RPC, so every machine on the domain must be patched or otherwise secured beforehand or it will be refused access until it is. Until enforcement begins, the August patch logs any vulnerable connection it still allows, which is how non-compliant devices can be found ahead of the deadline. 
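A way to act on the logging that the August patch adds, as an added example written for this alert and not code from the original post or from Microsoft. It triages the Netlogon events a patched domain controller records: 5827 and 5828 (vulnerable connection denied), 5829 (vulnerable connection still allowed, so it will break at enforcement) and 5830 and 5831 (allowed by the exception group policy). Assumptions: the records are constructed samples shaped like a JSON export of Get-WinEvent with field names EventID, Computer and Message, their wording follows Microsoft's support article for CVE-2020-1472 (KB4557222), and the operator supplies the list of domain controller names.

```python
"""Added example: triaging the Netlogon events introduced by the August 2020 patch.

Written for this alert, not code from the original article or from Microsoft.  The
records below are constructed samples (assumed field names: EventID, Computer, Message)
whose text follows the wording in Microsoft's KB4557222.  Note that an unpatched DC logs
none of these events: this check only works after the August update is installed.
"""
import re

DENIED = {5827, 5828}             # vulnerable connection refused (machine / trust account)
ALLOWED_VULNERABLE = {5829}       # allowed only until the enforcement phase begins
ALLOWED_BY_POLICY = {5830, 5831}  # exempted via the "Allow vulnerable ..." group policy
NETLOGON_EVENTS = DENIED | ALLOWED_VULNERABLE | ALLOWED_BY_POLICY

SAM_RE = re.compile(r"Machine SamAccountName:\s*(\S+)")

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 5829, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
                "Warning: This connection will be denied once the enforcement phase is released.\n"
                "Machine SamAccountName: NAS-LEGACY$\nDomain: CORP\n"
                "Account Type: Workstation Trust Account\nMachine Operating System: Linux"},
    {"EventID": 5827, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection "
                "from a machine account.\nMachine SamAccountName: DC01$\nDomain: CORP\n"
                "Account Type: Server Trust Account\nMachine Operating System: "},
    {"EventID": 5827, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection "
                "from a machine account.\nMachine SamAccountName: WKS-OLD$\nDomain: CORP\n"
                "Account Type: Workstation Trust Account\nMachine Operating System: Windows 7"},
    {"EventID": 5830, "Computer": "DC01.corp.example",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection "
                "from a machine account because the machine account is allowed in the "
                "\"Domain controller: Allow vulnerable Netlogon secure channel connections\" "
                "group policy.\nMachine SamAccountName: PRINTSRV$\nDomain: CORP"},
    {"EventID": 4624, "Computer": "DC01.corp.example",
     "Message": "An account was successfully logged on."},
]


def sam_name(event: dict):
    """Pull the 'Machine SamAccountName' field out of the event message, if present."""
    m = SAM_RE.search(event.get("Message", ""))
    return m.group(1) if m else None


def triage(events, dc_names):
    """Group Netlogon events by what they mean for enforcement readiness.

    dc_names are the domain's controller hostnames (operator-supplied; an assumption of
    this example).  A 5827 that names a controller's *own* machine account is the trace
    Zerologon leaves on a patched DC: the attacker authenticates as the controller with
    the all-zero credential and the patch refuses the non-secure channel.
    """
    out = {"denied": set(), "allowed_vulnerable": set(),
           "exempted": set(), "possible_zerologon": set()}
    dc_accounts = {n.upper().rstrip("$") + "$" for n in dc_names}
    for ev in events:
        eid = ev.get("EventID")
        if eid not in NETLOGON_EVENTS:
            continue
        name = sam_name(ev)
        if name is None:
            continue
        if eid in DENIED:
            out["denied"].add(name)
            if eid == 5827 and name.upper() in dc_accounts:
                out["possible_zerologon"].add(name)
        elif eid in ALLOWED_VULNERABLE:
            out["allowed_vulnerable"].add(name)   # will be refused once enforcement begins
        else:
            out["exempted"].add(name)             # review: explicit exception to enforcement
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for category, names in triage(SAMPLE_EVENTS, {"DC01"}).items():
        print(f"{category:20s} {', '.join(names) or '-'}")
```

The "allowed_vulnerable" list is the one to work through before February 9, 2021: each of those devices needs a vendor update or an explicit policy exception, or it loses its secure channel at enforcement. A "possible_zerologon" hit deserves incident-response attention rather than patch planning.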

Use the form below to request a vulnerability scan to determine if your environment is at risk for this exploit.

 

Video Walkthrough

 

References

Secura Zerologon Whitepaper

Microsoft Support Documentation

Microsoft Security Update Guide