Understanding and Mitigating the Zerologon Vulnerability
Introduction to the Zerologon Vulnerability
In August 2020, Microsoft released patches for a critical vulnerability, tracked as CVE-2020-1472, in the Netlogon Remote Protocol implemented by Domain Controller machines in Active Directory environments; the technical details were published by Secura the following month. The vulnerability, known as Zerologon, was rated CVSS 10.0, the maximum severity. An attacker who can reach a Domain Controller over the network can exploit it without any credentials to take control of the Domain Controller and, from there, the whole domain.
Understanding the Zerologon Exploit
The Zerologon vulnerability stems from a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC), which secures communication between workstations, servers, and Domain Controller machines in Active Directory environments. The protocol's ComputeNetlogonCredential function encrypts an 8-byte challenge with AES-128 in CFB8 mode using an initialization vector that is always all zeros. With a zero IV and a plaintext of zero bytes, the ciphertext is also all zero bytes whenever the first byte of the AES encryption of a zero block happens to be zero, which is the case for roughly one in 256 keys. An attacker who sends an all-zero client challenge and an all-zero client credential therefore passes the NetrServerAuthenticate3 check after about 256 attempts on average, without knowing the computer account password from which the session key is derived. Because the attacker also requests negotiate flags that disable signing and sealing, the session key never has to be used afterwards.
The Netlogon Protocol
The Netlogon protocol maintains the secure channel that domain members use to talk to Domain Controllers. Every workstation or server joined to Active Directory has a computer account (its hostname followed by a '$') with a password known to both the machine and the directory. That password is used to derive the session key of the Netlogon secure channel as well as the keys the machine uses in authentication protocols such as Kerberos and NTLM.
Exploiting the Zerologon Vulnerability
The Zerologon attack uses the authentication bypass to call NetrServerPasswordSet2 and reset the password of the Domain Controller's own computer account in Active Directory to an empty string. The attacker can then authenticate to the Domain Controller as that computer account with the empty password. A Domain Controller's computer account holds the replication privileges required by the Directory Replication Service (DRSUAPI) protocol, so the attacker can request a replication of Active Directory data (the technique known as DCSync). That replication includes the NT hashes and Kerberos keys of every account, including krbtgt; with them the attacker can impersonate any user in the domain or forge Kerberos tickets.
Impact and Mitigation of Zerologon
Resetting the Domain Controller's computer account password in Active Directory leaves it out of step with the password the Domain Controller itself still holds locally (the $MACHINE.ACC entry in the LSA secrets of the registry, cached in the memory of lsass.exe), which the reset does not update. Once the Domain Controller is rebooted or tries to use its secure channel with the stale password, services that depend on it, such as DNS and replication, fail. A penetration test that exploits Zerologon must therefore restore the original password: the local LSA secrets dumped from the Domain Controller still contain the original machine account password, and it can be written back to Active Directory with NetrServerPasswordSet2 (the public proof-of-concept repositories include a script for exactly this).
Using ADZero for Exploitation
The Privia Security team wrapped the Zerologon exploit module into a tool called ADZero, which automates the whole chain and ends with a shell session with NT AUTHORITY\SYSTEM privileges on a vulnerable Domain Controller machine. The tool requires only the IP address of the Domain Controller to execute the exploit.
Steps to Exploit Zerologon
- SMB Login Request: ADZero sends an SMB login (session setup) request to the Domain Controller at the provided IP address.
- Extracting Domain Information: The NTLM challenge in the Domain Controller's response carries its NetBIOS computer name and domain name, so no credentials are needed to learn them.
- Executing the Exploit: The exploit module is run with the Domain Controller's IP address and the computer account name, which is the Domain Controller's name followed by a '$' symbol. It repeatedly calls NetrServerReqChallenge with an all-zero client challenge and NetrServerAuthenticate3 with an all-zero client credential and negotiate flags that disable signing and sealing, until one attempt is accepted (about 256 on average; the module gives up after a few thousand).
- Resetting the Password: Over the accepted binding, NetrServerPasswordSet2 is called with an all-zero authenticator and a 516-byte all-zero ClearNewPassword buffer. Under a session key that encrypts zeros to zeros, that buffer decrypts to a password of length 0, so the Domain Controller's computer account password becomes empty and the attacker can authenticate with it.
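The flaw described under "Understanding the Zerologon Exploit" and steps 3 and 4 above, as an added example that is not part of the original page and not ADZero's code: a pure-Python AES-128, the MS-NRPC ComputeNetlogonCredential routine (AES-CFB8 with the fixed zero IV), a stand-in for the server-side NetrServerAuthenticate3 check, the attacker's retry loop, and the DC-side decoding of the NL_TRUST_PASSWORD buffer that turns 516 zero bytes into an empty password. Names such as `session_key_for_attempt`, `zerologon_bypass` and `empty_password_reset` are this example's own; the session key is a constructed stand-in derived from a counter (the real one is derived from the machine password and the fresh server challenge of every attempt), and nothing here touches the network.

```python
"""Zerologon (CVE-2020-1472) flaw simulated offline: pure-Python AES-128 and the
MS-NRPC ComputeNetlogonCredential routine (AES-CFB8 with a fixed all-zero IV).
Added example; session keys are a constructed stand-in (a fresh key per attempt)."""
import hashlib

def _build_sbox():
    # Rijndael S-box: p walks GF(2^8)* by *3, q by /3 (so q is always 1/p), then affine map.
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        for k in (1, 2, 4): q ^= q << k
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _xtime(a):  # multiply by x in GF(2^8) with the AES polynomial
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each, column-major."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _encrypt_block(round_keys, block):
    """One AES-128 block encryption; state index = row + 4 * column."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd < 10:                                        # MixColumns
            s = [_xtime(s[c + r]) ^ _xtime(s[c + (r + 1) % 4]) ^ s[c + (r + 1) % 4]
                 ^ s[c + (r + 2) % 4] ^ s[c + (r + 3) % 4]
                 for c in range(0, 16, 4) for r in range(4)]
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]
    return bytes(s)

def aes_self_test():
    """FIPS-197 Appendix C.1 known-answer test; returns the ciphertext as hex."""
    rk = _expand_key(bytes(range(16)))
    return _encrypt_block(rk, bytes.fromhex("00112233445566778899aabbccddeeff")).hex()

def compute_netlogon_credential(session_key, data, decrypt=False):
    """MS-NRPC ComputeNetlogonCredential, AES flavour: AES-128 CFB8 with an IV that
    is always 16 zero bytes (the root cause). Also applied to ClearNewPassword."""
    rk, shift, out = _expand_key(session_key), bytearray(16), bytearray()
    for b in data:
        o = b ^ _encrypt_block(rk, bytes(shift))[0]
        out.append(o)
        shift = shift[1:] + bytes([b if decrypt else o])  # feed back the ciphertext byte
    return bytes(out)

def server_accepts(session_key, client_challenge, client_credential):
    """The check NetrServerAuthenticate3 makes on the client credential."""
    return compute_netlogon_credential(session_key, client_challenge) == client_credential

def session_key_for_attempt(i, seed=b"zerologon-demo"):
    """Constructed stand-in: the real key depends on a fresh server challenge each time."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:16]

def zerologon_bypass(max_attempts=20000):
    """Attacker loop: zero challenge, zero credential, retry until a session key maps
    zeros to zeros (about 1 in 256). Returns (attempts, session_key) or None."""
    zero = bytes(8)
    for i in range(1, max_attempts + 1):
        key = session_key_for_attempt(i)
        if server_accepts(key, zero, zero):
            return i, key
    return None

def build_trust_password(password):
    """NL_TRUST_PASSWORD: 512-byte buffer with the UTF-16LE password at its end
    (leading filler is arbitrary), then the 4-byte little-endian byte length."""
    pw = password.encode("utf-16-le")
    return bytes(512 - len(pw)) + pw + len(pw).to_bytes(4, "little")

def parse_trust_password(session_key, encrypted_blob):
    """DC side of ClearNewPassword: decrypt (same zero-IV CFB8), read the trailing
    length, take that many bytes from the end of the buffer."""
    clear = compute_netlogon_credential(session_key, encrypted_blob, decrypt=True)
    length = int.from_bytes(clear[512:516], "little")
    if length > 512:
        raise ValueError("invalid password length")
    return clear[512 - length:512].decode("utf-16-le")

def empty_password_reset():
    """Bypass, then decode the 516 zero bytes the exploit sends as the new password."""
    attempts, key = zerologon_bypass()
    return attempts, parse_trust_password(key, bytes(516))
```

Calling `empty_password_reset()` returns the number of attempts the simulated server needed before accepting the all-zero credential (a few hundred on average) together with the decoded new password, which is the empty string: the same zero-IV CFB8 that lets the zero credential through also turns the all-zero ClearNewPassword buffer into a zero-length password, and `build_trust_password` with `parse_trust_password` shows that the decoding is the normal one and not a special case.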
Post-Exploitation Activities
Once the Domain Controller's computer account password has been emptied, the attacker uses Impacket's secretsdump.py, authenticating as that computer account with the empty password, to replicate the domain's secrets and obtain the Administrator user's LM:NTLM hash. Impacket's smbexec.py then accepts that hash in place of a password to open a shell on the Domain Controller. This technique, known as Pass-the-Hash, yields a shell session with NT AUTHORITY\SYSTEM privileges.
Obtaining Meterpreter Session
The same LM:NTLM hash can also be used to obtain a Meterpreter session with the Metasploit Framework's psexec exploit module (exploit/windows/smb/psexec), which accepts the hash as the SMB password and executes its payload on the Domain Controller with NT AUTHORITY\SYSTEM privileges.
Conclusion
The Zerologon vulnerability is a critical security flaw that requires immediate attention. The fix is the August 2020 security update (or any later cumulative update) on every Domain Controller; since the February 2021 enforcement phase, patched Domain Controllers reject Netlogon secure-channel connections that do not use secure RPC, and they log events 5827 to 5831 in the System log for the connections they deny or allow under that policy, which is where to look for unpatched or non-compliant machines. Understanding the exploit process also helps defenders recognise the attack: a burst of NetrServerReqChallenge and NetrServerAuthenticate3 calls from one host, followed by a password change on a Domain Controller's own computer account. The ADZero tool, developed by Privia Security, highlights the ease with which this vulnerability can be exploited, underscoring the need for vigilant security practices.
For more information and to download the ADZero tool, visit the Privia Security GitHub repository.