Nacho Brihuega

Technical hacking coordinator at ElevenPaths. He has several years of experience in projects related to ethical hacking, technical audits and social engineering campaigns. He is also an active co-author of the Follow The White Rabbit blog. In recent years he has been a regular speaker at major national cybersecurity conferences, and he holds the OSCP certification.
Cyber Security
Zerologon, Patch or Die!
Zerologon. If you are in the IT world and haven't heard this name yet, you should be worried. Keep reading.

Zerologon is possibly the vulnerability of this "special" year, and certainly of recent years. It is one of those vulnerabilities that leaves no one indifferent. First of all, is this vulnerability really that critical? Yes, yes and a thousand times yes. Personally, I would say it is the most critical vulnerability I have seen since I entered the cybersecurity world.

Let's start from the beginning: Zerologon (CVE-2020-1472) was discovered in August 2020 by the company Secura and reported directly to Microsoft, which assigned it a CVSS score of 10.0 (out of 10, the highest possible criticality). Subsequently, on September 11, Secura published an advisory and a paper on the vulnerability, which included a tool to detect vulnerable machines. After this, numerous PoCs and tools that allow the vulnerability to be exploited have been published.

Why is this vulnerability so critical? Because it allows any user (it doesn't even need to be in the domain) with connectivity to the DC to reset the password of the domain admin. I encourage you to read the article written by hackplayers on this subject.

Zerologon Practical Analysis

Once we have seen the theory, let's get practical. To test the vulnerability, a DC has been created in a virtual machine; in my case the victim machine has the following IP: 192.168.0.21.

First, once you have connectivity to the DC, you can use the Secura script to test whether the DC is vulnerable. However, one of the parameters of the script is the hostname. To obtain it, we can use nmap, or an SMB listing with CrackMapExec. As you can see, passing that parameter together with the IP, the script tells us whether the DC is vulnerable to Zerologon.

Once we have checked that it is in fact vulnerable, we make use of this repository, which has two scripts:
CVE-2020-1472-exploit.py automates the exploitation of the vulnerability.
restorepassword.py allows the password to be restored.

However, if we run it as it is, we will encounter an impacket problem. To solve this, we can choose one of the following options: remove impacket and install the latest version (you can check this reference), or use a virtualenv (this article from S4vitar explains how). Running it again, it now works.

Likewise, the author of Mimikatz has already updated the tool to take advantage of this vulnerability. In this link you can see the GIF he has prepared with the PoC.

How can this functionality be used? Following this resource, the command looks like this:

secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'DOMAIN/DC_NETBIOS_NAME$@dc_ip_addr'

In our case, we obtain a list of all the hashes of the domain users. You could then either crack the hashes or use the Pass the Hash technique to authenticate to the DC. To do this, you can use pth-winexe or evil-winrm with the administrator hash.

To restore the password, you will need to use the "restorepassword" script:

python restorepassword.py <DOMAIN>/<hostname>@<hostname> -target-ip IP -hexpass 54656d706f7………etc

or use this functionality:

python3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR ORIG_NT_HASH

Remember to restore the password if you try it in an intrusion test. And above all... Patch, patch, patch!

Recommendations

Identify vulnerable machines with the Secura check script and apply the patch: CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472 Detail).

References

[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)
CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability
Hacking Windows con Zerologon: Vulnerabilidad crítica que puede comprometer tu Domain Controller #Parchea (Spanish)
Zerologon desatado: la vulnerabilidad que permite comprometer cualquier controlador de dominio de Windows fácilmente (Spanish)
CCN-CERT AL 09/20 Vulnerabilidad crítica en Windows Server (Spanish)
October 1, 2020
Cyber Security
IoT Device Search Engines: Why Choose if We Can Use All of Them?
Current IoT device search portals are widely known and used by the hacker community to run queries or to get a first picture of the services exposed during a pentest. Due to the current confinement situation, many organisations had to implement, in a very short time, the infrastructure needed to guarantee that their employees could telework. Using these search engines, a high number of services enabled for this purpose was quickly detected, most of them RDP. At the beginning of the confinement there were 29,657. Ten hours later the figure had risen to 29,835, and to this day (when this post was written) there are 34,753, concentrated in the main cities where technological activity stands out. Bear in mind: no to public RDP, yes to VPN. This means that RDP services that may be vulnerable to BlueKeep (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708) are being exposed because the relevant security patches have not been applied.

What Are the Implications of This?

Since the beginning of the lockdown, a high number of phishing campaigns and malicious file attachments using COVID-19 as bait have already been detected. In the end, the same actors are always behind these threats. To detect peaks like these, or to collect information from these search engines, we should not limit ourselves to one of them but use as many as we can and compare the resulting data. Some search engines are:

Shodan: https://www.shodan.io/
Censys: https://censys.io/
BinaryEdge: https://www.binaryedge.io/. We already talked about it here: https://empresas.blogthinkbig.com/binaryegde-portal-mas-que-un-buscador-de-activos/ (blog post only available in Spanish)
Onyphe: https://www.onyphe.io/

The Heisenberg Script

As automation is a must, we have collected a couple of scripts for each of the services and unified them into one that queries every service, so we can quickly get a first look. I have called this script "Heisenberg"; you can find it on my GitHub.

Here are some questions to help you understand the features of the script:
What does it do? It gets open ports from the Shodan, Censys, BinaryEdge and Onyphe services.
What is its programming language? Python 3.
What do we need? A free API key for each of these services.
Can we export the results? Yes, to .xlsx.

Having seen this, let's move on to using the tool. The -h option displays the help. As you can see, the script expects to receive the IP addresses in a .txt file via the -i parameter and the necessary API keys via the -a parameter. Regarding the file containing the API keys, below you can find an example of what the file looks like, followed by a proof-of-concept run and the output obtained at the end of the program. You have the option to export the results to Excel, with the ports found by each service. Because of the current confinement situation, we would like to take advantage of the functionalities of these services to add some additional options, such as an extra column with a summary of the identified ports, or to develop a database connector. We hope you liked it. See you in the next one.
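As an added example (not the Heisenberg script itself), this is the merge-and-compare step the post describes, run on constructed per-engine results: it builds one port column per service, the summary column the post lists as a future addition, flags ports reported by only one engine (worth re-checking before trusting them), and lists hosts exposing RDP. It writes CSV instead of .xlsx so that it only needs the standard library; the IPs and ports are made-up sample data.

```python
"""Merge open-port results from several IoT search engines for the same hosts."""
from collections import defaultdict
import csv
import io

SERVICES = ("shodan", "censys", "binaryedge", "onyphe")
RDP_PORT = 3389  # public RDP is the exposure the post warns about

# Constructed sample results: what each engine reported per IP (not real data).
SAMPLE_RESULTS = {
    "shodan":     {"203.0.113.10": {22, 3389}, "203.0.113.11": {443}},
    "censys":     {"203.0.113.10": {22, 80, 3389}, "203.0.113.12": {3389}},
    "binaryedge": {"203.0.113.10": {3389}, "203.0.113.11": {443, 8443}},
    "onyphe":     {"203.0.113.11": {443}},
}

def merge_results(results):
    """Return {ip: {service: sorted ports, ..., "summary": union of all}}."""
    merged = defaultdict(lambda: {s: [] for s in SERVICES})
    for service, per_ip in results.items():
        for ip, ports in per_ip.items():
            merged[ip][service] = sorted(ports)
    for row in merged.values():
        row["summary"] = sorted(set().union(*(row[s] for s in SERVICES)))
    return dict(merged)

def single_source_ports(row):
    """Ports that exactly one engine reported for this host."""
    seen_by = defaultdict(int)
    for s in SERVICES:
        for port in row[s]:
            seen_by[port] += 1
    return sorted(p for p, n in seen_by.items() if n == 1)

def public_rdp_hosts(merged):
    """Hosts where any engine saw the RDP port."""
    return sorted(ip for ip, row in merged.items() if RDP_PORT in row["summary"])

def to_csv(merged):
    """One row per IP: a column per service plus the summary column."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", *SERVICES, "summary"])
    for ip in sorted(merged):
        row = merged[ip]
        cols = [" ".join(map(str, row[k])) for k in (*SERVICES, "summary")]
        writer.writerow([ip, *cols])
    return buf.getvalue()

if __name__ == "__main__":
    table = merge_results(SAMPLE_RESULTS)
    print(to_csv(table))
    print("public RDP:", public_rdp_hosts(table))
```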
April 16, 2020