killchain-compendium/Exploits/Windows/Zero Logon.md

58 lines
2.9 KiB
Markdown
Raw Normal View History

2022-11-13 22:38:01 +01:00
# Zero Logon
[CVE-2020-1472](http://cve.circl.lu/cve/CVE-2020-1472)
## MS-NRPC (Microsoft NetLogon Remote Protocol)
* ComputeNetlogonCredential
* IV is `0` of AES-CFB8
* Machine accounts got no limit on failed login attempts (64 bit alnum password)
## Kill Chain
Zero Logon to bypass authentication on the Domain Controller's Machine Account -> Run `Secretsdump.py` to dump credentials -> Crack/Pass Domain Admin Hashes -> ??? -> Profit
## MS-NRPC Logon
* Netlogon handshake between Client (domain-joined computer) and Server (domain-controller).
* RPC traffic
```mermaid
sequenceDiagram
participant Client
participant Server
Client ->> Server: Client challenge
Server ->> Client: Server challenge, Session Key = KDF(secret, challenges)
Client ->> Server: Client credential, Encrypt(K_sess, client challenge)
Server ->> Client: Client credential, Encrypt(K_sess, client challenge)
Client ->> Server: Signed + sealed with session key: Procedure call with authenticator
```
* Zero Logon attack. Zeroing parameters and retrying handshakes with an empty password on the domain controller.
```mermaid
sequenceDiagram
participant Client
participant Server
Client ->> Server: NetrServerReqChallenge (challenge=0000...00)
Server ->> Client: Server Challenge
Client ->> Server: NetrServerAuthenticate3 (identity=DC; credential=0000...00; sign/seal=0)
Server ->> Client: OK
Client ->> Server: NetrServerPasswordSet2 (target=DC; authenticator=0000...00; timestamp=0; enc.password=0000...00)
```
1. Client sends 16 Bytes of `0` as Nonce to domain-controller
2. Server receives NetServerReqChallenge and generates challenge (Nonce). Sends it to the client.
3. __NetrServerAuthenticate3__ method is generated as NetLogon credentials. Contains the following
1. __Custom Binding Handle__
2. __Account Name__
3. __Secure Channel Type__, nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
4. __Computer Name__, Domain Controller DC01
5. __Client Credential String__, 16 Bytes of `\x00`
6. __Negotiation Flags__, value observed from a Win10 client with Sign/Seal flags disabled: 0x212fffff Provided by Secura
4. NetrServerAuthenticate is received by server. Responds success if positive to the client.
5. If same values is calculated by the server, mutual agreement is confirmed by the client as well.
## PoC
* [Secura's PoC](https://github.com/SecuraBV/CVE-2020-1472)
* [NetrServerPasswordSet2](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/14b020a8-0bcf-4af5-ab72-cc92bc6b1d81)
* [NetServerAuthenticate3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3a9ed16f-8014-45ae-80af-c0ecb06e2db9)
* [Authenticator](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/76c93227-942a-4687-ab9d-9d972ffabdab)
* [NETLOGON_CREDENTIALS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/d55e2632-7163-4f6c-b662-4b870e8cc1cd)