killchain-compendium/Exploits/Windows/Zero Logon.md

2.9 KiB

Zero Logon

CVE-2020-1472

MS-NRPC (Microsoft NetLogon Remote Protocol)

  • ComputeNetlogonCredential
  • IV is 0 of AES-CFB8
  • Machine accounts got no limit on failed login attempts (64 bit alnum password)

Kill Chain

Zero Logon to bypass authentication on the Domain Controller's Machine Account -> Run Secretsdump.py to dump credentials -> Crack/Pass Domain Admin Hashes -> ??? -> Profit

MS-NRPC Logon

  • Netlogon handshake between Client (domain-joined computer) and Server (domain-controller).
  • RPC traffic
sequenceDiagram
    participant Client
    participant Server
Client ->> Server: Client challenge
Server ->> Client: Server challenge, Session Key = KDF(secret, challenges)
Client ->> Server: Client credential, Encrypt(K_sess, client challenge)
Server ->> Client: Client credential, Encrypt(K_sess, client challenge)
Client ->> Server: Signed + sealed with session key: Procedure call with authenticator
  • Zero Logon attack. Zeroing parameters and retrying handshakes with an empty password on the domain controller.
sequenceDiagram
    participant Client
    participant Server
Client ->> Server: NetrServerReqChallenge (challenge=0000...00)
Server ->> Client: Server Challenge
Client ->> Server: NetrServerAuthenticate3 (identity=DC; credential=0000...00; sign/seal=0)
Server ->> Client: OK
Client ->> Server: NetrServerPasswordSet2 (target=DC; authenticator=0000...00; timestamp=0; enc.password=0000...00)
  1. Client sends 16 Bytes of 0 as Nonce to domain-controller

  2. Server receives NetServerReqChallenge and generates challenge (Nonce). Sends it to the client.

  3. NetrServerAuthenticate3 method is generated as NetLogon credentials. Contains the following

    1. Custom Binding Handle
    2. Account Name
    3. Secure Channel Type, nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
    4. Computer Name, Domain Controller DC01
    5. Client Credential String, 16 Bytes of \x00
    6. Negotiation Flags, value observed from a Win10 client with Sign/Seal flags disabled: 0x212fffff Provided by Secura
  4. NetrServerAuthenticate is received by server. Responds success if positive to the client.

  5. If same values is calculated by the server, mutual agreement is confirmed by the client as well.

PoC