How to Safely Test the Zerologon Vulnerability on Windows?


On the 11th of August 2020, Microsoft released a security update [1], CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability, for a critical vulnerability within the Netlogon Remote Protocol (MS-NRPC) [2] in Windows Server operating systems, namely Windows Server 2008 R2, 2012, 2012 R2, 2016, and 2019. Since the exploit payload includes a string of zeros, the vulnerability is also known as “Zerologon”.

An attacker who successfully exploits the vulnerability could elevate their privileges to domain administrator and compromise the domain controller. Accordingly, this vulnerability has a “10.0 CRITICAL” CVSS 3.0 base score [3]. Note that only 3% of vulnerabilities last year had this score. Many vendors and organizations released announcements and directives about the vulnerability, including the US Cybersecurity and Infrastructure Security Agency (CISA) [4] and CERT-EU [5].

How to test CVE-2020-1472 on Windows?

On the 11th of September 2020, Secura released a testing tool [6] for the vulnerability. This tool is a Python script that only attempts the Netlogon authentication step. It does not perform any further Netlogon operation, such as changing the Domain Administrator password, so it is safe to use for testing whether a DC is vulnerable. The testing script relies on the Impacket library, but enterprise environments may not allow installing Python or Impacket because of security concerns.

Accordingly, we built a packed version of the testing script with auto-py-to-exe, which bundles the script together with all of its Python dependencies into a single directory, so the tester can be run without installing Python.

We also wrote a PowerShell script that automatically extracts and executes the zerologon_tester.exe file against the primary Domain Controller. This script uses:

  • the .NET Domain.GetCurrentDomain method (called from PowerShell) to get the domain object for the current user;
  • the Domain.PdcRoleOwner.Name property to get the name of the primary domain controller (PDC) for this domain;
  • the Domain.PdcRoleOwner.IPAddress property to get the IP address of the PDC for this domain.

Thanks to these calls, the DC name and IP address do not have to be passed to the script by hand.

Add-Type -AssemblyName System.IO.Compression.FileSystem
# Extract a zip archive into the given directory using .NET (no Expand-Archive dependency)
function Unzip
{
  param([string]$zipfile, [string]$outpath)
  [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}
$cur=(Get-Location).Path
Unzip $cur\zerologon_tester.zip $cur
# Primary domain controller of the current user's domain: NetBIOS name (first DNS label) and IP address
$dcname=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name.split('.')[0]
$dcip=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.IPAddress
echo "[*] DC: $dcip ($dcname)"
# Run the packed Secura tester from its extracted directory against the PDC
cd $cur\zerologon_tester\
.\zerologon_tester.exe $dcname $dcip
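As an added example (not the Picus script above), the same PDC discovery generalized to run the extracted zerologon_tester.exe against every domain controller in the domain rather than only the PDC, and to summarize which ones still report as vulnerable. It assumes zerologon_tester.zip has already been extracted next to the script; the "Attack failed" output string and the non-zero exit convention are assumptions, not taken from the original page.

```powershell
# Added example, not the Picus script: test every DC in the current domain.
# Assumes zerologon_tester.zip has already been extracted into .\zerologon_tester.
param(
  [string]$TesterDir = (Join-Path (Get-Location).Path 'zerologon_tester')
)

$tester = Join-Path $TesterDir 'zerologon_tester.exe'
if (-not (Test-Path $tester)) {
  throw "Tester not found at $tester; extract zerologon_tester.zip first."
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
Write-Host "[*] Domain: $($domain.Name)  PDC: $pdc"

# Write-Host is used for progress so that only the result objects land in $results.
$results = foreach ($dc in $domain.DomainControllers) {
  # The tester expects the NetBIOS name (first DNS label) and the IP address.
  $name = $dc.Name.Split('.')[0]
  $ip   = $dc.IPAddress
  Write-Host "[*] Testing $name ($ip)"
  try {
    $out = & $tester $name $ip 2>&1 | Out-String
    # "Success!" is the vulnerable marker shown in the output above;
    # "Attack failed" is assumed to be the patched-DC message of the Secura tester.
    $status = if ($out -match 'Success!') { 'VULNERABLE' }
              elseif ($out -match 'Attack failed') { 'patched' }
              else { 'unknown' }
  } catch {
    $out    = $_.Exception.Message
    $status = 'error'
  }
  [pscustomobject]@{
    DC = $name; IP = $ip; IsPDC = ($dc.Name -eq $pdc); Status = $status
  }
}

$results | Format-Table -AutoSize
# Assumed convention: exit non-zero if any DC is vulnerable, so a scheduled job can alert on it.
if ($results.Status -contains 'VULNERABLE') { exit 1 }
```

Run it from the directory that contains the extracted zerologon_tester folder; a DC marked "unknown" or "error" should be re-tested manually rather than treated as patched.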

Test Instructions

  • Copy both the zerologon_tester.zip and zerologon_tester.ps1 files from Picus Labs’ GitHub page [7] to a computer in the domain controlled by the target Domain Controller.
  • Run the zerologon_tester.ps1 script from the PowerShell console:

PS C:\temp>.\zerologon_tester.ps1
[*] DC: 192.168.70.4 (DC1)
Performing authentication attempts...
============================================================================================
Success! DC can be fully compromised by a Zerologon attack.

Or run the script on the command shell:

C:\temp>powershell .\zerologon_tester.ps1
[*] DC: 192.168.70.4 (DC1)
Performing authentication attempts...
=========================================================================
Success! DC can be fully compromised by a Zerologon attack.

As a note, some antivirus engines may flag all executables generated by PyInstaller as a Trojan (a 10/59 detection rate, by lesser-known antivirus products, as of today).

Conclusion

If you want to test your network for this vulnerability on a Windows system without installing Python and its dependencies, you can use the above tool, which is based on Secura’s Python script.

Picus users have already tested the effectiveness of their security controls against the CVE-2020-1472 “Zerologon” Vulnerability with the following threat in the Picus Threat Library:

474540 Exploitation of Zerologon Vulnerability using Netlogon RPC

References

[1] Microsoft, “CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability.” [Online]. Available: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472. [Accessed: 21-Sep-2020]

[2] openspecs-office, “[MS-NRPC]: Netlogon Remote Protocol.” [Online]. Available: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f. [Accessed: 21-Sep-2020]

[3] “NVD - CVE-2020-1472.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2020-1472. [Accessed: 21-Sep-2020]

[4] “Emergency Directive 20-04.” [Online]. Available: https://cyber.dhs.gov/ed/20-04/. [Accessed: 21-Sep-2020]

[5] CERT-EU, “Security Advisory CERT-EU-SA2020-046.” [Online]. Available: https://media.cert.europa.eu/static/SecurityAdvisories/2020/CERT-EU-SA2020-046.pdf. [Accessed: 21-Sep-2020]

[6] SecuraBV, “SecuraBV/CVE-2020-1472.” [Online]. Available: https://github.com/SecuraBV/CVE-2020-1472. [Accessed: 21-Sep-2020]

[7] picussecurity, “picussecurity/picuslabs.” [Online]. Available: https://github.com/picussecurity/picuslabs. [Accessed: 21-Sep-2020]