Zerologon: Instant Elevation to Domain Admin

Zerologon, also known as CVE-2020-1472, has taken the security world by storm the last several weeks. Initially discovered by researchers at Secura and detailed in a whitepaper released in mid-September, Zerologon, holding a 10/10 CVSS score, is the rare vulnerability that allows any attacker with internal connectivity to a domain controller to elevate to domain administrator access. No previous account compromise or credentials are required, just network access to the target DC.

Microsoft patched the Zerologon vulnerability in a Windows Server security update on August 11,  but organizations often take time to apply these updates, leaving themselves vulnerable to attack until they do so. To limit that exploitable window, the Department of Homeland Security’s cybersecurity division issued a rare emergency directive on September 18 requiring federal agencies to patch all domain controllers before September 21 or remove unpatched systems from the network.

So how does Zerologon work? The vulnerability lies in how Microsoft utilizes an initialization vector for a cryptography protocol (AES-CFB8) deployed by the Netlogon protocol run by domain controllers. Among functionality utilizing Netlogon is the procedure to change computer passwords. By sending Netlogon messages to a domain controller containing specially placed zeros, an attacker can connect to the domain controller, impersonate the domain controller itself, and set the domain controller’s machine account password to a null (zeroed) value. The attacker can then pillage secrets, including the password hashes for all Active Directory accounts, from the compromised domain controller by connecting to the DC with a null password.

Exploit Demonstration

Several proof-of-concept exploits for Zerologon have been released in the public domain since Secura’s whitepaper release. These exploits can be used by security researchers, penetration testers and attackers alike. Schneider Downs has tested one of them in our lab. The walkthrough below should demonstrate just how easy it is to take advantage of Zerologon. The code we used to test system vulnerability was released by Secura (available here) and the exploit code came from Dirk-jan Mollenma (available here).

Here’s how the process worked. Once connected to the target network, we checked the unpatched domain controller for vulnerability to Zerologon. This was done by passing two parameters to Secura’s Python script, the NetBIOS name of the target (RANDY) and its IP address.

Success! The script indicated that our target was vulnerable and that exploitation should be possible. The next step was to exploit the vulnerability using Dirk-jan’s exploit code, which set the target domain controller’s machine account password to a null value. We then passed the same two parameters to the exploit code.

Exploitation was a success, but we hadn’t obtained much yet. The real abuse came from using the null password to connect to the domain controller as itself and pillaging secrets stored on it, including password hashes for privileged domain accounts. For this, we used secretsdump.py from the open-source tool suite Impacket, then connected back to the compromised domain controller as itself using secretsdump, specifying that no password is needed with the -no-pass parameter.

Now we had serious compromise on our hands: the NTLM password hash for every domain account (blurred above). At this point, we’d elevated to domain administrator access, but it’s also important to note that we’d also severely broken the domain controller’s functionality by changing its machine account password. For this reason, it’s very risky to exploit Zerologon in a production environment without a foolproof restoration plan.

Hopefully that demonstration shows how easily public Zerologon exploits can be utilized. If you have any questions or are looking for guidance surrounding Zerologon, in applying the Microsoft patch to domain controllers or just general cybersecurity guidance, feel free to contact us at [email protected].

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected]. 

In addition, our Incident Response Team is available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident.