Zerologon Exploit — CVE-2020-1472

jb00gie
3 min read · Oct 7, 2020


If you are one of the few who are not staying up to date with current vulnerabilities, then you may not have heard of the Zerologon vulnerability. It is a very interesting one, because an attacker can become Domain Admin on a network almost instantly, with literally a few keystrokes. The only requirement is that the attacker already has a foothold on the internal network.

A blog post from Secura, a security firm that offers multiple security services, explains that the vulnerability exists due to a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which can be used to update computer passwords. This flaw allows the attacker to impersonate the Domain Controller itself and set its password to a known value, blank in this case, so that the attacker can then log in to the Domain Controller and become Domain Admin on the network.

Proof of Concept

The following are the prerequisites for performing the exploit against a vulnerable Domain Controller.

Impacket

Zerologon Exploit Repo

Vulnerable Domain Controller VM (I’m running a 2019 unpatched Server)

Download Zerologon exploit repo

If you already have Impacket installed on your VM, then you will more than likely need to follow these steps to install a more up-to-date version in order to run this exploit.

We see that the script reports the target as vulnerable, but we need an updated version of Impacket
Purging current version of Impacket
Downloading newer version of Impacket
Installing Impacket
Running exploit and setting an empty password on Domain Controller
Running secretsdump.py from Impacket to dump out hashes from Domain Controller
Passing Administrator hash to Domain Controller

As you can see, in a matter of minutes we were able to become Domain Admin on the domain controller with very little effort.

Mitigation

Microsoft has released a patch and advised users to update their Domain Controllers with any update released after August 11, 2020. This patch blocks Domain Controllers from using unsecure RPC communications. I’ve also seen some blog posts mention that Microsoft plans to release another patch that will completely mitigate this vulnerability in Quarter 1 of 2021.
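On the defender side, the August 2020 update also makes a Domain Controller log NETLOGON events 5827 to 5831 (vulnerable secure-channel connections denied, or allowed during the deployment phase or by Group Policy exception), and a password reset of a machine account performed anonymously shows up as Security event 4742. The triage script below is an added example, not code from this post, from Secura or from the Zerologon repo; it runs over constructed sample records, and the record field names and the 4742/ANONYMOUS LOGON pattern are assumptions about how the logs were exported.

```python
# Added example: triage DC event records for CVE-2020-1472 patch behaviour
# and exploitation footprint. Event IDs 5827-5831 are the NETLOGON events
# introduced by the August 2020 update. The 4742 check (machine account
# password changed with ANONYMOUS LOGON as subject) is an assumed hunting
# pattern, and the record fields are assumed to come from a JSON export.
from typing import Dict, List, Optional, Tuple

NETLOGON_EVENTS: Dict[int, Tuple[str, str]] = {
    5827: ("medium", "vulnerable secure channel DENIED for machine account (enforcement working)"),
    5828: ("medium", "vulnerable secure channel DENIED for trust account (enforcement working)"),
    5829: ("high", "vulnerable connection ALLOWED in deployment phase; client still insecure"),
    5830: ("high", "vulnerable machine account ALLOWED by Group Policy exception; review it"),
    5831: ("high", "vulnerable trust account ALLOWED by Group Policy exception; review it"),
}

# Constructed sample records (not real logs).
SAMPLE_EVENTS: List[Dict] = [
    {"log": "System", "provider": "NETLOGON", "event_id": 5829, "account": "WS01$"},
    {"log": "System", "provider": "NETLOGON", "event_id": 5827, "account": "OLDPRINT$"},
    {"log": "Security", "event_id": 4742, "subject_sid": "S-1-5-7",        # ANONYMOUS LOGON
     "subject_user": "ANONYMOUS LOGON", "target_user": "DC01$", "password_last_set_changed": True},
    {"log": "Security", "event_id": 4742, "subject_sid": "S-1-5-21-EXAMPLE-1000",  # normal rotation
     "subject_user": "DC01$", "target_user": "DC01$", "password_last_set_changed": True},
    {"log": "Security", "event_id": 4624, "subject_user": "alice", "target_user": "alice"},
]

def classify(ev: Dict) -> Optional[Dict]:
    """Return a finding for one record, or None when it is not Zerologon-relevant."""
    eid = ev.get("event_id")
    if ev.get("provider") == "NETLOGON" and eid in NETLOGON_EVENTS:
        severity, note = NETLOGON_EVENTS[eid]
        return {"severity": severity, "event_id": eid, "account": ev.get("account"), "note": note}
    if eid == 4742:
        target = ev.get("target_user", "")
        anonymous = ev.get("subject_sid") == "S-1-5-7"  # well-known SID of ANONYMOUS LOGON
        if anonymous and target.endswith("$") and ev.get("password_last_set_changed"):
            return {"severity": "critical", "event_id": eid, "account": target,
                    "note": "machine account password reset by ANONYMOUS LOGON; possible Zerologon"}
    return None  # a DC rotating its own password, or unrelated events, are not flagged

def triage(events: List[Dict]) -> List[Dict]:
    """Classify every record and return findings, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = [f for f in (classify(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: rank[f["severity"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] event {f['event_id']} {f['account']}: {f['note']}")
```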

Sources

https://www.secura.com/blog/zero-logon
