Zero Logon TryHackme Writeup

Shamsher khan
May 16, 2021 · 6 min read

By Shamsher khan. This is a writeup of the TryHackMe room “Zero Logon”.

Room link: https://tryhackme.com/room/zer0logon
Note: This room is available to Premium Members only (those who have purchased a THM premium membership).

Zero Logon — The Zero Day Angle

About The vulnerability -

On September 14, Secura released a whitepaper for CVE-2020-1472, a vulnerability that allows an attacker to go from zero to Domain Admin in approximately one minute. They dubbed this vulnerability Zero Logon.

Zero Logon is a purely statistics-based attack that abuses a feature within MS-NRPC (Microsoft NetLogon Remote Protocol). MS-NRPC is a critical authentication component of Active Directory that handles authentication for user and machine accounts. In short, the attack targets a poor implementation of cryptography. To be more specific, Microsoft chose to use AES-CFB8 for a function called ComputeNetlogonCredential, which is normally fine, except that they hard-coded the Initialization Vector to all zeros instead of a random value. When an attacker sends a message containing only zeros with an IV of zero, there is a 1-in-256 chance that the ciphertext will also be all zeros: in CFB8 each ciphertext byte is fed back into the shift register, so once the first output byte is zero the register stays all zeros and every following byte is zero too.

But how is that useful to us? We’ll touch on that note in the following sections.

About Machine Accounts -

Normally, if we tried a statistics-based attack on any user account, we would get locked out. This is not the case if we apply this principle to machine accounts. Machine accounts behave very differently from standard user accounts. They have no predefined account lockout threshold because a 64+ character alphanumeric password is normally used to secure them, making them very difficult to break into. They're not meant to be accessed by an end user by any means. In certain circumstances, we can dump the machine account password using a tool like Mimikatz, but if we're at that point, we've already compromised the machine, and we're looking for persistence within the domain, not lateral movement.

Abusing the Vulnerability -

Machine accounts often hold system-level privileges which we can use for a variety of things. If you're not familiar with Active Directory: we can take the Domain Controller's machine account and attempt to use the granted authentication in conjunction with secretsdump.py (SecretsDump is a password dumping utility like Mimikatz, except it works over the network instead of on the host) to dump all of the passwords within the domain. At this point we have a rough kill chain starting to form:

Use Zero Logon to bypass authentication on the Domain Controller’s Machine Account -> Run Secretsdump.py to dump credentials -> Crack/Pass Domain Admin Hashes -> ??? -> Profit

Analyzing the MS-NRPC Logon Process -

At this point, we know a vulnerability exists, but we're not quite sure how to exploit it yet. We'll be covering that soon, but what we do know is that there's a vulnerability in the way Microsoft handles authentication within the ComputeNetlogonCredential function of MS-NRPC. To better understand the vulnerability, we need to take a deeper dive into how Microsoft handles authentication to NRPC.

To analyze where the vulnerability occurs, we'll be using the diagram provided by Secura as well as Microsoft documentation to decipher the magic behind Zero Logon. The sources can be found at the bottom of this task.

[Figure 1: Secura's diagram of the MS-NRPC authentication handshake. Source: Secura]

Step 1. The client creates a NetrServerReqChallenge and sends it off [Figure 1. Step 1]. This contains the following values:

1. The DC

2. The target device (also the DC, in our case)

3. A nonce (in our case, 16 bytes of zero).

Step 2. The server receives the NetrServerReqChallenge, generates its own nonce (this is called the Server Challenge) and sends the Server Challenge back. [Figure 1. Step 2]

Step 3. The client (us) will compute its NetLogon credentials with the Server Challenge provided [Figure 1. Step 3]. It uses the NetrServerAuthenticate3 method, which requires the following parameters:

1. A custom binding handle (Impacket handles this for us; it's negotiated beforehand)

2. An account name (the Domain Controller's machine account name, e.g. DC01$)

3. A secure channel type (Impacket partly handles this for us, but we still need to specify it: [nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel])

4. The computer name (the Domain Controller, e.g. DC01)

5. The client credential string (this will be 8 hextets of \x00 [16 bytes of zero])

6. Negotiation flags (the following value was observed from a Win10 client with Sign/Seal flags disabled: 0x212fffff, provided by Secura)

Step 4. The server receives the NetrServerAuthenticate request and computes the same value itself using its known-good values. If the results match, the server sends the required info back to the client. [Figure 1. Step 4]

At this point the attempt to exploit the Zero Logon vulnerability is under way. The steps above are looped a number of times in order to exploit the vulnerability. The actual exploit occurs at Steps 3 and 4; this is where we're hoping for the server to arrive at the same computation as the client, and this is where our 1-in-256 chance comes in.

Step 5. If the server calculates the same value, the client re-verifies it, and once mutual agreement is confirmed, they agree on a session key. The session key is used to encrypt communications between the client and the server, which means authentication is successful. [Figure 1. Step 5]

From there, normal RPC communications can occur.

Sources -

1. Tom Tervoort of Secura: https://www.secura.com/pathtoimg.php?id=2055

2. Microsoft: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/7b9e31d1-670e-4fc5-ad54-9ffff50755f9

3. Microsoft: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3a9ed16f-8014-45ae-80af-c0ecb06e2db9

Impacket Installation

python3 -m pip install virtualenv
python3 -m virtualenv impacketEnv
source impacketEnv/bin/activate
pip install git+https://github.com/SecureAuthCorp/impacket

NetrServerAuthenticate3 and NetrServerPasswordSet2

https://raw.githubusercontent.com/Sq00ky/Zero-Logon-Exploit/master/zeroLogon-NullPass.py

Question 1. What method will allow us to change Passwords over NRPC?

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/14b020a8-0bcf-4af5-ab72-cc92bc6b1d81

Answer: NetrServerPasswordSet2

Question 2. What are the required fields for the method per the Microsoft Documentation?

Answer: PrimaryName,AccountName,SecureChannelType,ComputerName,Authenticator,ReturnAuthenticator,ClearNewPassword

Task 4. Lab It Up

nmap -sV -sC 10.10.44.120

Question 1. What is the NetBIOS name of the Domain Controller?

Answer: DC01

Question 2. What is the NetBIOS domain name of the network?

Answer: hololive

Question 3. What domain are you attacking?

Answer: hololive.local

Question 4. What is the Local Administrator’s NTLM hash?

Question 5. How many Domain Admin accounts are there?

Answer: 2

Question 6. What is the root flag?

You can find me on:
LinkedIn: https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter: https://twitter.com/shamsherkhannn
TryHackMe: https://tryhackme.com/p/Shamsher

