In August, Microsoft announced a patch for CVE-2020-1472, a flaw in the Netlogon Remote Protocol (MS-NRPC) that lets an unauthenticated attacker establish a Netlogon secure channel to a domain controller. Netlogon's authentication step misuses a cryptographic primitive (AES-CFB8 with a fixed, all-zero initialization vector), so an attacker can pass authentication without knowing any password, impersonate any computer account, including the domain controller's own, and from there take control of the entire Active Directory domain. Windows Server 2008 through Server 2019 are affected and should be updated immediately.
Dubbed Zerologon, the vulnerability is only partially closed by that update. Microsoft's own guidance describes a two-phase rollout: the August update fixes how the secure RPC channel is established and enforces it for Windows machine accounts, but enforcement for other, non-compliant devices must be switched on manually for now (the FullSecureChannelProtection registry setting under the Netlogon service parameters) and becomes mandatory only with the enforcement-phase update scheduled for February 2021.
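The cryptographic step that Zerologon abuses, worked through as an added example that is not part of the original announcement: Netlogon computes its credentials with AES-CFB8 under a fixed all-zero IV, and for one session key in 256 an all-zero challenge encrypts to an all-zero credential, which is why an attacker can simply keep retrying with zeros until the domain controller accepts. The function names, the seeded PRNG standing in for the server-side session key, and the SHA-256 block function used when the `cryptography` package is not installed are assumptions of this example, not Netlogon code.

```python
"""Why Zerologon works: AES-CFB8 with an all-zero IV (added example).

Netlogon's ComputeNetlogonCredential encrypts an 8-byte challenge with
AES-CFB8 under the session key, always using an IV of sixteen zero bytes.
With an all-zero client challenge, the resulting credential is all zeros
whenever the first byte of AES_K(0^16) is zero, i.e. for 1 key in 256.
"""
import hashlib
import random

BLOCK = 16                   # AES block size in bytes
ZERO_IV = bytes(BLOCK)       # the fixed IV MS-NRPC uses for AES-CFB8
ZERO_CHALLENGE = bytes(8)    # attacker-chosen client challenge

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:          # assumption: may run offline without `cryptography`
    HAVE_AES = False


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block under key. Real AES when available, otherwise
    a SHA-256 stand-in block function (assumption for offline runs). CFB8 only
    uses the forward direction of the cipher, and the zero-IV property below
    holds for any block function, so the demonstration is unchanged."""
    if HAVE_AES:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E_K(register),
    then the 16-byte register shifts left by one and takes in the ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential (AES flavour): CFB8 with the IV fixed to zero.
    The fixed IV is the flaw; a fresh random IV per call would remove it."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The only condition Zerologon needs: AES_K(0^16) starts with a 0x00 byte.
    With IV = 0 and challenge = 0 the register stays all-zero after each step,
    so every keystream byte equals that first byte and the credential is 0^8."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def zero_credential_accepted(session_key: bytes) -> bool:
    """Would a server holding this session key accept an all-zero client
    credential for an all-zero client challenge?"""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8)


def simulate_attack(seed: int = 1, max_attempts: int = 5000):
    """Retry NetrServerReqChallenge/NetrServerAuthenticate3 with a zero challenge
    and a zero credential. The attacker does not know the machine password and
    the server challenge changes every time, so from the attacker's side the
    session key is a fresh random value (modelled here with a seeded PRNG):
    each attempt succeeds with probability 1/256, about 256 tries on average.
    Returns (attempts_needed, winning_session_key), or (None, None)."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        session_key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        if zero_credential_accepted(session_key):
            return attempt, session_key
    return None, None


def cfb8_matches_reference(key: bytes, iv: bytes, plaintext: bytes) -> bool:
    """Cross-check the hand-written CFB8 against the library's own CFB8 mode
    (only possible when `cryptography` is installed; otherwise vacuously True)."""
    if not HAVE_AES:
        return True
    enc = Cipher(algorithms.AES(key), modes.CFB8(iv)).encryptor()
    return enc.update(plaintext) + enc.finalize() == cfb8_encrypt(key, iv, plaintext)


if __name__ == "__main__":
    attempts, key = simulate_attack()
    print("block cipher:", "AES" if HAVE_AES else "SHA-256 stand-in")
    print(f"all-zero credential accepted on attempt {attempts}")
    print("credential under that key:",
          compute_netlogon_credential(key, ZERO_CHALLENGE).hex())
```

Running it reports after how many attempts the all-zero credential was accepted; on average that is about 256 tries, which is why the attack is practical over the network. The simulation stops at the authentication bypass. The real exploit additionally omits the sign-and-seal negotiation flag so the forged session carries no encryption, and then calls NetrServerPasswordSet2 to reset the domain controller's machine account password, which is the step that hands over the domain.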
Weaknesses in Microsoft's cryptography are nothing new. The Curveball vulnerability (CVE-2020-0601) from earlier this year abused certificate validation in Windows' crypt32.dll to forge certificates, so that malicious websites, applications and code appeared trusted. Curveball's success put attackers' attention squarely on Microsoft's cryptographic code, and Zerologon shows that attention has paid off.
Microsoft isn't alone in this: the underlying cryptography is strong, but many implementations are weak. It's hard to do cryptography right.
Mimikatz already includes Zerologon support (the lsadump::zerologon module), making it even easier for attackers to compromise domain controllers and harvest credentials.
In this Anatomy of a Hack session, I’ll discuss the details around the vulnerability, how it works, and what’s at risk.
We’re going totally hands-on and live with this one! The extremely smart Kevin Breen, Director of Cyber Threat Research at Immersive Labs, will demonstrate how to use this attack in red teaming, using their hands-on training platform.
He’ll also discuss how to effectively perform blue team efforts, including:
- Detection of non-compliant devices still using vulnerable Netlogon connections (a patched domain controller logs these as Netlogon event ID 5829)
- Identification of denied connections (event IDs 5827 and 5828), indicating a potential attack attempt
- What details are available to respond to suspected attacks
This Real Training for Free event will be jam-packed with technical detail and real-world application. Register today!