In August, Microsoft announced the release of a patch to address an attacker’s ability to establish a Netlogon secure channel to a domain controller via the Netlogon Remote Protocol (MS-NRPC) under CVE-2020-1472. Using a weak cryptographic algorithm in Netlogon’s authentication process, the attacker is able to achieve an elevation in privileges by impersonating any account desired and have control over all of Active Directory. Windows Server OSes from Server 2008 through 2019 are vulnerable to this attack and require an immediate update.
Dubbed Zerologon, this vulnerability is only partially patched today, with Microsoft admittedly only addressing how the secure RPC channel encryption is established, leaving the enforcement of the secured channel to be handled manually today and required in an update to be released in February of 2021.
Weaknesses in Microsoft’s cryptography are nothing new; the Curveball vulnerability from earlier this year took advantage of Windows crypt32.dll to create false certificates allowing for websites, applications, and systems to appear trusted. Curveball’s success put the attacker’s focus squarely on Microsoft’s cryptography, with Zerologon being indicative that additional vulnerability was found.
Microsoft isn’t alone in this; cryptography is strong but many implementations are weak. It’s hard to do cryptography right.
Mimikatz already has integrated support for Zerologon, making the exploitation of domain controllers and identifying easily compromised credentials an even easier task for attackers.
On Tuesday, November 3rd, Immersive Labs will join Ultimate Windows Security for a deep dive into this topic during the webinar, Anatomy of a Hack: Hands-on Red Teaming with the “Zerologon” Netlogon Elevation of Privilege Vulnerability with Mimikatz Integration.
Randy Franklin Smith of Ultimate Windows Security will discuss the details around the vulnerability, how it works, and what’s at risk. Not only that but our own Director of Cyber Threat Research, Kev Breen, will be totally hands-on and demonstrate how to use this attack in red teaming using the Immersive Labs platform.
In addition, Kev will discuss how to effectively perform blue team efforts, including:
- Detection of non-compliance devices
- Identification of denied connections (indicating a potential attempt)
- What details are available to respond to suspected attacks
This real training for free event will be jam packed with technical detail and real-world application. Register today!