Exploitation - Domain Controllers CVE
RCE on exposed Windows services
The services exposed by the Domain Controllers may be vulnerable to well known critical vulnerabilities that can be leveraged to remotely execute code on a vulnerable Domain Controller.
The following vulnerabilities are worth mentioning:
EternalBlue
/ MS17-010
SMB
: TCP Port 445
March 14, 2017
[L7] 445 SMB
BlueKeep
/ CVE-2019-0708
Terminal Services
: TCP port 3389
May 13, 2019
Vulnerable operating systems:
<= Windows 2008 / 2008 R2
<= Windows 7
[L7] 3389 RDP
(Likely patched) MS14-068
MS14-068
is a vulnerability that lies in the Microsoft implementation of the Kerberos
protocol. A problem in the verification of the Privilege Attribute Certificate (PAC)
in a Kerberos
service ticket
request allows any domain user may to forge a PAC
with arbitrary privileges.
The Metasploit
's ms14_068_kerberos_checksum
module can be used to request a kerberos
Ticket-Granting Ticket (TGT)
with a forged PAC
. The TGT
is exported by the module is the credential cache (ccache)
format. Refer to the [ActiveDirectory] Kerberos tickets usage
for more information on how to use the Kerberos
ticket from Windows and Linux operating systems.
ZeroLogon - CVE-2020-1472
ZeroLogon
is a critical security flaw (CVSS
score: 10.0) in the Active Directory Netlogon Remote Protocol
MSRPC
protocol (MS-NRPC
).
As stated in the original research publication: "The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol
, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf."
Knowledge of the targeted Domain Controller (DC
) machine account password can notably be leveraged to conduct DCSync
attacks.
However, resetting the DC
machine account password through this attack will break communications with others Domain Controllers
and make the DC
misbehave in undefined ways. As the password is only updated in the Active Directory ntds.dit
database, the previous DC
machine account password can be retrieved in the HKLM\Security
hive (HKLM\SECURITY\Policy\Secrets\ $machine.ACC
) of the DC
and restored.
Exploitation in Python - Impacket update
For exploit code using impacket
, the library must be updated to, at least, the version published on September 15th 2020
(update to the dcerpc.v5.nrpc
library). In order to do so, a Python virtualenv
can be created or the system-wide impacket
installation updated:
Alternatively, static standalone binaries (embedding impacket
) for Windows and Linux (both x64) are available in the following GitHub repository: https://github.com/Qazeer/dirkjanm_CVE-2020-1472_static_binaries
.
0. Detection
Multiple tools may be used to detect if the Domain Controllers are vulnerable to the ZeroLogon
vulnerability.
PingCastle
's zerologon
scanner presents the advantage of automatically enumerating the Domain Controllers through AD requests and conduct scan for all the enumerated Domain Controllers. It however can only be executed from a machine integrated in the targeted Active Directory domain.
1. DC machine account password reset
Multiple tools may be used to exploit the ZeroLogon
vulnerability to set an empty password for the targeted DC
machine account.
2. Empty password DCSync
Impacket
's secretsdump
or mimikatz
may be used to conduct replication operations (DCSync
) using the DC
machine account with an empty password.
3. DC machine account password restoration
Remote access to the HKLM\SECURITY
registry hive requires Domain Admin
privileges. Access conducted using the DC machine account thus result in access denied error (rpc_s_access_denied
). The extraction of the DC
plaintext machine password from the HKLM\SECURITY
registry hive must be done using of the Domain Admin
accounts compromised during the previous DCSync
attack.
Impacket
's secretsdump.py
Python script can be used to remotely extract the DC
machine account secrets from the HKLM\SECURITY
registry hive. A version post the 15th 2020 update should be used as it will automatically dump the plaintext machine password hex encoded required for the restoration (using dirkjanm's restorepassword.py
Python script and the Metasploit
's cve_2020_1472_zerologon
module).
Alternatively, remote code execution using Domain Admin
or Operators
credentials can be leveraged to retrieve the HKLM\SAM
, HKLM\SECURITY
, and HKLM\SYSTEM
registry hives from the DC
and Impacket
's secretsdump.py
Python script used to locally extract the DC machine password from the hives. Refer to the [Windows] Lateral movements
and [Windows] Post exploitation
notes for more information.
CVE-2021-42278 and CVE-2021-42287
The combination of the CVE-2021-42278
and CVE-2021-42287
vulnerabilities allow any domain authenticated user to impersonate another (potentially privileged) domain user. The security updates to address both vulnerabilities were released in mid-November 2021.
The CVE-2021-42278
vulnerability is based on the fact that computer account sAMAccountName
restriction are not properly enforced, and a computer account with a non "$" ending name can be created in the domain. The CVE-2021-42287
vulnerability is an improper validation by the Kerberos Key Distribution Center (KDC)
of the user requesting a Service Ticket (ST)
(using a Ticket-Granting Ticket (TGT)
). The KDC
will indeed automatically perform a lookup for the account appended with a "$" if the account the TGT
was emitted to is not found. By combining both vulnerabilities, it is possible to ultimately obtain a S4U2self
ticket impersonating an arbitrary user for a Domain Controller service.
The exploitation steps are as follow:
Creation of a machine account (optional if a computer account is already compromised. The exploit will require modification of the machine account's
sAMAccountName
andservicePrincipalName
attributes).Clearing of the
servicePrincipalNames (SPNs)
of the created / controlled machine account. Clearing theSPN
attribute is required, as the renaming operation below would otherwise fail. Change to thesAMAccountName
attribute are indeed propagated to theSPN
attribute, and a conflict with the Domain Controller already existingSPNs
would arise (asSPNs
must be unique in the domain).Renaming the created / controlled machine account's
sAMAccountName
to a Domain Controller machine account, except for the trailing "$" (CVE-2021-42278
). ExamplesAMAccountName
:DC01
.Requesting a
TGT
for the created / controlled machine account.Restoring of the created / controlled machine account
sAMAccountName
.Requesting a
S4U2self
ticket using the retrievedTGT
to get aService Ticket (ST)
impersonating an arbitrary user to the Domain Controller. Upon reception of theTGT
, theKDC
will perform a lookup for the account using thesAMAccountName
defined in theTGT
(DC01
in the example). As an account with suchsAMAccountName
no longer exist in the domain, theKDC
will automatically lookup for the account appended with a "$" (DC01$
in the example), and encrypt theST
with a secret of that account. As theKDC
incorrectly assume that theTGT
was for the Domain Controller machine account (CVE-2021-42287
), theS4U2self
ticket request is fulfilled. TheS4U2self
ticket allows impersonation of an ("impersonatable") user to the Domain Controller services (LDAP
,CIFS
, etc.). For more information on theS4U2self
mechanism, refer to the[ActiveDirectory] Kerberos delegations
note.The
ST
obtained can be used to access the Domain Controller, for instance to remotely execute code (CIFS
SPN
) or replication operations (LDAP
SPN
).
The attack can be performed automatically using the noPac Python script (standalone compiled versions):
The attack can also be performed manually using the Powermad and the RSAT
's ActiveDirectory
PowerShell modules and Rubeus
:
References
https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
Last updated