Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/canciucostin/cve-2020-1472

CVE-2020-1472 - Zero Logon vulnerability Python implementation
https://github.com/canciucostin/cve-2020-1472

Last synced: 22 days ago
JSON representation

CVE-2020-1472 - Zero Logon vulnerability Python implementation

Host: GitHub
URL: https://github.com/canciucostin/cve-2020-1472
Owner: CanciuCostin
Created: 2020-09-16T07:25:22.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-09-16T08:39:06.000Z (over 4 years ago)
Last Synced: 2024-12-07T09:24:00.475Z (27 days ago)
Language: Python
Size: 8.79 KB
Stars: 2
Watchers: 2
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

![Python][python-shield]

# CVE-2020-1472

CVE-2020-1472 - Zero Logon vulnerability Python implementation

## Description

* A Python script which uses the Impacket library to test for CVE-2020-1472 - Zerologon vulnerability (credits to Secura research).
* The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.
* Specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each “byte” of plaintext have a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed 16 bits – not randomized – meaning an attacker could control the deciphered text.
* "Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the [Domain Controller] itself) and set an empty password for that account in the domain,” according to Secura researchers.

![Description](https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/15102209/microsoft-window-attack.png)

* The script attempts to perform Netlogon authentication bypass. The script will terminate when succesfully
performing the bypass.
* When a domain controller is patched, the script will stop after sending 2000 pairs of RPC calls (target is not vulnerable with a false negative chance of 0.04%).
* Note that by default this changes the password of the domain controller account. This allows to DCSync, but it also breaks communication with other DCs.
* More info and original research [here](https://www.secura.com/blog/zero-logon)

## Prerequisites

```
pip install impacket
```
or Download the impacket release [here](https://github.com/SecureAuthCorp/impacket/releases). Unpack it, and in the directory where you placed it, run:
```
pip install .
```

## Usage

Given a domain controller named `DC-NAME` with IP address `X.X.X.X`, run the script as follows:

python cve-2020-1472.py DC-NAME X.X.X.X

The DC name is the NetBIOS computer name. If this name is not correct, the script will fail with a
`STATUS_INVALID_COMPUTER_NAME` error.

[python-shield]: https://img.shields.io/badge/python-3.6-green