From 81c6de75b7ffd5ab7e33713c6f61698b0693b418 Mon Sep 17 00:00:00 2001
From: Shreya
Date: Sun, 31 Jan 2021 20:19:01 +0530
Subject: [PATCH] Add Zerologon to documentation

---
 .../content/reference/exploiters/Zerologon.md | 26 +++++++++++++++++++
 monkey/infection_monkey/exploit/zerologon.py | 4 ---
 .../definitions/exploiter_classes.py | 2 +-
 3 files changed, 27 insertions(+), 5 deletions(-)
 create mode 100644 docs/content/reference/exploiters/Zerologon.md

diff --git a/docs/content/reference/exploiters/Zerologon.md b/docs/content/reference/exploiters/Zerologon.md
new file mode 100644
index 000000000..4a893142b
--- /dev/null
+++ b/docs/content/reference/exploiters/Zerologon.md
@@ -0,0 +1,26 @@
+---
+title: "Zerologon"
+date: 2021-01-31T19:46:12+05:30
+draft: false
+tags: ["exploit", "windows"]
+---
+
+The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
+
+This exploiter is unsafe.
+* It will temporarily change the target domain controller's password.
+* It may break the target domain controller's communication with other systems in the network, affecting functionality.
+
+It is, therefore, **not** enabled by default.
+
+
+### Description
+
+An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
+
+To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
+
+
+### Notes
+
+* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).
diff --git a/monkey/infection_monkey/exploit/zerologon.py b/monkey/infection_monkey/exploit/zerologon.py
index 70888f54c..770118e04 100644
--- a/monkey/infection_monkey/exploit/zerologon.py
+++ b/monkey/infection_monkey/exploit/zerologon.py
@@ -578,10 +578,6 @@ class DumpSecrets:
 if self.__NTDS_hashes:
 self.__NTDS_hashes.finish()
-# mention in report explicitly - machine exploited/not (return True, if yes) & password restored/not
-# mention patching details in report
-# add exploit info to documentation
-
 # Adapted from https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
 # Used to get HKLM keys for restoring original DC password
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
index 0d123ac49..f59b010d3 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
@@ -159,7 +159,7 @@ EXPLOITER_CLASSES = {
 "breaks communication with other domain controllers.) "
 "Exploits a privilege escalation vulnerability in a Windows server domain controller, "
 "using the Netlogon Remote Protocol (MS-NRPC).",
- # "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/zerologon/"
+ "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/zerologon/"
 }
 ]
}
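Review bot: The newly enabled `"link"` value ends in `exploiters/zerologon/` (lowercase), while the page this commit creates is `docs/content/reference/exploiters/Zerologon.md`; if the docs generator keeps the filename's case in the URL, the link shown in the Island configuration UI will not resolve, so the generated slug should be confirmed before merging. The entry also becomes the last key of the Zerologon dict without a trailing comma; writing it as `"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/zerologon/",` keeps the next key addition to a one-line diff and matches the comma after the preceding `"description"` value. Separately, the hunk in zerologon.py deletes all three TODO comments although only "add exploit info to documentation" is completed here; the notes about reporting whether the DC password was restored and about patching details still appear to be open work and may be worth keeping until implemented. The enclosing `EXPLOITER_CLASSES` literal starts outside the hunk.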