p17860254
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add Zerologon to documentation

This commit is contained in:
Shreya 2021-01-31 20:19:01 +05:30
parent 290385a8a0
commit 81c6de75b7
3 changed files with 27 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
docs/content/reference/exploiters/Zerologon.md Normal file
View File

@ -0,0 +1,26 @@
---
title: "Zerologon"
date: 2021-01-31T19:46:12+05:30
draft: false
tags: ["exploit", "windows"]
---
The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
This exploiter is unsafe.
* It will temporarily change the target domain controller's password.
* It may break the target domain controller's communication with other systems in the network, affecting functionality.
It is, therefore, **not** enabled by default.
### Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
### Notes
* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).

4
monkey/infection_monkey/exploit/zerologon.py
View File

@ -578,10 +578,6 @@ class DumpSecrets:
if self.__NTDS_hashes: if self.__NTDS_hashes:
self.__NTDS_hashes.finish() self.__NTDS_hashes.finish()
# mention in report explicitly - machine exploited/not (return True, if yes) & password restored/not
# mention patching details in report
# add exploit info to documentation
# Adapted from https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py # Adapted from https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
# Used to get HKLM keys for restoring original DC password # Used to get HKLM keys for restoring original DC password

2
monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
View File

@ -159,7 +159,7 @@ EXPLOITER_CLASSES = {
"breaks communication with other domain controllers.) " "breaks communication with other domain controllers.) "
"Exploits a privilege escalation vulnerability in a Windows server domain controller, " "Exploits a privilege escalation vulnerability in a Windows server domain controller, "
"using the Netlogon Remote Protocol (MS-NRPC).", "using the Netlogon Remote Protocol (MS-NRPC).",
# "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/zerologon/" "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/zerologon/"
} }
] ]
} }