Add Zerologon to documentation

2021-01-31 20:19:01 +05:30 · 2021-01-31 20:19:01 +05:30 · 81c6de75b7
parent 290385a8a0
commit 81c6de75b7
3 changed files with 27 additions and 5 deletions
--- a/docs/content/reference/exploiters/Zerologon.md
+++ b/docs/content/reference/exploiters/Zerologon.md
@ -0,0 +1,26 @@
+---
+title: "Zerologon"
+date: 2021-01-31T19:46:12+05:30
+draft: false
+tags: ["exploit", "windows"]
+---
+
+The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
+
+This exploiter is unsafe.
+* It will temporarily change the target domain controller's password.
+* It may break the target domain controller's communication with other systems in the network, affecting functionality.
+
+It is, therefore, **not** enabled by default.
+
+
+### Description
+
+An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
+
+To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
+
+
+### Notes
+
+* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).
--- a/monkey/infection_monkey/exploit/zerologon.py
+++ b/monkey/infection_monkey/exploit/zerologon.py
@ -578,10 +578,6 @@ class DumpSecrets:
        if self.__NTDS_hashes:
            self.__NTDS_hashes.finish()

-# mention in report explicitly - machine exploited/not (return True, if yes) & password restored/not
-# mention patching details in report
-# add exploit info to documentation
-

 # Adapted from https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
 # Used to get HKLM keys for restoring original DC password
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
@ -159,7 +159,7 @@ EXPLOITER_CLASSES = {
                    "breaks communication with other domain controllers.) "
                    "Exploits a privilege escalation vulnerability in a Windows server domain controller, "
                    "using the Netlogon Remote Protocol (MS-NRPC).",
-            # "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/zerologon/"
+            "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/zerologon/"
        }
    ]
 }