Mimikatz developer Benjamin Delpy has updated the latest version of the well-known tool to exploit the ZeroLogon vulnerability.

Mimikatz

Mimikatz [2] is an open-source tool designed to target devices running Windows; it can perform pass-the-hash, pass-the-ticket, Kerberoasting, and more.


ZeroLogon (CVE-2020-1472)

Discovered by Secura's security expert Tom Tervoort, the vulnerability allows a remote attacker to forge an authentication token for specific Netlogon functionality and call a function that sets the computer password of the Domain Controller to a known value.
The attacker can then use this new password to take control of the domain controller and steal the credentials of a domain admin.

The vulnerability stems from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on its behalf.
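Added example (not code from the page, from mimikatz or from Secura): a small Python detector for the symptom described above, a domain controller's computer account password being reset by a caller with no authenticated identity. The log format, the DC account names and the sample records are constructed for this example; the fields are shaped after Windows Security event 4742 ("A computer account was changed"), and treating an ANONYMOUS LOGON subject on such a change as the distinguishing feature is an assumption of the example.

```python
from typing import List

# Constructed for this example: sAMAccountNames of the domain controllers.
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample records, one per line, shaped after the fields of
# Windows Security event 4742 ("A computer account was changed"):
#   EventID | SubjectUserName | TargetUserName | PasswordLastSet
SAMPLE_LOG = """\
4742|ANONYMOUS LOGON|DC01$|changed
4742|svc-backup|WS07$|changed
4742|ANONYMOUS LOGON|WS07$|changed
4742|DC01$|DC01$|changed
4742|ANONYMOUS LOGON|DC02$|-
4724|ANONYMOUS LOGON|DC02$|changed
"""


def parse_line(line: str) -> dict:
    """Split one pipe-separated record into its four fields."""
    event_id, subject, target, pls = line.split("|")
    return {"event_id": int(event_id), "subject": subject,
            "target": target, "password_last_set": pls}


def is_zerologon_pattern(ev: dict) -> bool:
    """A 4742 in which a DC's own computer account received a new password
    and the caller is ANONYMOUS LOGON (no authenticated identity). A normal
    machine-account password rotation is performed by the account itself
    (subject == target), so that case is not flagged."""
    return (ev["event_id"] == 4742
            and ev["password_last_set"] == "changed"
            and ev["target"].upper() in DC_ACCOUNTS
            and ev["subject"].upper() == "ANONYMOUS LOGON")


def scan(log_text: str) -> List[str]:
    """Return the target accounts of all records matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_zerologon_pattern(ev):
            hits.append(ev["target"])
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ['DC01$']
```

Only the first record matches: the second and fourth have an authenticated subject, the third targets a workstation, the fifth records no password change, and the sixth is a different event ID.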

Delpy shared a demo of the ZeroLogon addition to mimikatz, demonstrating the direct RPC call:

https://twitter.com/gentilkiwi/status/1306178689630076929


References

  1. Tom Tervoort (Secura), Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)
  2. Benjamin Delpy, mimikatz releases, https://github.com/gentilkiwi/mimikatz/releases