Several vulnerabilities have been observed related to netlogon including a common and trending Vulnerability CVE-2020-1472. When we explored this vulnerability, we came to conclusion that the attacker exploits this vulnerability through usage of MS-NRPC (Netlogon Remote Protocol). We further discovered that the exploitation technique includes Brute-force and DCsync for gaining access and escalating privileges.
1. The PCAP observed contains multiple failed login attempts on the critical server. The request were generated using NetServerReqChallenge.
2. Excessive brute force attempts were seen in the respective pcap. The Empty Password Set was used consisting of mostly zeros.
3. The function that was carrying the request were NetrServerAuthenticate3 and NetrServerReqChallenge
As per Microsoft, the NetrServerAuthenticate3 method is used to mutually authenticate the client and the server, establishes the session key for secure channel message protection between the client and the server. The NetrServerReqChallenge method SHOULD <166> receive a client challenge and return a server challenge (SC).
4. Excessive authentication calls clearly indicating a brute force followed by a success was observed.
Following is the POC to test the vulnerability on a target server. Following Procedure was observed during POC:
1. Spoofing Host credential
2. Spoofing authenticaion call
3. Changing Host AD’s Password
To enable Netlogon, run the following command
> nltest /dbflag:FFFFFFF
Logs can be reviewed from %SystemRoot%\Debug folder.
Refer to Microsoft advisory for the list of affected products and their respective patches.