Embedded Files
ZEROLOGON
(tracked as CVE-2020-1472)
ZEROLOGON
(tracked as CVE-2020-1472)
It is a critical cybersecurity vulnerability that allows an attacker to completely take over a Microsoft Windows Active Directory Domain Controller.
It is a critical cybersecurity vulnerability that allows an attacker to completely take over a Microsoft Windows Active Directory Domain Controller.
It received a maximum possible severity score of 10.0 out of 10.0 on the CVSS scale because it requires no user credentials, can be executed in seconds, and gives an attacker instant administrative control over an entire corporate network.
It received a maximum possible severity score of 10.0 out of 10.0 on the CVSS scale because it requires no user credentials, can be executed in seconds, and gives an attacker instant administrative control over an entire corporate network.
How the Flaw Works (The Flawed Crypto)The name "Zerologon" comes from the mechanical nature of the exploit: the attacker essentially forces an encryption process to result in all zeros.When a computer connects to a Domain Controller (the server managing network access), it uses a protocol called Netlogon.
How the Flaw Works (The Flawed Crypto)The name "Zerologon" comes from the mechanical nature of the exploit: the attacker essentially forces an encryption process to result in all zeros.When a computer connects to a Domain Controller (the server managing network access), it uses a protocol called Netlogon.
To securely authenticate, both sides use an encryption standard called AES-CFB8.
To securely authenticate, both sides use an encryption standard called AES-CFB8.
An implementation flaw in this protocol allowed an attacker to manipulate the login process:
An implementation flaw in this protocol allowed an attacker to manipulate the login process:
The Initialization Vector (IV) Mistake: In cryptography, an "Initialization Vector" is supposed to be a completely random string of numbers used to mix up the encryption so it can't be guessed.
The Initialization Vector (IV) Mistake: In cryptography, an "Initialization Vector" is supposed to be a completely random string of numbers used to mix up the encryption so it can't be guessed.
Microsoft's implementation of Netlogon mistakenly hardcoded this IV to always be all zeros.
Microsoft's implementation of Netlogon mistakenly hardcoded this IV to always be all zeros.
Guessing the Key: Because the IV is always zero, a specific mathematical quirk in AES-CFB8 means that 1 out of every 256 attempts to encrypt a string of zeros will yield a result that is also all zeros.
Guessing the Key: Because the IV is always zero, a specific mathematical quirk in AES-CFB8 means that 1 out of every 256 attempts to encrypt a string of zeros will yield a result that is also all zeros.
Bypassing Authentication: An attacker can simply spoof the identity of a legitimate computer on the network, send a credential string consisting entirely of zeros (0000...), and repeat the attempt.
Bypassing Authentication: An attacker can simply spoof the identity of a legitimate computer on the network, send a credential string consisting entirely of zeros (0000...), and repeat the attempt.
On average, within 256 tries (which takes less than three seconds over a network connection), the server accepts it as valid.
On average, within 256 tries (which takes less than three seconds over a network connection), the server accepts it as valid.
The Ultimate Takeover:
The Ultimate Takeover:
Once past authentication, the attacker uses the connection to call a specific command (NetrServerPasswordSet2) to reset the Domain Controller's own computer account password to—you guessed it—blank or all zeros.
Once past authentication, the attacker uses the connection to call a specific command (NetrServerPasswordSet2) to reset the Domain Controller's own computer account password to—you guessed it—blank or all zeros.
From that point on, the attacker has complete domain administrator rights and can deploy ransomware, steal data, or manipulate any user account on the network.
From that point on, the attacker has complete domain administrator rights and can deploy ransomware, steal data, or manipulate any user account on the network.
The Prerequisites for the Attack
The Prerequisites for the Attack
While devastating, Zerologon has one major limitation:
While devastating, Zerologon has one major limitation:
Local Network Access Required: The attacker must already be inside the network boundary.
Local Network Access Required: The attacker must already be inside the network boundary.
They either need a physical Ethernet connection inside the building, access to the corporate Wi-Fi, or initial access to a minor, non-admin machine via a phishing email or malware to use as a launching pad.
They either need a physical Ethernet connection inside the building, access to the corporate Wi-Fi, or initial access to a minor, non-admin machine via a phishing email or malware to use as a launching pad.
It cannot usually be executed directly from the open internet unless a Domain Controller is recklessly exposed.
It cannot usually be executed directly from the open internet unless a Domain Controller is recklessly exposed.
Prevention and MitigationMicrosoft completely patched this vulnerability across 2020 and 2021 by enforcing secure, remote procedure calls (RPC) and rejecting unencrypted Netlogon connections.
Prevention and MitigationMicrosoft completely patched this vulnerability across 2020 and 2021 by enforcing secure, remote procedure calls (RPC) and rejecting unencrypted Netlogon connections.
Today, protecting against Zerologon simply requires ensuring that all Windows Servers are up to date and running supported versions.
What is ZeroLogon? -
https://www.trendmicro.com/en_us/what-is/zerologon.html
Today, protecting against Zerologon simply requires ensuring that all Windows Servers are up to date and running supported versions.
What is ZeroLogon? -
https://www.trendmicro.com/en_us/what-is/zerologon.html
SecuraBV ZeroLogon Checker -
https://github.com/SecuraBV/CVE-2020-1472
ACHTUNG BABY!
SUPER DANGEROUS!!!!
IF YOU DON'T SAVE THE PASSWORD BEFORE, IT CANNOT BE RECOVERED AND YOU CAN BREAK THE NETWORK!!!
The Bug Hunter's Methodology
Nahamsec Recon Playlist
SecuraBV ZeroLogon Checker -
https://github.com/SecuraBV/CVE-2020-1472
ACHTUNG BABY!
SUPER DANGEROUS!!!!
IF YOU DON'T SAVE THE PASSWORD BEFORE, IT CANNOT BE RECOVERED AND YOU CAN BREAK THE NETWORK!!!
The Bug Hunter's Methodology
Nahamsec Recon Playlist
AFTER 2 CLICKS, EXPLOIT CHANGE THE DOMAIN PASSWORD TO BLANK SPACE
In an authorized pentest, you will need to revert to the original PSW:
AFTER 2 CLICKS, EXPLOIT CHANGE THE DOMAIN PASSWORD TO BLANK SPACE
In an authorized pentest, you will need to revert to the original PSW:
PIVOTING
cat /etc/proxychains4.conf
PIVOTING
cat /etc/proxychains4.conf
ssh -f -N -D 9050 -i pivot root@10.10.155.5
ssh -f -N -D 9050 -i pivot root@10.10.155.5
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
https://github.com/jpillora/chisel
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
https://github.com/jpillora/chisel
FIND AND EXPLOIT COMMON WEB VULNERABILITIES
github: PAYLOAD ALL THE THINGS
Here is the high-level, simple breakdown of how these three vulnerabilities work:
SQL Injection (SQLi):
Occurs when an attacker types database commands into a standard input field (like a login box). The application mistakes this text for legitimate instructions, allowing the attacker to steal, alter, or delete private data directly from the database.
Cross-Site Scripting (XSS)
happens when an attacker injects malicious browser code (JavaScript) into a webpage. The website accidentally saves this code and displays it to other visitors, causing the malicious script to run in innocent users' browsers to steal passwords or session cookies.
Command Injection takes place when an attacker inputs operating system commands into an application. The app accidentally passes those instructions straight to the underlying server, giving the attacker direct control over the host machine just like a rogue administrator.
INSECURE FILE UPLOADING
Phase 1: Interception & Modification
In Burp Suite: You capture the file upload HTTP request using the Proxy, send it to Repeater, and manipulate the payload—such as changing the file extension (e.g., .jpg to .php) or tampering with the Content-Type header.
The Goal: To bypass weak client-side restrictions or superficial server-side validation filters.
Phase 2: Execution & Verification
In Burp Suite: You forward the edited request, analyze the server's response to locate the uploaded file's URL or path, and then access that path via the browser.
The Goal: To trigger the execution of the uploaded malicious script on the server, typically resulting in Remote Code Execution (RCE).
Sanitanization Defenses - es no php, can be avoided with the following extension renaming
copy info intercepted in a file called req.txt
copy info intercepted in a file called req.txt
fuff -request req.txt -request-proto http -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -fs 1814
fuff -request req.txt -request-proto http -w /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt -fs 1814
xxE INJECTION (EXTERNAL ENTITIES INJECTION)
An XXE Injection occurs when a poorly configured XML parser processes user-supplied XML containing a malicious reference to an external resource.
xxE INJECTION (EXTERNAL ENTITIES INJECTION)
An XXE Injection occurs when a poorly configured XML parser processes user-supplied XML containing a malicious reference to an external resource.
By abusing this "external entity" feature, an attacker can trick the server into reading sensitive local files, launching internal network attacks (SSRF), or crashing the system (Denial of Service).
By abusing this "external entity" feature, an attacker can trick the server into reading sensitive local files, launching internal network attacks (SSRF), or crashing the system (Denial of Service).
The ultimate fix: Disable DTD and external entity resolution in your XML parser configurations, or use JSON instead.
The ultimate fix: Disable DTD and external entity resolution in your XML parser configurations, or use JSON instead.
CAPSTONE PROJECT
CAPSTONE PROJECT
- ENUMERATION:
fuff -u http://localhost/capstone/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php -recursion
1. Stored XSS (Persistent) — Yes, for all visitors
1. Stored XSS (Persistent) — Yes, for all visitors
If the PHP script takes user input, stores it in a database or a file without sanitizing it, and then displays that data back to other users, this affects everyone who visits that page.
If the PHP script takes user input, stores it in a database or a file without sanitizing it, and then displays that data back to other users, this affects everyone who visits that page.
How it works: An attacker inputs a malicious script into a comment section or profile bio. The PHP server saves it to the database.
How it works: An attacker inputs a malicious script into a comment section or profile bio. The PHP server saves it to the database.
The result: Every single visitor who loads that comment section will execute the malicious script in their browser.
to reinitialize the website php init
LET'S TRY SQL INJECTIONS - FINDING THE RIGHT HASCAT'S FORMAT
The result: Every single visitor who loads that comment section will execute the malicious script in their browser.
to reinitialize the website php init
LET'S TRY SQL INJECTIONS - FINDING THE RIGHT HASCAT'S FORMAT
Page updated
Google Sites
Report abuse