ZeroLogon Exploit - Abusing CVE-2020-1472 (Way Too Easy!)

  • Published 4 Oct 2020
  • Science & Technology

COMMENTS • 96

  • @TCMSecurityAcademy 3 years ago

    I hope you enjoyed this video! If so, please consider dropping a like and subscribing.

  • @null_1065 3 years ago +1

    I really aspire to be like you, Cyber Mentor. I hope to have a family and a good head on my shoulders like you. God bless you, sir!

  • @shreyashhire7527 3 years ago +3

    Thank you for all this, man 🔥 your content is super helpful ♥️🙌

  • @igorpasternak8127 3 years ago

    Thanks a lot for the newest vulnerability review!!!

  • @kaleababdurahman5318 3 years ago +2

    My favorite mentor on YouTube.

  • @parampreetrai7093 3 years ago +1

    I'm surprised that you still had this Hydra-DC virtual image that you set up in the penetration testing course. 😁
    Great video 👍👍👍

  • @gr4vedigg3r 3 years ago

    You're the best, keep it up!

  • @hackingsecurity6180 3 years ago

    Dope man, this is so lit

  • @cyberxcash 3 years ago +1

    I bought your hacker bundle from your new TCM academy, really looking forward to learning together 😁

  • @neonode2575 3 years ago

    First video I'm seeing, didn't see the whole video, but liked anyway :)

  • @febday5944 3 years ago

    Thanks bro, that's good!!! And easy to learn for beginners.

  • @chiragagrawal7856 3 years ago

    Thank you for the share

  • @randomapperatus3773 3 years ago

    Going through your PEH right now. Christian at Intrinium told me I should buy, in case you wanna give him a kickback 🤣🤣

  • @nottahgiyn7866 3 years ago

    Awesome, now I want to figure out how to counter this

  • @srlsec 3 years ago

    TCM

  • @neetech3716 3 years ago

    Great 🔥

  • @TheManOfPeace999 3 years ago +24

    I liked the video. But do you think you could do a video explaining WHY this happens?

    • @skolarii 3 years ago +16

      In simple english: www.trendmicro.com/en_us/what-is/zerologon.html
      OG White Paper: www.secura.com/pathtoimg.php?id=2055
      TLDR: The MS-NTLM protocol uses a non-standard flavor of AES called AES-CFB8. The vulnerability here is that the Initialisation Vector (IV) is a) only 16 bytes long and b) set to all zeroes. It should be random but it is anything but. That leaves a 1 in 256 chance that the key will produce a cipher text of all 0s, something that can be brute forced in a matter of seconds as you saw in the video.

    • @TheManOfPeace999 3 years ago +2

      @@skolarii ty ty, I appreciate it

    • @internationalekookdag2405 3 years ago +1

      I like those people searching for knowledge! It reminds me of myself in the past (and still right now). Keep going, then you will achieve a lot.

    • @zelfzack9432 3 years ago

      @@internationalekookdag2405 I think I'm like that too, but I feel really stupid .-.
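
The thread above asks why the attack works and gets the short crypto answer. The script below is an added worked example, written for this page and not taken from the video or from the TCM, risksense or Secura tooling. It reproduces the cause: Netlogon's ComputeNetlogonCredential runs AES in CFB8 mode with a fixed all-zero IV, and with a zero IV about one key in 256 turns an all-zero 8-byte input into an all-zero output, which is what the all-zero client credential the exploit sends gets compared against. The block cipher and the session-key derivation are labelled stand-ins (a SHA-256 based keyed function instead of AES-128 and instead of the real HMAC-SHA256 derivation) so the script runs on a bare Python install; the CFB8 argument does not depend on which cipher sits underneath. The machine-account secret and all challenges are constructed sample values.

```python
"""Added example (not from the video or the linked tools): why a zero IV in
CFB8 mode gives ZeroLogon its 1-in-256 odds, plus a simulation of the
challenge loop the exploit and the Secura checker both run."""
import hashlib
import random

BLOCK = 16
ZERO_IV = bytes(BLOCK)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # ASSUMPTION: stand-in for AES-128, chosen so no third-party crypto
    # library is needed. Any good 16-byte keyed PRP/PRF behaves the same
    # for the property shown here.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: each plaintext byte is XORed with the first byte of
    E_k(register); the resulting ciphertext byte is then shifted into the
    register from the right, dropping the oldest byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def is_weak_key(key: bytes) -> bool:
    """With IV = 0 and an all-zero plaintext the register starts at 0^16.
    If E_k(0^16)[0] == 0, the first ciphertext byte is 0, the register is
    still all zeros, and every later byte is 0 as well, whatever the
    length. For a random key that first byte is 0 with probability 1/256."""
    return block_encrypt(key, ZERO_IV)[0] == 0


def find_weak_key(seed: int = 3) -> bytes:
    rng = random.Random(seed)
    while True:
        key = rng.getrandbits(128).to_bytes(16, "big")
        if is_weak_key(key):
            return key


def weak_key_fraction(samples: int, seed: int = 1) -> float:
    rng = random.Random(seed)
    hits = sum(is_weak_key(rng.getrandbits(128).to_bytes(16, "big"))
               for _ in range(samples))
    return hits / samples


def session_key(machine_secret: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    # ASSUMPTION: stand-in for the Netlogon session-key derivation. What
    # matters is that a fresh server challenge gives a fresh key, outside
    # the attacker's control, on every attempt.
    return hashlib.sha256(machine_secret + client_chal + server_chal).digest()[:BLOCK]


def zerologon_attempts(machine_secret: bytes, max_attempts: int = 10000, seed: int = 7):
    """Simulate the exploit/scanner loop: the client always sends an all-zero
    8-byte challenge and an all-zero 8-byte credential. The server computes
    CFB8(session_key, IV=0, client_challenge) and accepts when it matches.
    Returns (accepted, attempts_needed); on average that is ~256 attempts."""
    rng = random.Random(seed)
    client_chal = bytes(8)
    client_cred = bytes(8)
    for attempt in range(1, max_attempts + 1):
        server_chal = rng.getrandbits(64).to_bytes(8, "big")
        sk = session_key(machine_secret, client_chal, server_chal)
        if cfb8_encrypt(sk, ZERO_IV, client_chal) == client_cred:
            return True, attempt
    return False, max_attempts


if __name__ == "__main__":
    print(f"weak keys: {weak_key_fraction(8192):.4f} of 8192 sampled (1/256 = {1/256:.4f})")
    wk = find_weak_key()
    print("weak key, zero IV, 32 zero bytes ->", cfb8_encrypt(wk, ZERO_IV, bytes(32)).hex())
    print("same key, non-zero IV            ->", cfb8_encrypt(wk, b"\x01" + bytes(15), bytes(32)).hex())
    ok, n = zerologon_attempts(b"constructed machine-account secret")
    print(f"all-zero credential accepted after {n} attempts" if ok else "never accepted")
```

Run it as-is: the printed fraction sits near 0.0039, the weak key maps 32 zero bytes to 32 zero bytes only while the IV is zero, and the simulated loop succeeds after a few hundred tries. Against a real DC the Secura checker mentioned later in this thread stops at exactly this point, with an accepted all-zero credential, and does not go on to the set_empty_pw step the video performs, which is why it is the safe way to answer the "how do I know if I'm vulnerable" questions below.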

  • @dhanushholla9221 3 years ago +1

    Could you please explain what marvel was? And during secretsdump you added -just-dc, what does that stand for?... BY THE BIG FAN AND LOVE FROM INDIA 💯🤩❤️ HAPPY TO SEE YOUR VIDEOS. GURU 🙇

  • @dhanushholla9221 3 years ago

    I'm very new to this field, that's why I'm asking so many doubts.. don't mind, bro 😁😅

  • @manamnice 3 years ago

    Missed the 2018 Kali Linux

  • @jayantchidirala6092 4 months ago

    Amazing video! I know it's an old video, but I am trying to create an assignment where students can try to use this exploit; it's for a penetration testing class. Would you know any way I can get my hands on a Windows Server 2019 ISO that's unpatched?

  • @dhanushholla9221 3 years ago

    What is impacket used for? And how to use hashes in view of getting access?

  • @justsahilgamer9742 3 years ago

    I have one question: how do we identify that this vuln is there on the PC?

  • @demiscuzz6427 3 years ago

    How do you run it in a virtual env in Kali?

  • @abdullahanas7679 1 year ago

    Where can I get an unpatched AD?

  • @ollyalmon6460 3 years ago

    The fact that this vulnerability is very simple but also very dangerous in the hands of people with bad intentions... Note: PATCH this on your stuff ASAP.

  • @Aarun3096 3 years ago

    Hi sir... back with the Zerologon vulnerability.... it was just short & wealthy, more to get.... superb

  • @cocplayers4459 3 years ago

    How to find the vulnerability???

  • @CanCaner163 3 years ago

    Does it work remotely with external IPs?

  • @Bob-hk9mx 3 years ago

    Does this exploit require the target to be on the same network?

  • @911outrun 3 years ago +1

    I feel like I should find a scanner to detect this if possible (too dumb to make one in enough time).
    Would help a bit at work, since I just spent who knows how long making sure my systems were patched.

    • @samudrasarma6555 3 years ago +1

      I already automated this; if you need the Python script, ping me.

    • @mohamedhamed1286 3 years ago

      @@samudrasarma6555 Can you send it to me, please?
      mr.root2203@gmail.com

    • @dadquestionmark 3 years ago +2

      There is a scanner script on GitHub, don't let random people on YouTube send you one lol

    • @911outrun 3 years ago +1

      @@dadquestionmark Yeah, I managed to find the one from Secura and as far as I can tell it looks clean, but I will run it against a test DC at home first and see what it does.

    • @dadquestionmark 3 years ago

      @@911outrun Yep, that's the one. Alternatively you could use WMI, for example, to check remote systems for the patch.

  • @stanev123 3 years ago

    How can I find the domain name of the target?

  • @The1996Rockers 3 years ago +16

    It means that we can take over any domain controller that hasn't been patched for this exploit yet?
    E.g.: can we take over the Forest machine from HTB with this exploit?

    • @andyli 3 years ago

      Yes, just tested it. It works.

  • @or_test 3 years ago +4

    Do not perform on production. This WILL destroy your system.

  • @dcdiagfix 3 years ago

    You should do a version using the print spooler vuln, it doesn't break the computer password!

  • @Lim3tree 2 years ago

    Is this tool allowed in OSCP exam?

  • @kevinlim4452 3 years ago

    Which hash do I use if I want to run reinstall_original_pw.py?

  • @AntiWanted 3 years ago

    Nice

  • @MrTJadam 3 years ago

    Is this safe to use on bug bounty targets? Or will set_empty_pw.py screw up their DC? Thanks

    • @nero2k619 3 years ago +1

      You won't find any public or private programs exposing their domain controller to the public.

  • @drakesh6379 3 years ago +2

    Does the attacker have to be sitting in the network to perform this attack?

    • @samudrasarma6555 3 years ago

      Nope

    • @lee_carter 3 years ago

      Yes, unless you are silly enough to have your Netlogon hanging on a public network.

  • @sayurionella6256 3 years ago

    I did this exploitation, but it didn't run correctly, please help me

  • @pinikorn9216 3 years ago +6

    So what's the solution for this?

    • @lee_carter 3 years ago +3

      Apply the MS patch from the Microsoft website (support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#EnforcementMode) and, if this is a Samba DC, apply the server channel config detailed on the Samba website (www.samba.org/samba/security/CVE-2020-1472.html).

    • @anissehounaoui2139 3 years ago

      If you want to detect whether you are vulnerable to this exploit, you can download a tool made by Cynet; you will find it at the end of this article:
      www.anissecurity.com/news/zerologon-vulnerability/

  • @antoniodesilva 3 years ago

    Can you explain how you ran the virtual environment? Thanks!

    • @Em-ef4vh 3 years ago

      Here's some documentation on that: novicenolonger.com/safe-python-playing-with-virtualenv/

    • @antoniodesilva 3 years ago

      @@Em-ef4vh Thanks, will try it out!

  • @WoLFyy2009 3 years ago

    Does this exploit only work on Windows Server 2012?

  • @shrirangkahale 3 years ago

    Heyy...

  • @Luezzy 3 years ago +2

    Is there any mitigation for this exploit?

    • @UlfKlose 3 years ago

      There's a patch from Microsoft.

  • @SensitiveEvent 3 years ago +2

    I'm currently in the middle of three engagements. I ran this on two of them; I can no longer resolve hosts and authentication is acting weird. Is there a restore feature like script.py -r? Debating on trying it on the last engagement and just calling it a night.
    Thanks in advance.

    • @gr4vedigg3r 3 years ago +4

      Hey, I don't think you should have run it on an engagement. You should try and restore it immediately, because it can leave it vulnerable if it was not patched.

    • @henrythegod6756 3 years ago +2

      Per the GitHub instructions:
      "And that should show you the original NT hash of the machine account. You can then re-install that original machine account hash to the domain by
      python3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR ORIG_NT_HASH
      Reinstalling the original hash is necessary for the DC to continue to operate normally."
      github.com/risksense/zerologon

    • @dadquestionmark 3 years ago +1

      wow

    • @SensitiveEvent 3 years ago +1

      @@gr4vedigg3r Whatever, they should have patched their servers. One of the companies called me this morning raging that their network wasn't working; it's not my fault. Two directors and the CEO got on a conference call and agreed with me that an attacker could have done the same thing.
      Meh, they can restore from backups. I'll try again later tonight.

    • @gr4vedigg3r 3 years ago

      @@SensitiveEvent Yeah, but I wouldn't recommend running scripts that hurt the client's network. If I wanted to run that script I'd call them up and tell them to make a backup and have someone ready to fix it up if it goes down ;)

  • @yashodhanpagar 3 years ago +6

    Love from INDIA ❤️
    I AM YOUR STUDENT AT UDEMY PRACTICAL ETHICAL HACKING ❤️

  • @KUMAR-mm4sw 3 years ago

    Sir, how to insert a name in any website at a particular place by hacking? Which tools, methods etc. are used for that?

  • @facttrendz1314 3 years ago

    Sir, how to download the old GNOME environment on Kali Linux 2020?

  • @fenilshah9221 3 years ago

    First

  • @MH-tw1qi 3 years ago

    Your YouTube fans are waiting for new content

  • @justsahilgamer9742 3 years ago +1

    TryHackMe also created a room for this specific CVE

  • @nwodomitchel8921 3 years ago +2

    Superb education and awareness tips. Please throw more light on how you installed impacket, because the secretsdump.py command is not found on my Kali 2020.3.
    I was only able to install impacket 0.9.21; please help out on how you installed 0.9.22.

    • @umersaeed6032 3 years ago

      Did you manage to get impacket 0.9.22? If so, how?

  • @MrPeter-jt3nd 3 years ago

    It doesn't work
    😵😵

    • @null.ru.1337 3 years ago

      'Cause the domain controller was patched.

  • @MicahHidlebaugh 3 years ago +1

    First!