Zerologon (CVE-2020-1472) is a critical vulnerability (CVSS 10.0) in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), the RPC interface that domain members and domain controllers use to authenticate each other. It was discovered by Tom Tervoort of the Dutch security firm Secura BV and reported to Microsoft, which patched it in the August 2020 security update; Secura published the technical write-up, and the name Zerologon, in September 2020.

Because the flaw sits in the authentication handshake itself, an attacker who can merely reach a domain controller over the network, with no credentials at all, can authenticate as the domain controller's own computer account, reset its password and from there take control of the entire Windows domain, typically within seconds.

How the Zerologon attack works

The attack takes advantage of a flaw in the cryptographic authentication handshake of the Netlogon Remote Protocol. Both sides prove that they know the shared secret (the computer account's password) by encrypting a challenge with a session key derived from it. That operation, ComputeNetlogonCredential, uses AES in CFB8 mode with an initialization vector that is fixed to all zeros. For one key in 256, encrypting eight zero bytes under a zero IV yields eight zero bytes, so an attacker who sends an all-zero challenge together with an all-zero credential passes the check with probability 1/256 per attempt, without ever knowing the password. Since the service does not throttle failed attempts, the attacker simply retries until it works. Note the direction of the impersonation: the attacker impersonates a computer account (the domain controller's own) towards the domain controller, not the domain controller towards its clients.

Initialization

The attacker opens the Netlogon RPC interface on the target domain controller (over the SMB named pipe or directly over TCP) and calls NetrServerReqChallenge, naming the domain controller's own computer account (for example DC01$) and supplying a client challenge of eight zero bytes. The domain controller answers with a random server challenge.

Authentication Bypass

The attacker calls NetrServerAuthenticate3 with a client credential of eight zero bytes and negotiate flags that turn off RPC signing and sealing, a downgrade the unpatched service accepts. The domain controller derives a session key from the account's password and the two challenges and checks whether ComputeNetlogonCredential of the zero challenge equals the zero credential it received. Because of the zero-IV weakness this holds for roughly one session key in 256, so the attacker repeats the challenge/authenticate pair, usually a few hundred times and rarely more than two thousand, until one attempt is accepted. No key is manipulated: the attacker never learns the session key, it only needs a key that happens to be weak.

Impersonation

After a successful attempt the attacker holds an authenticated Netlogon session as the domain controller's computer account, still without knowing its password or the session key. The authenticator that later calls must carry can be forged the same way, because an all-zero authenticator is exactly what a weak key produces, and the one call that matters is NetrServerPasswordSet2. Its encrypted password buffer (512 bytes of data followed by a 4-byte length) is sent as 516 zero bytes, which under the weak key decrypt to a password of length zero. The domain controller's machine account password stored in Active Directory is now empty.

Privilege Escalation

With the empty password, the attacker authenticates as the domain controller's computer account to ordinary RPC services, most usefully the directory replication service (DRSUAPI), and performs a DCSync to pull every account's password hash, including those of the Domain Admins and the krbtgt account. Those hashes give the attacker administrative control of the whole Windows domain through pass-the-hash or forged Kerberos tickets. One practical caveat: the reset only changed the password stored in Active Directory, not the copy the domain controller keeps locally in LSA, so replication and other services on that domain controller break until the original password is restored. Attackers typically read it back from the domain controller's registry and put it back; incident responders should rotate the domain controller's machine account password and the krbtgt password afterwards.

Once the domain controller's credentials are in hand, the attacker can move laterally to any machine in the domain, access sensitive data, distribute malware or ransomware domain-wide, and persist through forged Kerberos tickets long after the original foothold has been closed.
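The whole sequence above, from the zero-IV weakness to the empty-password blob, as an added worked example that is not part of the original article or of any public exploit. AES-128 and CFB8 are implemented inline so the script needs only the standard library (a teaching implementation, not for production use), the domain controller side is simulated in-process rather than spoken to over RPC, and `machine_secret` stands in for the MD4 hash of the computer account password from which MS-NRPC derives the session key; `seeded_rand` is a test-only replacement for the domain controller's random number generator.

```python
import hashlib, hmac, random, secrets

def _xtime(b):                                   # multiply by x in GF(2^8), AES polynomial
    return ((b << 1) ^ 0x11B) if b & 0x80 else (b << 1)

def _build_sbox():
    """Derive the S-box from the field inverse and affine map (FIPS-197 5.1.1)."""
    sbox, p, q = [0x63] * 256, 1, 1              # invariant: p * q == 1 in GF(2^8)
    for _ in range(255):                          # 3 generates the multiplicative group
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)      # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF             # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)           # q ^ rotl(q, 1..4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """FIPS-197 key schedule for a 16-byte key: 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; the state is column-major as in FIPS-197."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                                 # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]       # ShiftRows
        if r < 10:                                               # MixColumns (not in last round)
            m = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                m += [a[j] ^ t ^ _xtime(a[j] ^ a[(j + 1) % 4]) for j in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[r])]            # AddRoundKey
    return bytes(s)

def aes_cfb8(key, iv, data, decrypt=False):
    """AES-CFB8 (SP 800-38A): out = in ^ E_K(reg)[0]; the ciphertext byte is shifted into reg."""
    rk, reg, out = _expand_key(key), bytearray(iv), bytearray()
    for b in data:
        o = b ^ aes_encrypt_block(rk, bytes(reg))[0]
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])
    return bytes(out)

ZERO_IV = bytes(16)     # MS-NRPC fixes the CFB8 IV to all zeros: this is the Zerologon bug

def compute_netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential: AES-CFB8 of the 8-byte challenge under the session key, zero IV."""
    return aes_cfb8(session_key, ZERO_IV, challenge)

def derive_session_key(machine_secret, client_challenge, server_challenge):
    """16 bytes of HMAC-SHA256(MD4(password), client || server challenge); machine_secret stands in for MD4(password)."""
    return hmac.new(machine_secret, client_challenge + server_challenge, hashlib.sha256).digest()[:16]

def dc_authenticate(machine_secret, client_challenge, server_challenge, client_credential):
    """The DC's check inside NetrServerAuthenticate3: recompute the client credential, compare."""
    sk = derive_session_key(machine_secret, client_challenge, server_challenge)
    return hmac.compare_digest(compute_netlogon_credential(sk, client_challenge), client_credential)

def weak_for_zero_iv(key):
    """Zero IV + zero input gives all-zero CFB8 output exactly when E_K(0^16)[0] == 0 (1 key in 256)."""
    return aes_encrypt_block(_expand_key(key), ZERO_IV)[0] == 0

def zerologon(machine_secret, max_attempts=2000, rand=secrets.token_bytes):
    """Attacker loop: zero challenge + zero credential (signing/sealing disabled), until the DC's fresh key is weak."""
    for attempt in range(1, max_attempts + 1):
        server_challenge = rand(8)            # chosen by the DC; the attacker cannot influence it
        if dc_authenticate(machine_secret, bytes(8), server_challenge, bytes(8)):
            return attempt                    # number of NetrServerAuthenticate3 calls needed
    return None

def decode_password_set_blob(session_key, encrypted_blob):
    """NetrServerPasswordSet2 sends NL_TRUST_PASSWORD (512-byte buffer + 4-byte LE length) encrypted
    with AES-CFB8, zero IV. 516 zero bytes decrypt to length 0 under a weak key: an empty password."""
    plain = aes_cfb8(session_key, ZERO_IV, encrypted_blob, decrypt=True)
    length = int.from_bytes(plain[512:516], "little")
    return plain[512 - length:512] if length <= 512 else None

def seeded_rand(seed):
    """Deterministic stand-in for the DC's RNG, for repeatable runs only."""
    r = random.Random(seed)
    return lambda n: r.getrandbits(8 * n).to_bytes(n, "big")

if __name__ == "__main__":   # the DC's secret is constructed at random and never shown to the attacker
    print("NetrServerAuthenticate3 bypassed after", zerologon(secrets.token_bytes(16)), "attempts")
```

Running the script prints how many attempts the simulated handshake needed; across runs the number averages around 256, which is why the real exploit succeeds in seconds. The `weak_for_zero_iv` check makes the mechanism concrete: the retry loop is not searching for the session key, it is waiting for the domain controller to pick one whose first keystream byte is zero, and the same property is what turns 516 zero bytes into an empty machine password in `decode_password_set_blob`.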

Microsoft fixed the vulnerability in the 11 August 2020 security update for all supported domain controller versions, rolled out in two phases. The first phase makes patched domain controllers require secure RPC (signing and sealing) for Windows machine and trust accounts and starts logging vulnerable connections from other devices; the enforcement phase, switched on by the 9 February 2021 updates, rejects every vulnerable connection unless the account is explicitly exempted through the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. Administrators should patch every domain controller, make sure the FullSecureChannelProtection value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters has not been set to 0 on domain controllers that have not yet received the enforcement update, and review the System log for Netlogon events 5827 and 5828 (vulnerable connection denied), 5829 (vulnerable connection still allowed from a non-compliant device) and 5830/5831 (allowed by the policy exception). Samba domain controllers were affected as well and need either a fixed release or "server schannel = yes" in smb.conf, the default since Samba 4.8.

Failure to do so leaves the domain controllers, and therefore the whole domain, exposed to a public exploit that takes seconds to run.
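The event review described above, as an added example that is not part of the original article: it reads an exported batch of Netlogon events, sorts the accounts by what the domain controller did with them, and flags accounts that accumulate a burst of 5827 denials, which is the pattern a Zerologon exploit loop leaves on a patched domain controller. The sample records are constructed inline in the shape of a `Get-WinEvent -LogName System -FilterHashtable @{ProviderName='NETLOGON'} | Select-Object TimeCreated, Id, Message | ConvertTo-Json` export, with the message wording approximated; the burst threshold is a heuristic, not a Microsoft-documented rule.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Netlogon events added by the August 2020 update (System log, source NETLOGON).
NETLOGON_EVENTS = {
    5827: "denied: vulnerable connection from a machine account",
    5828: "denied: vulnerable connection from a trust account",
    5829: "allowed: vulnerable connection from a non-compliant device (fix before enforcement)",
    5830: "allowed by the group policy exception (machine account)",
    5831: "allowed by the group policy exception (trust account)",
}
ACCOUNT_RE = re.compile(r"^(?:Machine SamAccountName|Trust Name):\s*(\S+)", re.M)

def constructed_export():
    """Constructed sample (not a real export); message wording approximates the Windows text."""
    denied = ("The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.\n"
              "Machine SamAccountName: {}\nDomain: CORP\nAccount Type: Machine\n")
    recs = [
        {"TimeCreated": "2021-02-10T08:55:12", "Id": 5829, "Message":
         "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
         "Machine SamAccountName: NAS01$\nDomain: CORP\nAccount Type: Machine\nMachine Operating System: Linux\n"},
        {"TimeCreated": "2021-02-10T08:57:40", "Id": 5830, "Message":
         "The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine "
         "account is allowed in the group policy.\nMachine SamAccountName: PRINTER3$\nDomain: CORP\n"},
        {"TimeCreated": "2021-02-10T09:02:05", "Id": 5827, "Message": denied.format("LAPTOP7$")},
        {"TimeCreated": "2021-02-10T09:02:06", "Id": 5805, "Message": "Unrelated Netlogon event, filtered out."},
    ]
    base = datetime(2021, 2, 10, 9, 14, 0)   # an exploit run: dozens of denials naming the DC's own account
    recs += [{"TimeCreated": (base + timedelta(seconds=i)).isoformat(), "Id": 5827,
              "Message": denied.format("DC01$")} for i in range(30)]
    return json.dumps(recs)

def parse_export(text):
    """Keep Netlogon 5827-5831 records as (time, event id, account) tuples."""
    rows = []
    for rec in json.loads(text):
        if rec["Id"] in NETLOGON_EVENTS:
            m = ACCOUNT_RE.search(rec["Message"])
            rows.append((datetime.fromisoformat(rec["TimeCreated"]), rec["Id"], m.group(1) if m else "?"))
    return rows

def triage(rows, burst=20, window=timedelta(minutes=1)):
    """Group accounts by what the DC did, and flag accounts with `burst` or more 5827 denials inside
    `window` (heuristic: an exploit loop retries the handshake hundreds of times within seconds)."""
    report = defaultdict(set)
    denials = defaultdict(list)
    for ts, eid, account in rows:
        report[NETLOGON_EVENTS[eid]].add(account)
        if eid == 5827:
            denials[account].append(ts)
    suspects = set()
    for account, times in denials.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over the sorted timestamps
            if i + burst - 1 < len(times) and times[i + burst - 1] - start <= window:
                suspects.add(account)
                break
    report["possible exploitation attempt (burst of 5827)"] = suspects
    return dict(report)

if __name__ == "__main__":
    for category, accounts in triage(parse_export(constructed_export())).items():
        print(f"{category}: {sorted(accounts) or '-'}")
```

Accounts under the 5829 category are the ones that will stop working once enforcement is on and should be patched or moved to secure RPC rather than exempted; a burst of 5827 events naming a domain controller's own account is worth an immediate look, as is a Security log event 4742 (computer account changed) for a domain controller account that nobody reset.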

Overall, the Zerologon attack highlights the critical importance of promptly applying security updates and maintaining strong security practices to protect against emerging vulnerabilities and threats.

RFS
