Zero Login

So who else here has actually checked out the white paper for this? Found here: https://www.secura.com/pathtoimg.php?id=2055
supplementary documentation: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/da7acaa3-030b-481e-979b-f58f89389806

This one is cool because you can pretty much glean what to do based on the white paper and the documentation. Side note, now is the time to patch your DC's
What gets to me the most about this particular vulnerability is that while its existence is owed to a fundamental misuse of a cryptographic function, the attack also exploits a handful of other security flaws that shouldn't be a thing anymore:

Since computer accounts are not locked after invalid login attempts, we can simply try a bunch of times
Timestamp should contain the current Posix time, and is included in the call by the client along with the authenticator. It turns out, however, that the server does not actually place many restrictions on what this value can be (which makes sense, otherwise clock skew would become very troublesome), so we can simply pretend that it’s January 1st, 1970 and also set this value to 0.
It turns out that setting empty passwords for a computer is not forbidden at all
This script will successfully extract all user hashes from the domain through the Domain Replication Service (DRS) protocol. This includes domain administrator hashes (including the ‘krbtgt’ key, which can used to create golden tickets), that could then be used to login to the DC (using a standard pass-the-hash attack)


-Albatross
Zerologon is significantly worse, but don't take my word for it. Using CVSS 3.0, the linked Apple bug has a score of 8.1. Which, that is fairly severe. For comparison, under CVSS 3.1, Heartbleed was a 7.5, and Zerologon is a 10.0. Which, given how easy it is to exploit and what it lets you do, is hardly surprising: https://arstechnica.com/information-technology/2020/09/new-windows-exploit-lets-you-instantly-become-admin-have-you-patched/

-Albatross
Topic archived. No new replies allowed.