Merge pull request #911 from shreyamalviya/zerologon-exploiter

Zerologon Exploiter

Author: shreyamalviya

LICENSE

@@ -5,6 +5,9 @@
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
+ This product includes software developed by SecureAuth Corporation
+ (https://www.secureauth.com/).
+
                             Preamble
 
   The GNU General Public License is a free, copyleft license for

docs/content/reference/exploiters/Zerologon.md

@@ -0,0 +1,26 @@
+---
+title: "Zerologon"
+date: 2021-01-31T19:46:12+05:30
+draft: false
+tags: ["exploit", "windows"]
+---
+
+The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
+
+This exploiter is unsafe.
+* It will temporarily change the target domain controller's password.
+* It may break the target domain controller's communication with other systems in the network, affecting functionality.
+
+It is, therefore, **not** enabled by default.
+
+
+### Description
+
+An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
+
+To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
+
+
+### Notes
+
+* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).

monkey/infection_monkey/exploit/HostExploiter.py

@@ -36,6 +36,11 @@ def base_package_name():
     # Usual values are 'vulnerability' or 'brute_force'
     EXPLOIT_TYPE = ExploitType.VULNERABILITY
 
+    # Determines if successful exploitation should stop further exploit attempts on that machine.
+    # Generally, should be True for RCE type exploiters and False if we don't expect the exploiter to run the monkey agent.
+    # Example: Zerologon steals credentials
+    RUNS_AGENT_ON_SUCCESS = True
+
     @property
     @abstractmethod
     def _EXPLOITED_SERVICE(self):
@@ -104,4 +109,5 @@ def add_executed_cmd(self, cmd):
         :param cmd: String of executed command. e.g. 'echo Example'
         """
         powershell = True if "powershell" in cmd.lower() else False
-        self.exploit_info['executed_cmds'].append({'cmd': cmd, 'powershell': powershell})
+        self.exploit_info['executed_cmds'].append(
+            {'cmd': cmd, 'powershell': powershell})

monkey/infection_monkey/exploit/tests/test_zerologon.py

@@ -0,0 +1,94 @@
+import pytest
+
+from infection_monkey.exploit.zerologon import ZerologonExploiter
+from infection_monkey.model.host import VictimHost
+
+
+DOMAIN_NAME = "domain-name"
+IP = "0.0.0.0"
+NETBIOS_NAME = "NetBIOS Name"
+
+USERS = ["Administrator", "Bob"]
+RIDS = ["500", "1024"]
+LM_HASHES = ["abc123", "098zyx"]
+NT_HASHES = ["def456", "765vut"]
+
+
+@pytest.fixture
+def zerologon_exploiter_object(monkeypatch):
+    def mock_report_login_attempt(**kwargs):
+        return None
+
+    host = VictimHost(IP, DOMAIN_NAME)
+    obj = ZerologonExploiter(host)
+    monkeypatch.setattr(obj, "dc_name", NETBIOS_NAME, raising=False)
+    monkeypatch.setattr(obj, "report_login_attempt", mock_report_login_attempt)
+    return obj
+
+
+def test_assess_exploit_attempt_result_no_error(zerologon_exploiter_object):
+    dummy_exploit_attempt_result = {"ErrorCode": 0}
+    assert zerologon_exploiter_object.assess_exploit_attempt_result(
+        dummy_exploit_attempt_result
+    )
+
+
+def test_assess_exploit_attempt_result_with_error(zerologon_exploiter_object):
+    dummy_exploit_attempt_result = {"ErrorCode": 1}
+    assert not zerologon_exploiter_object.assess_exploit_attempt_result(
+        dummy_exploit_attempt_result
+    )
+
+
+def test_assess_restoration_attempt_result_restored(zerologon_exploiter_object):
+    dummy_restoration_attempt_result = object()
+    assert zerologon_exploiter_object.assess_restoration_attempt_result(
+        dummy_restoration_attempt_result
+    )
+
+
+def test_assess_restoration_attempt_result_not_restored(zerologon_exploiter_object):
+    dummy_restoration_attempt_result = False
+    assert not zerologon_exploiter_object.assess_restoration_attempt_result(
+        dummy_restoration_attempt_result
+    )
+
+
+def test__extract_user_creds_from_secrets_good_data(zerologon_exploiter_object):
+    mock_dumped_secrets = [
+        f"{USERS[i]}:{RIDS[i]}:{LM_HASHES[i]}:{NT_HASHES[i]}:::"
+        for i in range(len(USERS))
+    ]
+    expected_extracted_creds = {
+        USERS[0]: {
+            "RID": int(RIDS[0]),
+            "lm_hash": LM_HASHES[0],
+            "nt_hash": NT_HASHES[0],
+        },
+        USERS[1]: {
+            "RID": int(RIDS[1]),
+            "lm_hash": LM_HASHES[1],
+            "nt_hash": NT_HASHES[1],
+        },
+    }
+    assert (
+        zerologon_exploiter_object._extract_user_creds_from_secrets(mock_dumped_secrets)
+        is None
+    )
+    assert zerologon_exploiter_object._extracted_creds == expected_extracted_creds
+
+
+def test__extract_user_creds_from_secrets_bad_data(zerologon_exploiter_object):
+    mock_dumped_secrets = [
+        f"{USERS[i]}:{RIDS[i]}:::{LM_HASHES[i]}:{NT_HASHES[i]}:::"
+        for i in range(len(USERS))
+    ]
+    expected_extracted_creds = {
+        USERS[0]: {"RID": int(RIDS[0]), "lm_hash": "", "nt_hash": ""},
+        USERS[1]: {"RID": int(RIDS[1]), "lm_hash": "", "nt_hash": ""},
+    }
+    assert (
+        zerologon_exploiter_object._extract_user_creds_from_secrets(mock_dumped_secrets)
+        is None
+    )
+    assert zerologon_exploiter_object._extracted_creds == expected_extracted_creds

monkey/infection_monkey/exploit/tests/zerologon_utils/test_vuln_assessment.py

@@ -0,0 +1,45 @@
+import pytest
+from nmb.NetBIOS import NetBIOS
+
+from infection_monkey.exploit.zerologon_utils.vuln_assessment import \
+    get_dc_details
+from infection_monkey.model.host import VictimHost
+
+
+DOMAIN_NAME = "domain-name"
+IP = "0.0.0.0"
+
+
+@pytest.fixture
+def host():
+    return VictimHost(IP, DOMAIN_NAME)
+
+
+def _get_stub_queryIPForName(netbios_names):
+    def stub_queryIPForName(*args, **kwargs):
+        return netbios_names
+    return stub_queryIPForName
+
+
+def test_get_dc_details_multiple_netbios_names(host, monkeypatch):
+    NETBIOS_NAMES = ["Name1", "Name2", "Name3"]
+
+    stub_queryIPForName = _get_stub_queryIPForName(NETBIOS_NAMES)
+    monkeypatch.setattr(NetBIOS, "queryIPForName", stub_queryIPForName)
+
+    dc_ip, dc_name, dc_handle = get_dc_details(host)
+    assert dc_ip == IP
+    assert dc_name == NETBIOS_NAMES[0]
+    assert dc_handle == f"\\\\{NETBIOS_NAMES[0]}"
+
+
+def test_get_dc_details_no_netbios_names(host, monkeypatch):
+    NETBIOS_NAMES = []
+
+    stub_queryIPForName = _get_stub_queryIPForName(NETBIOS_NAMES)
+    monkeypatch.setattr(NetBIOS, "queryIPForName", stub_queryIPForName)
+
+    dc_ip, dc_name, dc_handle = get_dc_details(host)
+    assert dc_ip == IP
+    assert dc_name == ""
+    assert dc_handle == "\\\\"