POC details: b6471ff2401fa2208bc48de72478c835eed35f96

Source
Related vulnerability
Title: Microsoft Windows Netlogon security feature issue vulnerability (CVE-2020-1472)
Description: Microsoft Windows Netlogon is an important component of Microsoft's Windows. Its main functions are authenticating users and machines on the domain network and replicating the database for domain controller backup; it is also used to maintain the relationships between domain members and the domain, between the domain and domain controllers, and between domain DCs and DCs in other domains. Microsoft Windows Netlogon has a security vulnerability. An attacker can use the Netlogon Remote Protocol (MS-NRPC) to establish a vulnerable Netlogon secure channel connection to a domain controller and escalate privileges.
Introduction
# CVE-2020-1472 (ZeroLogon) Detection and Mitigation Demo

This project demonstrates the detection and mitigation of the critical Windows vulnerability CVE-2020-1472, also known as **ZeroLogon**. The vulnerability allows attackers to gain unauthenticated administrative access to a domain controller. This was developed as part of a school cybersecurity project. The PoC code credit goes to Tom Tervoort (Secura) and the Suricata ruleset credit goes to Proofpoint Emerging Threats.

Key components:
- Testing a domain controller's vulnerability using a PoC script
- Monitoring for indicators via **Windows Event Logs**
- Implementing **Suricata IDS** with custom rules
- Applying **Windows Updates**

---

## Demonstrated Detection Techniques

### 1. Vulnerability Testing Script
- Python script by **Tom Tervoort** (Secura)
- Leverages the `impacket` library to test a domain controller’s vulnerability via Netlogon authentication bypass

### 2. Windows Event Log Analysis
Look for these key events:
- `4624`: Successful logon using DC credentials
- `4672`: Special privileges assigned to attacker (e.g., admin)
- `5805`: Netlogon error events (indicator of exploitation)

### 3. Intrusion Detection Using Suricata
- Uses Suricata to analyse network traffic on the domain controller
- Implements custom rules from the **Proofpoint Emerging Threats** ruleset
- Detects sequences of zero bytes commonly used in the ZeroLogon exploit

---

## Requirements

To replicate this demonstration, the following setup is required:

### Attacker Machine
- VirtualBox (using **NATNetwork** for VM networking)
- Kali Linux (any recent version)
- Testing script from GitHub repository (saved to Desktop):
  [ZeroLogon testing script by Tom Tervoort (Secura)](https://github.com/SecuraBV/CVE-2020-1472?tab=readme-ov-file)

### Target Machine
- VirtualBox (same **NATNetwork** configuration with Promiscuous mode enabled)
- Windows Server 2019 Essentials (updated Sept 2019)
  - A new domain and DC created (using Target Machine server as DC)
- Suricata
- Microsoft C++ Redistributable
- Npcap
- Notepad++
- Rules file from Proofpoint Emerging Threats Rules repository
  [`emerging-all.rules` by Proofpoint](https://rules.emergingthreats.net/open/)

> *Configuration Note*:
> The Suricata configuration was modified using **Notepad++**:
> - `HOME_NET` was set to the IP address of the Target machine
> - The `rule-files` section was updated to use the `emerging-all.rules` file

## Demonstration of Detection Approaches

### Step 1: Find out Target Machine Computer Name and IP address
1. Open Server Manager.
2. Navigate to Local Server. Take note of the Computer Name and the IP address shown under Ethernet. In this demonstration, the computer name is FTB4-Victim-Win and the IP address is 10.0.2.4.

![Screenshot 2025-05-17 154115](https://github.com/user-attachments/assets/c3308522-8a8b-4d7d-aa72-c14fd8791c17)

---

### Step 2: Launch Vulnerability Testing Script
1. In the Attacker Machine, open Terminal.
2. Execute the Python testing script with the target machine's computer name and IP address:
  ```bash
  python /home/kali/Desktop/CVE-2020-1472-master/zerologon_tester.py <target computer name> <target IP>
  ```
3. The script concludes with a message indicating that the domain controller can be fully compromised by a ZeroLogon attack.

![Screenshot 2025-05-17 154323](https://github.com/user-attachments/assets/1e15e5cd-ddfc-4944-afc2-af2d1d701fd2)

---

### Step 3: Analysing Windows Event Log 
1. Now in the Target machine, launch Event Viewer. The icon is on the taskbar.
2. Navigate to Windows Logs, then Security.
3. As shown below, there are two Security events relating to the ZeroLogon bypass: Event 4672 and Event 4624.

![Screenshot 2025-05-17 154640](https://github.com/user-attachments/assets/3b380048-0846-4a2b-9846-47001ab6f39c)

![Screenshot 2025-05-17 154651](https://github.com/user-attachments/assets/7a430c63-c908-4f16-953c-e4f72191f4db)

4. Go to System, also under Windows Logs. Scroll down until you see the event with Level as **Error** and Source as **NETLOGON**. Select it. This is another event relating to the ZeroLogon bypass.

![Screenshot 2025-05-17 154942](https://github.com/user-attachments/assets/07125123-2a5c-4393-bac0-4249cd3c152e)

5. You may close Windows Event Viewer.
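To pull the events from section 2 and this step programmatically instead of scrolling through Event Viewer, here is an added PowerShell example (not part of the original project) that queries Security events 4624/4672 and the System NETLOGON error 5805 on the DC and lists them in time order. It assumes it is run in an elevated PowerShell on the Target machine and that `$DcAccount` is the DC's own computer account (FTB4-VICTIM-WIN$ in this demo).

```powershell
# Added example, not part of the original project: query the three events the
# README lists (Security 4624/4672, System 5805 from NETLOGON) on the DC itself
# and print them in time order so the 4624 -> 4672 -> 5805 pattern is visible.
# Assumptions: run in an elevated PowerShell on the Target machine (the DC);
# $DcAccount is the DC's own computer account (FTB4-VICTIM-WIN$ in the demo).
param(
    [int]$LookbackMinutes = 60,
    [string]$DcAccount = "$env:COMPUTERNAME`$"
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

function Get-EventField {
    # Read one named <Data> field from the event's EventData XML
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Security log: 4624 (successful logon) and 4672 (special privileges assigned)
$security = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4672; StartTime = $since
} -ErrorAction SilentlyContinue

# System log: NETLOGON error 5805 (session setup failed to authenticate)
$netlogon = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = @(foreach ($e in $security) {
    # 4624 names the logged-on account in TargetUserName (plus the client IP);
    # 4672 names it in SubjectUserName. Keep only logons *as the DC account*,
    # which is what a successful ZeroLogon bypass produces.
    $field = if ($e.Id -eq 4624) { 'TargetUserName' } else { 'SubjectUserName' }
    $user  = Get-EventField $e $field
    if ($user -ne $DcAccount) { continue }
    $ip = if ($e.Id -eq 4624) { Get-EventField $e 'IpAddress' } else { '-' }
    [pscustomobject]@{ Time = $e.TimeCreated; Log = 'Security'; Id = $e.Id; Account = $user; SourceIp = $ip }
})
$hits += @(foreach ($e in $netlogon) {
    [pscustomobject]@{ Time = $e.TimeCreated; Log = 'System'; Id = $e.Id; Account = '-'; SourceIp = '-' }
})

# A 4624 for the DC account whose SourceIp is not the DC's own address,
# followed shortly by 4672 and a NETLOGON 5805, is the pattern to look for.
$hits | Sort-Object Time | Format-Table -AutoSize
```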

---

### Step 4: Intrusion Detection Using Suricata

1. In the Target machine, open Command Prompt as Administrator.
2. Change into the Suricata installation directory:
  ```bash
  cd C:\Program Files\Suricata\
  ```
3. Launch Suricata with the appropriate IP address (on Windows, `-i` selects the capture interface by its IP address):
  ```bash
  suricata -c suricata.yaml -i <target IP> -l log
  ```

![Screenshot 2025-05-17 155501](https://github.com/user-attachments/assets/f041c4e0-a6cb-462c-a8b7-a54cffc78fe7)

4. Open File Explorer from the icon in the taskbar. Navigate to `C:\Program Files\Suricata\log`
5. Type `powershell` on the navigation bar and press Enter. Windows PowerShell will launch.

![Screenshot 2025-05-17 155647](https://github.com/user-attachments/assets/bb7bcef8-39a1-4d53-bce5-aec3d8edef91)

6. In Windows PowerShell, type `get-content .\fast.log -wait` and press Enter. Ignore all the previous logs as they were from previous testing and scroll down to the empty space.

![Screenshot 2025-05-17 155901](https://github.com/user-attachments/assets/d9421594-c425-47f0-8bc8-c3bb9e1ad835)

7. Switch to the Attacker machine and launch the Python testing script again.
8. Now go back to the Target machine and take note of the new alerts generated. These alerts indicate an attempted or successful ZeroLogon exploitation.

![Screenshot 2025-05-17 160035](https://github.com/user-attachments/assets/7746125d-5749-4ab9-b19b-17d433ac9029)

9. You may close the Windows PowerShell and Command Prompt windows.
10. Open `fast.txt`. The logs are saved in this file.

![Screenshot 2025-05-17 160136](https://github.com/user-attachments/assets/e8e22414-af88-44cb-9a09-9068f21ec13d)
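Rather than reading the raw text tailed in step 6, the alerts can be parsed into objects and summarised per attacking host. This is an added PowerShell example, not part of the original project; it assumes the rule message contains "CVE-2020-1472" or "Zerologon", and the `$sampleLog` lines are constructed to show the fast.log format (the SIDs and messages are placeholders, not the real ET rules).

```powershell
# Added example, not part of the original project: parse Suricata's fast.log
# (the file tailed in step 6) into objects and summarise ZeroLogon alerts per
# source host. Assumptions: the alert message contains "CVE-2020-1472" or
# "Zerologon"; $sampleLog below is constructed to show the format and uses
# placeholder SIDs/messages, not the real Proofpoint ET rules or a real capture.
$sampleLog = @'
05/17/2025-16:00:35.123456  [**] [1:9000001:1] EXAMPLE Zerologon NetrServerReqChallenge with zero client challenge (CVE-2020-1472) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.2.15:52010 -> 10.0.2.4:49667
05/17/2025-16:00:35.130001  [**] [1:9000002:1] EXAMPLE Zerologon NetrServerAuthenticate3 with zero client credential (CVE-2020-1472) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.2.15:52010 -> 10.0.2.4:49667
05/17/2025-16:01:02.000010  [**] [1:9000099:1] EXAMPLE Unrelated scan activity [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.2.7:40000 -> 10.0.2.4:445
'@

# One regex for a fast.log line: timestamp, [gid:sid:rev], message, priority, protocol, 5-tuple
$fastLine = '^(?<ts>\S+)\s+\[\*\*\]\s+\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+(?<msg>.+?)\s+\[\*\*\].*?\[Priority:\s*(?<pri>\d+)\]\s+\{(?<proto>\w+)\}\s+(?<src>[\d.]+):(?<sport>\d+)\s+->\s+(?<dst>[\d.]+):(?<dport>\d+)\s*$'

function ConvertFrom-FastLog {
    # Turn each fast.log line into an object; lines that do not match are skipped
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $fastLine) {
            [pscustomobject]@{
                Time = $Matches.ts; Sid = [int]$Matches.sid; Message = $Matches.msg
                Priority = [int]$Matches.pri; Source = $Matches.src
                Dest = $Matches.dst; DestPort = [int]$Matches.dport
            }
        }
    }
}

# On the DC, replace ($sampleLog -split "`r?`n") with
# (Get-Content 'C:\Program Files\Suricata\log\fast.log') to read the live file
$alerts = ConvertFrom-FastLog ($sampleLog -split "`r?`n") |
    Where-Object { $_.Message -match 'CVE-2020-1472|Zerologon' }

# Count ZeroLogon alerts per source host and list which rule SIDs fired
$alerts | Group-Object Source | ForEach-Object {
    [pscustomobject]@{
        Source    = $_.Name
        Alerts    = $_.Count
        Sids      = ($_.Group.Sid | Sort-Object -Unique) -join ','
        FirstSeen = ($_.Group.Time | Sort-Object)[0]
    }
} | Format-Table -AutoSize
```

With the constructed sample this reports one source (10.0.2.15) with two alerts; the unrelated priority-3 line is filtered out by the message match.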

## Demonstration of Mitigation Approach
The most effective mitigation for CVE-2020-1472 (ZeroLogon) is to **install the latest Windows security updates**.

### Steps:
1. On the **Target Machine**, open the **Settings** app.
2. Navigate to Update and Security → Windows Update.
3. Click **"Check for updates"** and allow the system to download and install the latest updates.
4. Reboot the machine if required.
   
![Screenshot 2025-05-17 160314](https://github.com/user-attachments/assets/ff649ab8-f66d-4813-90c4-26400276ad26)

> These updates apply Microsoft's fix for the ZeroLogon vulnerability by enforcing secure RPC usage for Netlogon secure channel connections and enabling enforcement mode by default on domain controllers.

---

## Note on Limitations

The detection and mitigation approaches demonstrated in this project are designed for educational purposes within a controlled lab environment. While effective in illustrating the concepts behind CVE-2020-1472 (ZeroLogon), they have limitations and are not fully practical for deployment in real-world enterprise environments. As this is a school project, the focus is on learning and understanding cybersecurity techniques rather than implementing production-grade solutions.

## Acknowledgements

Special thanks to

- **Tom Tervoort** (Secura) for the original ZeroLogon testing script  
  [https://github.com/SecuraBV/CVE-2020-1472](https://github.com/SecuraBV/CVE-2020-1472)
- **Bandar Alanazi** for the ZeroLogon detection approaches via Windows Event logs
  [https://0xbandar.medium.com/detecting-the-cve-2020-1472-zerologon-attacks-6f6ec0730a9e](https://0xbandar.medium.com/detecting-the-cve-2020-1472-zerologon-attacks-6f6ec0730a9e)
- **Proofpoint Emerging Threats** for their Suricata rules used to detect ZeroLogon exploit attempts  
  [https://rules.emergingthreats.net/open/](https://rules.emergingthreats.net/open/)
- **Microsoft** for documentation on update KB4601345 and guidance on CVE-2020-1472 patching  
  [https://support.microsoft.com/en-us/topic/february-9-2021-kb4601345-os-build-17763-1757-expired-c38b7b85-0d84-d979-1a29-e4ba97b82042](https://support.microsoft.com/en-us/topic/february-9-2021-kb4601345-os-build-17763-1757-expired-c38b7b85-0d84-d979-1a29-e4ba97b82042)

## References

- [CVE-2020-0796 Remote Code Execution POC](https://github.com/ZecOps/CVE-2020-0796-RCE-POC)
- ["Detecting the CVE-2020-1472 (Zerologon) attacks" by Bandar Alanazi](https://0xbandar.medium.com/detecting-the-cve-2020-1472-zerologon-attacks-6f6ec0730a9e)
- [Proofpoint Emerging Threats Rules](https://rules.emergingthreats.net/open/)
- [February 9, 2021—KB4601345 (OS Build 17763.1757) - EXPIRED](https://support.microsoft.com/en-us/topic/february-9-2021-kb4601345-os-build-17763-1757-expired-c38b7b85-0d84-d979-1a29-e4ba97b82042)

## Author
[@tdevworks](https://github.com/tdevworks)

## Disclaimer

This repository is created for educational purposes only.

All tools, scripts, and techniques demonstrated are intended to help understand cybersecurity vulnerabilities in a controlled lab environment. Do not attempt to use any of the provided materials on systems or networks that you do not own or have explicit permission to test.

The author is not responsible for any misuse of the information provided.
File snapshot

[4.0K] /data/pocs/b6471ff2401fa2208bc48de72478c835eed35f96
└── [9.0K] README.md

0 directories, 1 file