Hacking Tutorial, Windows Updates/Patches

Abusing CVE-2020-1472 (ZeroLogon)

Secura has a great blog post on this topic already, but I wanted to share my experience with actually playing with their proof-of-concept exploit code. You can read about this exploit on their blog at https://www.secura.com/blog/zero-logon.

The exploit abuses the Netlogon Remote Protocol in Windows, which among other things, can be used to update computer passwords.

This vulnerability, and patch, isn’t exactly new. Microsoft released a patch for it last month, but there are now some public POCs in the wild that anybody can get their hands on, making this much more dangerous to leave un-patched.

Installing Tools

First, we’re going to need a few things from GitHub. I like to download the tools in my /opt directory. You can run the following command to download the prerequisites.

sudo git clone https://github.com/dirkjanm/CVE-2020-1472.git

And then we need to download and install Impacket.

sudo git clone https://github.com/SecureAuthCorp/impacket.git

cd /opt/impacket

sudo pip3 install .

Performing the Exploit

The above mentioned POC exploit will reset the password of the domain controller account, so BE CAREFUL RUNNING IN PRODUCTION as it will break communication to other domain controllers in the domain.

To reset the password of the domain controller account and make it null, we can use the following command.

python3 cve-2020-1472-exploit.py <netBIOS-Hostname> <targetIP>

If you see that the exploit was successful, you should then be able to run a command like the following to dump all of the domain account hashes.

sudo secretsdump.py -just-dc <domain>/<hostname>\$@<targetIP>

Restoring the Environment

The proof-of-concept exploit code also includes a script for restoring the old credential post-exploitation. To do this, you can grab the hex encoded machine password from the secretsdump.py output and then use the following command.

sudo python restorepassword.py <domain>/<hostname>@<hostname> -target-ip <target-IP> -hexpass <hex-credential>

Patching the Exploit

A patch is available from Microsoft at the following URL. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

While the above mentioned article includes a table with a list of patches, I’d highly recommend checking the Windows Update Catalog for patches that might have superseded the articles mentioned in this table. For example, the September roll-ups contain this patch and are not listed in the table.

Running this exploit against a machine that has received the patch will return the following result.

Donations and Support:
Like my content? Please consider supporting me on Patreon:

Purchase a VPN Using my Affiliate Link

General Blog, General IT, Windows Updates/Patches

Patching CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability

As I’m sure you’ve heard, there were a handful of critical vulnerabilities announced in this week’s Patch Tuesday. Included in the list of vulnerabilities is a flaw within CryptoAPI that would allow an attacker to digitally sign malicious software updates as the legitimate creator of the software. While Microsoft lists this vulnerability with a severity level of Critical, an attacker would need to first insert themselves as a Man in The Middle to be able to intercept a device’s software update request and return back a digitally signed malicious executable.

Table of Contents
– Affected Operating Systems
– KB’s Needed to Patch Vulnerability

If you have the time, I’d highly recommend the below Webcast on this topic from the SANS Institute’s YouTube page. It goes above any beyond any level of detail I would be able to.

Affected Operating Systems

  • Windows 10
  • Windows Server 2016
  • Windows Server 2019

Note: Windows 7 and older are NOT vulnerable. The Windows Update Service itself is NOT vulnerable.

Patching CVE-2020-0601

Microsoft’s official documentation on this topic can be found at the below link. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

The exact patch that you need depends on the exact OS Build of Windows 10 you’re running. Below is a list of the related KBs and which Operating System they patch. This list is current as of this blog’s posted date.

I recommend searching for your Build of Windows 10 by using Ctrl+F and typing the version (I.E 1909, 1903, etc.)

Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4528760
Operating System(s)Windows Server, version 1903 (Server Core installation)
 Windows Server, version 1909 (Server Core installation)
 Windows 10 Version 1903 for 32-bit Systems
 Windows 10 Version 1903 for ARM64-based Systems
 Windows 10 Version 1903 for x64-based Systems
 Windows 10 Version 1909 for 32-bit Systems
 Windows 10 Version 1909 for ARM64-based Systems
 Windows 10 Version 1909 for x64-based Systems

Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534273
Operating System(s)Windows Server 2019
 Windows Server 2019 (Server Core installation)
 Windows 10 Version 1809 for 32-bit Systems
 Windows 10 Version 1809 for ARM64-based Systems
 Windows 10 Version 1809 for x64-based Systems

Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534293
Operating System(s)Windows Server 2016, version 1803 (Server Core Installation)
 Windows 10 Version 1803 for 32-bit Systems
 Windows 10 Version 1803 for ARM64-based Systems
 Windows 10 Version 1803 for x64-based Systems

Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534276
Operating System(s)Windows 10 Version 1709 for 32-bit Systems
 Windows 10 Version 1709 for ARM64-based Systems
 Windows 10 Version 1709 for x64-based Systems

Download Linkhttps://www.catalog.update.microsoft.com/Search.aspx?q=KB4534271
Affected O/SWindows Server 2016
 Windows Server 2016 (Server Core installation)
 Windows 10 Version 1607 for 32-bit Systems
 Windows 10 Version 1607 for x64-based Systems

General Blog, General IT, Windows Updates/Patches

How To Activate Windows 7 Extended Security Updates (ESU)

This post intends to serve as a guide on activating a purchase ESU license key on a Windows 7 box. I’m making the assumption that you have already gone through the procedure to purchase the Windows 7 ESU key and have access to it.

If you haven’t, you should be able to purchase one through a distributor (such as Ingram Micro) and link it to your Office 365 tenant as a subscription-item. If you are a partner and need details on procuring Windows 7 ESUs through the Partner Center, see Purchasing Windows 7 ESUs as a Cloud Solution Provider

Table of Contents
– Installation Prerequisites
– Manual Installation and Activation
– Automating via Batch Script
– Additional References

Installation Prerequisites

There are some updates that you’re going to need to ensure are installed on your system(s) first. The official Microsoft documentation links to older KB’s, but those have been replaced by newer ones. As of this post’s creation dates, here are the latest KB’s that you will need.

2019-03 Servicing Stack Update for Windows 7 for x86/x64-based Systems (KB4490628)

2019-08 Security Update for Windows 7 for x86/x64-based Systems (KB4474419)

2019-12 Servicing Stack Update for Windows 7 for x86-based Systems (KB4531786)

Once three above three are confirmed on your system, you should be able to install this final prerequisite.

2019-12 Security Monthly Quality Rollup for Windows 7 for x86-based Systems (KB4530734)

Installation and Activation

One the prerequisites are installed, you can follow these steps to activate Extended Security Updates (ESU) for machines that are connected to the internet.

1) First, locate and Copy the ESU Key to your clipboard.

2a) Open an Elevated Command Prompt window and run the following command.
slmgr /ipk <ESU KEY>

After a few moments, you should get a message confirming that the product key was installed.

2b) If you are unable to interact with the desktop GUI, you can leverage the cscript command to write the output to the console.
cscript "c:\windows\system32\slmgr.vbs" /ipk <ESU KEY>

3a) Now that the key is on the system, we need to locate its Activation ID so we can activate the key in a future step. Run the following command:
slmgr /dlv

3b) While the command above will present the Activation ID to us, it’s not easy to copy. Let’s run the command again, but leverage cscript so we can copy the Activation ID value from the console.
cscript "c:\windows\system32\slmgr.vbs" /dlv

4) With the Activation ID copied, let’s move forward with the activation.
slmgr /ato <ESU ACTIVATION ID>

5) Once you have activated the ESU product key, you can verify the status at any time by running the following command and referencing the License Status value.
slmgr /dlv

Automating the Process via Batch Script

The ESU license is activated — Great! Now how do we automate this process for the rest of our machines? Lets create a quick batch script that we can then push out via a RMM solution and/or GPO logon scripts.

Note: I am not a scripting expert, but I was able to piece the following together. Please reach out or leave comments below if you see necessary improvements. Make sure you pass a value for the %Key% variable, or replace the variable in your script with your actual key.

@echo off
cscript "c:\windows\system32\slmgr.vbs" /ipk %Key%
for /f "tokens=*" %%a in ('cscript C:\WINDOWS\system32\slmgr.vbs /dlv ^| findstr /b ^"Activation ID: ^"') do set actID=%%a
set actID=%actID:Activation ID: =%
cscript "c:\windows\system32\slmgr.vbs" /ato %actID%
cscript "c:\windows\system32\slmgr.vbs" /dlv

Troubleshooting Tip:
While the above script worked for me, the value that gets returned for %actID% may be incorrect for you if you have multiple products installed on your system, such as a previous ESU or OEM license. If you notice that your License Status still shows Unlicensed after running the script, the %actID% is likely populated with another product installed on your system.

EDIT: A user on Reddit sent in a tip that the ActivationIDs should remain the same across all machines for this year’s ESU. I haven’t verified if that’s the case or not, but that should resolve issues related to pulling down the incorrect %actID%. Updated batch script could be as follows in that case:

@echo off
cscript "c:\windows\system32\slmgr.vbs" /ipk %Key%
cscript "c:\windows\system32\slmgr.vbs" /ato %actID%
cscript "c:\windows\system32\slmgr.vbs" /dlv

Additional References

Check out Microsoft’s official documentation on this topic, including information on how to activate the ESU on machines without internet connectivity.


Stay Involved

Get new content delivered directly to your inbox.