Zerologon Active Directory Exploit Allows for Complete Domain Takeover

The information security firm Secura recently published a write-up of a very serious flaw in Windows Server and Active Directory that allows an attacker to take over a domain controller completely if they have access to any workstation in the domain. Microsoft patched the vulnerability in its August update, but the details had not been released until now. Proof-of-concept code has already been released publicly, which means that attackers will start leveraging this technique soon. This is particularly dangerous because threat actors often gain access to workstations through phishing, malware, or illicit access to Remote Desktop Protocol (RDP). The vulnerability is named Zerologon because it is exploited by sending a series of zeros appended to certain network traffic to the domain controller. Due to improper handling of the AES-CFB8 encryption cipher used with ComputeNetlogonCredential, the function used by computers to connect to the DC, there is a 1 in 256 chance that the initialization vector AND the shared key will both equal zero, allowing the attacker to bypass authentication. The attack is very quick: it can take less than 3 seconds to change the password of a domain controller computer account and take complete control of the domain.
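To show where the 1 in 256 figure comes from, here is an added Python example (not code from Secura's write-up or from the Binary Defense post): a generic CFB8 implementation run with an all-zero IV and an all-zero 8-byte input, mirroring the flawed ComputeNetlogonCredential usage. It uses a SHA-256-based stand-in block function instead of AES so it runs without a crypto library; the zero-propagation property depends only on the CFB8 structure, not on the block cipher, and the `random_iv_credential` contrast is ordinary CFB8 practice, not a description of Microsoft's patch.

```python
import hashlib
import os

BLOCK = 16  # AES block size in bytes


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 16-byte block cipher (NOT AES): SHA-256(key || block), truncated.
    The argument below depends only on CFB8 mode, so any block function will do."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: each ciphertext byte = plaintext byte XOR first byte of E(register);
    the register then drops its oldest byte and appends that ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ stand_in_block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def netlogon_style_credential(key: bytes) -> bytes:
    """Models the flawed usage: a fixed all-zero IV and an all-zero 8-byte challenge."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(8))


def zero_credential_explained(key: bytes):
    """Returns (first keystream byte is zero, whole credential is zero).
    With a zero IV and zero plaintext, a zero first keystream byte gives a zero
    ciphertext byte, the register stays all-zero, and every later byte is zero too.
    So the full 8-byte credential is zero with probability 1/256, not 2**-64."""
    first_keystream_byte = stand_in_block_encrypt(key, bytes(BLOCK))[0]
    return first_keystream_byte == 0, netlogon_style_credential(key) == bytes(8)


def find_zero_credential_key(max_tries: int = 20000):
    """Deterministically scans keys 0, 1, 2, ... until one yields an all-zero
    credential; at 1/256 per key this succeeds well within max_tries."""
    for i in range(max_tries):
        key = i.to_bytes(BLOCK, "big")
        if netlogon_style_credential(key) == bytes(8):
            return key
    return None


def random_iv_credential(key: bytes) -> bytes:
    """Contrast: a fresh random IV stops the all-zero register from repeating."""
    return cfb8_encrypt(key, os.urandom(BLOCK), bytes(8))
```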

Analyst Notes

As Microsoft issued a patch for this vulnerability back in August, it is imperative that the patch is applied to all affected servers. This vulnerability is trivial to exploit and can have incredibly dangerous results with regard to lateral movement. Binary Defense recommends patching this vulnerability as soon as possible.