In a Windows Active Directory environment, domain-joined computers need to regularly communicate with domain controllers to facilitate NTLM network authentication and a number of other tasks. This communication takes place via the Netlogon Remote Protocol. What is interesting about this protocol, is that it does not use Kerberos or NTLM for mutual authentication. Instead, a non-standard cryptographic protocol is used by both parties to prove knowledge of a computer password.
This protocol had a number of flaws: one is a downgrade vulnerability that allows a MitM attacker to achieve privileged remote code execution on the Netlogon client. A second, far more severe issue, allowed the impersonation of arbitrary computer accounts. By using a series of chosen-ciphertext attacks against an obscure block cipher mode of operation (that boil down to simply filling a number of fields to zeroes) an attacker could reset the computer password of the domain controller to an empty string, extract the account database with the DRS protocol, and gain domain admin access.
An attacker does not need any privileges to carry out an attack. All that's needed is some initial foothold on the network from which TCP connections to an unpatched DC can be established. Since its disclosure in September 2019, this "Zerologon" vulnerability has been exploited on a large scale and resulted in an emergency directive from the DHS to install patches.
In this talk, I will outline my research on Netlogon cryptography and show how I accidentally discovered a theoretical issue that turned out to be one of the most critical AD vulnerabilities of the year. I will explain the different exploit steps of the Zerologon attack, and clarify how exactly Microsoft's patch mitigates it.