Just finished watching the Youtube video on Mark's presentation. He has introduced 2 of the tools that he created for threat hunting.
Links:
The cve-2020-1472 vulnerability has been disclosed since Aug. This is an elevation of privilege vulnerability that exists when a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol.
This vulnerability is more to be known as Zerologon, and received a CVSS score of 10.0. Here're the summary of the vulnerability:
Al least last point seems like a good news where a vulnerable client or DC exposed to the internet is not exploitable by itself. (whew)
There are 2 things I would like to emphasis in this post.
First, the patch released in August isn't a full fix solution. The patch only helps to protect the vulnerable servers (domain controllers) from exploit/malware attack. This is like deploying an antivirus solution that block the WannaCry malware without patching the root problem.
The root of the problem is at the RPC with Netlogon protocol (MS-NRPC). And Microsoft will release second patch slated for Q1 in 2021 to address the bug.
The NetLogon component is an important functional component to perform authentication on the intra-domain network. It is important to be used for replicating the database backup, and maintaining domain members and domains relationship with domain DC (or cross-domain DC). The worst case for this attack is, the DC can be takenover by unauthenticated attacker.
Second, this vulnerability is targeting mainly on domain controllers (DC), including Samba server. However, the default installation running Samba (as a file server) are not directly impacted.
To Samba, this vulnerability is more of a mis-configuration than bug. Samba has been insisting on a secure netlogon channel since version 4.8 (Mar 2018). This is sufficient fix against the zerologon attack. [Unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto', those Samba server is not vulnerable]
Samba versions 4.7 and below are impacted by the vulnerability unless they have ‘server schannel = yes’ in the smb.conf. “The ‘server schannel = yes’ smb.conf line is equivalent to ‘FullSecureChannelProtection=1’ registry key in Microsoft OS, the introduction of which we understand forms the core of Microsoft’s fix. ”
Link:
The development of encrypted DNS, specifically DNS-over-HTTPS (DoH), has attracted a relatively large amount of interest to a previously quiet corner of the Internet protocol world.
Here're a list of DoH client of choices:
Links:
Earlier, I created a python script that allow me to check the number of vulnerable host based on CVE.
Today I just released second version of the script that show both the vulnerable host and vulnerabilities from Kenna, based on CVE.
If you specify the verbose output option, it will show both active and
inactive count for Closed, Open, Risk_Accepted, and False_Positive
category.
 |
| kenna-cve-win.exe -h |
I also released a Win32 version that allow me to run on my Windows platform (uploaded to GitHub).
Try this and see:
c:\> kenna-cve-win.exe -v -c 2020-1337