kamiran.asia, Posted October 26, 2020

Hi Dears. We found something in File Security v7 / 7.2. If an attacker is blocked by the IDS (for example, a Zerologon attack), the IP will not be blocked for 1 hour! Is this a bug or a problem in 2008 R2? Best regards.
Marcos (Administrator), Posted October 26, 2020

Not sure if I understand. According to the screenshot, the IP address 192.168.235.1 was blocked. However, the second screenshot where you ran ping seems unrelated because you pinged 192.168.235.132. If you tried to ping this machine from 192.168.235.1, you should get no response to ping.
kamiran.asia (Author), Posted October 26, 2020

25 minutes ago, Marcos said:
Not sure if I understand. According to the screenshot, the IP address 192.168.235.1 was blocked. However, the second screenshot where you ran ping seems unrelated because you pinged 192.168.235.132. If you tried to ping this machine from 192.168.235.1, you should get no response to ping.

192.168.235.1 is the attacker and the CMD window is from the attacker PC. The attacker PC is my PC and the server is a VM. These two windows are mixed in one screen. 😊
kamiran.asia (Author), Posted October 26, 2020

Full screenshot ...
Attacker PC: 192.168.235.1
Server: 192.168.235.132

Edited October 26, 2020 by kamiran.asia
itman, Posted October 26, 2020

About CVE-2020-1472:

Quote:
CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability
Security Vulnerability
Published: 08/11/2020 | Last Updated: 09/28/2020
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).

When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

My best guess is that the Eset IDS is not currently capable of blocking the attacker IP address for this type of attack. It appears most of those are set up for SMB-related vulnerabilities. So it instead blocked access to the targeted IP address.

Edited October 26, 2020 by itman
kamiran.asia (Author), Posted October 26, 2020

2 minutes ago, itman said:
About CVE-2020-1472: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
My best guess is that the Eset IDS is not currently capable of blocking the attacker IP address for this type of attack. It appears most of those are set up for SMB-related vulnerabilities. So it instead blocked access to the targeted IP address.

Dear itman, this problem is only on 2008 R2. On 2012, 2016 and 2019, the ESET IDS detects CVE-2020-1472 and the attacker IP is blocked! Meanwhile other security vendors like Kaspersky, Bitdefender and McAfee (as we tested) did not detect this attack. We use the picuslabs tool for this attack test: https://github.com/picussecurity/picuslabs/tree/master/CVE-2020-1472 (Zerologon). We also tested other CVE-2020-1472 scripts and the result was the same as with the picuslabs tool. The question is: why on 2008 R2 is the attack blocked but the attacker IP not blocked, even when it is listed in the IDS blacklist IP list?
itman, Posted October 26, 2020

6 minutes ago, kamiran.asia said:
This problem is only on 2008 R2.

Did you verify that Network Protection is enabled?
kamiran.asia (Author), Posted October 26, 2020

3 minutes ago, itman said:
Did you verify that Network Protection is enabled?

Yes Dear, as you can see in the picture we have the Network section, the attack is detected and the attacker IP is listed in the blacklist of the IDS.
itman, Posted October 26, 2020

39 minutes ago, kamiran.asia said:
On 2012, 2016 and 2019, the ESET IDS detects CVE-2020-1472 and the attacker IP is blocked!

I assume what you mean here is that your pinging activity from the source client device was blocked to all servers other than the 2008 R2 one? Did you try to connect to the 2008 R2 server other than by using ping?

Edited October 26, 2020 by itman
kamiran.asia (Author), Posted October 26, 2020

10 minutes ago, itman said:
I assume what you mean here is that your pinging activity from the source client device was blocked to all servers other than the 2008 R2 one? Did you try to connect to the 2008 R2 server other than by using ping?

No Dear, the problem is why the IDS on 2008 R2 did not block communication from the attacker IP. The attack is blocked, but communication from the attacker IP is not blocked for 1 hour. So the hacker can attack over and over again. As you know, when the IDS blocks an IP address, all communication is blocked for 1 hour (ping, ...). It seems that it is a bug, or maybe a lack of security on 2008 R2.
itman, Posted October 27, 2020

I am assuming that you have not purchased an ESU for the 2008 R2 server? Is this why it has not been patched? Personally, I wouldn't rely 100% on Eset IDS protection for this vulnerability. You might want to check this out: https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html
kamiran.asia (Author), Posted October 27, 2020

6 hours ago, itman said:
I am assuming that you have not purchased an ESU for the 2008 R2 server? Is this why it has not been patched? Personally, I wouldn't rely 100% on Eset IDS protection for this vulnerability. You might want to check this out: https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html

As per our test in our company, the ESET IDS can block Zerologon with this detection and block the attacker IP for 1 hour: