🧙♀️Abusing ZeroLogon
CVE-2020-1472
Github: https://github.com/dirkjanm/CVE-2020-1472
Zerologon is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers. Zerologon makes it possible for an attacker to impersonate any computer, including the root domain controller.
Methodology:
I took the pictures from this GitHub:
Since Zerologon is a very dangerous exploit that can cause damage to a DC, it's best to just run the check script and notify your client:
But if we ever need to try this attack, here are the steps →
If the target is vulnerable, we just need to run the following command:
This sets the password to null, enabling us to dump anything on the DC:
Then we could technically do anything we want on the DC like getting a shell:
We quickly need to restore the domain credentials after performing this attack.
To restore the password and the overall "integrity" of the domain, these are the steps:
Now we need to look for this variable in the output, the plain_password_hex:
To restore the previous, stable state, we can run the integrated script that zerologon provides. It first authenticates to the same DC with the empty password and then sets the password back to the original one:
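A defender-side counterpart to the steps above, added here and not part of the original notes or the linked GitHub project: a small Python check over constructed Windows Security events that flags the trace the password reset leaves (a 4742 computer-account change whose subject is ANONYMOUS LOGON, S-1-5-7) together with the Netlogon events 5827 to 5831 that patched DCs log for vulnerable secure-channel connections. The event field names are a simplified, assumed shape, not the raw event XML.

```python
"""Flag the traces of an unauthenticated Netlogon machine-account reset in Security events."""

ANONYMOUS_LOGON_SID = "S-1-5-7"
# Netlogon telemetry on patched DCs: 5827/5828 = vulnerable connection denied,
# 5829/5830/5831 = vulnerable connection allowed (by policy or enforcement phase).
NETLOGON_DENIED_IDS = {5827, 5828}
NETLOGON_ALLOWED_IDS = {5829, 5830, 5831}

# Constructed sample events with simplified field names (assumption: a log parser
# has already reduced each event to these keys).
SAMPLE_EVENTS = [
    {"id": 4624, "subject_sid": "S-1-5-21-1-2-3-1001", "subject_name": "alice",
     "target": "alice", "computer": "DC01"},
    # A computer account changed by ANONYMOUS LOGON is the trace the reset leaves.
    {"id": 4742, "subject_sid": ANONYMOUS_LOGON_SID, "subject_name": "ANONYMOUS LOGON",
     "target": "DC01$", "computer": "DC01"},
    {"id": 5829, "subject_sid": "", "subject_name": "", "target": "WS07$", "computer": "DC01"},
    {"id": 5827, "subject_sid": "", "subject_name": "", "target": "WS09$", "computer": "DC01"},
    # A routine, authenticated computer-account change: must not alert.
    {"id": 4742, "subject_sid": "S-1-5-21-1-2-3-500", "subject_name": "Administrator",
     "target": "WS07$", "computer": "DC01"},
]


def classify(event):
    """Return (severity, reason, account) for a suspicious event, else None."""
    eid = event["id"]
    target = event["target"]
    # Machine accounts end in '$'; an anonymous subject changing one is never legitimate.
    if eid == 4742 and event["subject_sid"] == ANONYMOUS_LOGON_SID and target.endswith("$"):
        return ("critical", "machine account changed by ANONYMOUS LOGON", target)
    if eid in NETLOGON_ALLOWED_IDS:
        return ("high", "vulnerable Netlogon secure channel allowed", target)
    if eid in NETLOGON_DENIED_IDS:
        return ("medium", "vulnerable Netlogon secure channel denied", target)
    return None


def find_indicators(events):
    """Run classify() over a sequence of events and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for severity, reason, account in find_indicators(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {account}")
```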