In this how-to we show the exploitation of CVE-2020-1472, also known as the Zerologon vulnerability. Zerologon is a vulnerability in the cryptography of Microsoft's Netlogon process that allows an attack against Microsoft Active Directory domain controllers. Zerologon makes it possible for an attacker to impersonate any computer, including the root domain controller.
Install a fresh new Windows Server 2019 and configure DNS and Active Directory.
In the first step you perform reconnaissance against the system. Try to find the machine name and the domain name of the system.
In my example I use nmap to conduct the reconnaissance of the system, using the nmap script options.
nmap -sC -sV -p- -Pn 172.16.2.25
The nmap output shows the system name win2019dc and the domain name blaze.corp.
In the second step we use the CVE-2020-1472 exploit code from https://github.com/dirkjanm/CVE-2020-1472 with the system name and IP address as parameters. This exploit code sets the machine account password for the host win2019dc to null (empty).
In the third step we use secretsdump.py from the impacket suite to dump the credentials. The -no-pass option is there because we set the password to null in the previous step. The target is quoted so the shell does not try to expand the $ in the machine account name.
python3 ../impacket/examples/secretsdump.py -just-dc -no-pass 'win2019dc$@172.16.2.25'
With the results of step 3 you can use the administrator hash to dump the credentials again.
In this step we use wmiexec and the credentials of the administrator to get a shell on the server.
Now we need to dump the SAM, SECURITY and SYSTEM registry hives in order to restore the original server credentials.
With lget we download the saved hives to our local system.
In this step we dump the credentials from the saved hives with secretsdump.py. What we are looking for is the plain_password of the $machine.acc.
In the last step we use the restorepassword script with the machine name and the -hexpass value we found in the previous step to restore the machine account password.
Shell time 😉
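A detection-side example added here, not code from the original post or from the exploit repository: the password reset in step two shows up in the domain controller's Security log as event 4742 (computer account changed) with ANONYMOUS LOGON as the subject, and domain controllers with the August 2020 Netlogon update additionally log 5827/5828/5829 for vulnerable Netlogon secure channels. The script scans constructed sample records, flattened into dicts with assumed field names, and flags both signatures.

```python
# Added example (not from the original post): flag the log signatures that the
# Zerologon machine-account password reset leaves on a domain controller.
# Assumptions: Security-log events were exported and flattened into dicts with
# the field names used below (5829's account name is mapped to TargetUserName);
# all sample records are constructed, not real telemetry.

# Event IDs Microsoft added with the August 2020 Netlogon hardening update.
NETLOGON_EVENTS = {
    5827: "vulnerable Netlogon secure channel DENIED (machine account)",
    5828: "vulnerable Netlogon secure channel DENIED (trust account)",
    5829: "vulnerable Netlogon secure channel ALLOWED (still exploitable)",
}

# Constructed samples: exploit-style reset, routine self-rotation,
# admin change without a password reset, vulnerable-channel event.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "TargetUserName": "WIN2019DC$", "TargetDomainName": "BLAZE", "PasswordLastSet": "9/14/2020 10:02:11 PM"},
    {"EventID": 4742, "SubjectUserName": "WIN2019DC$", "SubjectDomainName": "BLAZE",
     "TargetUserName": "WIN2019DC$", "TargetDomainName": "BLAZE", "PasswordLastSet": "9/1/2020 3:15:40 AM"},
    {"EventID": 4742, "SubjectUserName": "Administrator", "SubjectDomainName": "BLAZE",
     "TargetUserName": "WS01$", "TargetDomainName": "BLAZE", "PasswordLastSet": "-"},
    {"EventID": 5829, "SubjectUserName": "-", "SubjectDomainName": "-",
     "TargetUserName": "WS02$", "TargetDomainName": "BLAZE", "PasswordLastSet": "-"},
]


def is_anonymous_machine_password_reset(event):
    """4742 where ANONYMOUS LOGON changed a computer account's password.
    Normal rotations are done by the machine account itself, so an anonymous
    subject on a computer-account password change is the Zerologon tell."""
    return (event.get("EventID") == 4742
            and event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and event.get("TargetUserName", "").endswith("$")
            and event.get("PasswordLastSet", "-") != "-")


def find_zerologon_indicators(events):
    """Return (event_id, account, reason) tuples for every suspicious record."""
    hits = []
    for ev in events:
        if is_anonymous_machine_password_reset(ev):
            hits.append((4742, ev["TargetUserName"],
                         "computer-account password reset by ANONYMOUS LOGON"))
        elif ev.get("EventID") in NETLOGON_EVENTS:
            hits.append((ev["EventID"], ev["TargetUserName"], NETLOGON_EVENTS[ev["EventID"]]))
    return hits


if __name__ == "__main__":
    for event_id, account, reason in find_zerologon_indicators(SAMPLE_EVENTS):
        print(f"[{event_id}] {account}: {reason}")
```

Restoring the machine password as in the last step does not remove the 4742 record, so the anonymous reset remains visible to whoever reviews the domain controller's logs.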