skip to Main Content
06 12 090909 info@markict.nl

Hacking domain controller with zerologon vulnerability CVE-2020-1472

In this how to we are showing the exploitation of CVE-2020-1472 also name the zerologon vulnerability. Zerologon is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers. Zerologon makes it possible for a hacker to impersonate any computer, including the root domain controller.

Requirements:

Install a fresh new windows 2019 server and configure the DNS and Active directory.

Step 1:

In the first step you will perform your reconnaissance against the system. Try to find the machine name and domain name of the system.

In my example i use nmap to conduct the reconnaissance of the system with use of the nmap scripts options.

Nmap -sC -sV -p- -Pn 172.16.2.25

The nmap output shows the system name win2019dc and the domain name blaze.corp

Step 2:

In the second step we will use the CVE-2020-1472 exploit code of https://github.com/dirkjanm/CVE-2020-1472 with the system name and ip address as parameter. This exploit code will set the system account password for the host win2019dc to null (empty).

Step 3:

In the third step we use secretsdump.py of the impacket suite to dump the credentials. The -no-pass option is there due we have set the password to null in the previous step.

python3 ../impacket/examples/secretsdump.py -just-dc -no-pass win2019dc$\@172.16.2.25

Step 4:

With the results of step 3 you can use the administrator hash to dump the credentials again.

Step 5:

In this step we use wmiexec and the credentials of the administrator to get an shell on the server

Step 6:

Now we need to dump the SAM Security and SYSTEM in order to restore the original server credentials.

Step 7:

With lget we download the saves to our local system.

Step 8:

In this step we dump the credentials with use of secretsdump.py. What we are looking for is the plain_password of the $machine.acc

Step 9:

In the last step we use the restorepassword script and the machine name and -hexpass we found in the previous step to restore the system password.

Step 10

Shell time 😉

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top