ZeroLogon
A full white paper on this vulnerability (CVE-2020-1472):
Exploitation
Running the script should result in the Domain Controller's machine account password being reset to an empty string.
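Why the script succeeds after a few hundred attempts, as an added example (this is not the page's script or any tool it runs): ZeroLogon is CVE-2020-1472, and the flaw is that Netlogon's ComputeNetlogonCredential encrypts the 8-byte client challenge with AES-CFB8 under the session key using a fixed all-zero IV. The block below implements CFB8 exactly as the mode works but replaces AES with a keyed SHA-256 stand-in (an assumption, so it runs on the Python standard library); the per-session keys are constructed, since the real attacker never learns them. The one-in-256 property shown depends only on CFB8 with a zero IV, not on the block cipher.

```python
"""
Added example (not the page's script): the credential forgery behind ZeroLogon,
CVE-2020-1472.  CFB8 is implemented faithfully; AES is replaced by an HMAC-SHA256
stand-in (assumption) so the script needs only the standard library.
"""
import hashlib
import hmac

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (constructed, NOT AES)."""
    assert len(block) == BLOCK_SIZE
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: ciphertext[i] = plaintext[i] XOR first byte of E(K, register); the
    register then drops its oldest byte and appends the new ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential, AES flavour: CFB8 with a fixed all-zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_accepted(session_key: bytes) -> bool:
    """Attacker sends ClientChallenge = 00*8 and ClientCredential = 00*8.
    With a zero IV and zero plaintext, ciphertext byte 0 is E(K, 0^16)[0]; if that
    byte is 0 the shift register stays all-zero, every later byte is 0 too, and the
    forged all-zero credential validates.  Probability per session key: 1/256."""
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def spoof(session_keys, max_attempts: int = 2000):
    """Simulate the attack loop.  Every attempt is a fresh NetrServerReqChallenge /
    NetrServerAuthenticate3 exchange, so the server derives a fresh session key the
    attacker never learns; the attacker just resends zeros until one is accepted.
    Returns the 1-based attempt number on success, or None if max_attempts run out."""
    for attempt, key in enumerate(session_keys, start=1):
        if attempt > max_attempts:
            return None
        if zero_credential_accepted(key):
            return attempt
    return None


def deterministic_keys(count: int, label: bytes = b"constructed-session-key"):
    """Stand-in for the unknown per-session keys (constructed, seeded so runs repeat)."""
    for i in range(count):
        yield hashlib.sha256(label + i.to_bytes(4, "big")).digest()[:16]


def acceptance_rate(trials: int) -> float:
    """Fraction of session keys for which the all-zero credential is accepted."""
    hits = sum(zero_credential_accepted(k) for k in deterministic_keys(trials))
    return hits / trials


if __name__ == "__main__":
    print("zero credential accepted at attempt", spoof(deterministic_keys(5000), 5000))
    print("acceptance rate over 20000 keys: %.4f (expect ~%.4f)"
          % (acceptance_rate(20000), 1 / 256))
```

The block shows only the credential forgery. The real exploit additionally negotiates the session with the signing and sealing flag cleared, so that the later NetrServerPasswordSet2 call (the one that sets the empty password) is accepted without a valid session key.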
Test whether the password was reset:
Metasploit Module
The auxiliary/gather/windows_secrets_dump module can be used to recover the original machine account password, which can then be restored with this module by using the RESTORE action and setting the PASSWORD value.
Verification Steps
Exploit the vulnerability to remove the machine account password by replacing it with an empty string:
Recover the original machine account password
Restore the original machine account password
NBNAME : The NetBIOS name of the target domain controller. You can use the auxiliary/scanner/netbios/nbname module to obtain this value. If this value is invalid the module will fail when making a Netlogon RPC request.
PASSWORD : The hex value of the original machine account password. This value is typically recovered from the target system's registry (such as by using the auxiliary/gather/windows_secrets_dump Metasploit module) after successfully setting the value to an empty string within Active Directory using this module and the default REMOVE action. This value is only used when running the module with the RESTORE action.
At this point the exploit/windows/smb/psexec module can be used to achieve code execution if desired. Set the SMBUser option to the machine account (the DC's NetBIOS name followed by $) and the SMBPass option to the empty password value.
Recover Password
Next, recover the original machine account password value using auxiliary/gather/windows_secrets_dump. Look for the plain_password_hex value in the $MACHINE.ACC section.
Finally, restore the original value using this module.
PSEXEC
The hash is from secretsdump output.
crackmapexec
The hash is from secretsdump output.