In this how-to we show the exploitation of CVE-2020-1472, also known as the Zerologon vulnerability. Zerologon is a flaw in the cryptography of Microsoft’s Netlogon protocol that allows an attack against Microsoft Active Directory domain controllers. It makes it possible for an attacker to impersonate any computer in the domain, including the root domain controller.
Requirements:
Install a fresh Windows Server 2019 system and configure DNS and Active Directory on it.
Step 1:
In the first step you perform reconnaissance against the system: try to find its machine name and domain name.
In my example I use nmap, with its default script options, to conduct the reconnaissance of the system.
nmap -sC -sV -p- -Pn 172.16.2.25
The nmap output shows the system name win2019dc and the domain name blaze.corp.
Step 2:
In the second step we use the CVE-2020-1472 exploit code from https://github.com/dirkjanm/CVE-2020-1472 with the system name and IP address as parameters. This exploit code sets the machine (computer) account password of the host win2019dc to null (empty).
Step 3:
In the third step we use secretsdump.py from the impacket suite to dump the credentials. The -no-pass option is used because we set the password to null in the previous step; the target is quoted so the shell does not expand the $ in the machine account name.
python3 ../impacket/examples/secretsdump.py -just-dc -no-pass 'win2019dc$@172.16.2.25'
Step 4:
With the results of step 3 you can use the administrator hash to dump the credentials again.
Step 5:
In this step we use wmiexec.py with the administrator credentials to get a shell on the server.
Step 6:
Now we need to dump the SAM, SECURITY and SYSTEM registry hives in order to restore the original server credentials.
Step 7:
With the lget command of wmiexec we download the saved hives to our local system.
Step 8:
In this step we dump the credentials from the saved hives with secretsdump.py. What we are looking for is the plain_password_hex value of $MACHINE.ACC.
Step 9:
In the last step we use the restorepassword script with the machine name and the -hexpass value we found in the previous step to restore the machine account password.
Step 10:
Shell time 😉
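From the defender's side, the decisive action in this walkthrough is step 2: the domain controller's own computer account has its password changed through an anonymous Netlogon call. The following Python detector is an added example and not part of the original how-to or of any of the tools it references. It scans newline-delimited JSON event records for two real Windows indicators: Security Event ID 4742 ("A computer account was changed") where the subject is ANONYMOUS LOGON (SID S-1-5-7) and the target is a computer account (name ending in "$"), and System Event ID 5829, which a patched domain controller logs when it still allowed a vulnerable Netlogon secure-channel connection. The event records below are constructed for this example; the flat JSON layout with EventData field names (SubjectUserSid, TargetUserName, Provider) is an assumption about how your SIEM exports events, and the host and domain names are placeholders.

```python
"""Flag the Zerologon machine-account reset in Windows event exports.

Added example (not from the original how-to). Indicators checked:
  * Security 4742 with SubjectUserSid S-1-5-7 (ANONYMOUS LOGON) and a
    computer-account target. A healthy machine-password rotation is done by
    the computer account itself, never by an anonymous caller.
  * System 5829 from NETLOGON: a patched DC allowed a vulnerable Netlogon
    secure-channel connection (logged while enforcement mode is not yet on).
The JSON line layout below is an assumed SIEM export format.
"""
import json

ANONYMOUS_LOGON_SID = "S-1-5-7"
COMPUTER_ACCOUNT_CHANGED = 4742
NETLOGON_VULNERABLE_CONNECTION_ALLOWED = 5829

# Constructed sample events (placeholder names, SIDs and times; not real telemetry).
SAMPLE_EVENT_LINES = "\n".join([
    # Benign: a workstation rotates its own machine password.
    json.dumps({"EventID": 4742, "Channel": "Security",
                "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
                "SubjectUserName": "WORKSTATION01$",
                "TargetUserName": "WORKSTATION01$",
                "TargetDomainName": "EXAMPLE",
                "PasswordLastSet": "2021-01-02T10:00:00Z"}),
    # Suspicious: the DC's computer account was changed by ANONYMOUS LOGON.
    json.dumps({"EventID": 4742, "Channel": "Security",
                "SubjectUserSid": "S-1-5-7",
                "SubjectUserName": "ANONYMOUS LOGON",
                "TargetUserName": "DC01$",
                "TargetDomainName": "EXAMPLE",
                "PasswordLastSet": "2021-01-02T10:05:00Z"}),
    # Suspicious: Netlogon allowed a vulnerable secure-channel connection.
    json.dumps({"EventID": 5829, "Channel": "System", "Provider": "NETLOGON",
                "TargetUserName": "DC01$"}),
    # Unrelated logon event; must be ignored.
    json.dumps({"EventID": 4624, "Channel": "Security", "TargetUserName": "alice"}),
])


def parse_json_lines(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous_computer_account_change(event):
    """True for a 4742 whose subject is ANONYMOUS LOGON and whose target is a computer account."""
    return (event.get("EventID") == COMPUTER_ACCOUNT_CHANGED
            and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
            and str(event.get("TargetUserName", "")).endswith("$"))


def is_vulnerable_netlogon_connection(event):
    """True for a NETLOGON 5829 (vulnerable secure-channel connection allowed)."""
    return (event.get("EventID") == NETLOGON_VULNERABLE_CONNECTION_ALLOWED
            and str(event.get("Provider", "")).upper() == "NETLOGON")


def find_zerologon_indicators(events):
    """Return (event_id, account, reason) for every event matching an indicator."""
    hits = []
    for ev in events:
        if is_anonymous_computer_account_change(ev):
            hits.append((ev["EventID"], ev["TargetUserName"],
                         "computer account changed by ANONYMOUS LOGON "
                         "(possible Zerologon machine-password reset)"))
        elif is_vulnerable_netlogon_connection(ev):
            hits.append((ev["EventID"], ev.get("TargetUserName", "?"),
                         "vulnerable Netlogon secure channel allowed; "
                         "DC is not in enforcement mode"))
    return hits


if __name__ == "__main__":
    for event_id, account, reason in find_zerologon_indicators(
            parse_json_lines(SAMPLE_EVENT_LINES)):
        print(f"[{event_id}] {account}: {reason}")
```

A 4742 on a domain controller's own account from an anonymous subject has no legitimate cause and should page someone immediately; the restore in step 9 of the walkthrough is exactly what an attacker does to keep the DC from breaking replication, so a quick pair of 4742 events on the same DC account minutes apart is itself a strong signal. Any 5829 means the August 2020 Netlogon patch is installed but enforcement mode is not yet active, so the DC still accepts the vulnerable handshake.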