Zerologon

Zerologon (CVE-2020-1472) should only be exploited if you are aware of the consequences. Exploitation changes the domain controller's machine account password and will break domain replication if the password is not restored to its original value.
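
The machine password change described above is visible to defenders as Security event 4742 on the domain controller. The following is an added detection example, not part of the original page or of any tool it lists; the JSON-lines export format, the sample records and the account name `DC01$` are constructed assumptions.

```python
import json

# Constructed sample: Security-log events exported as JSON lines (assumed flat
# export; field names follow event 4742, "A computer account was changed").
SAMPLE_EVENTS = """\
{"EventID": 4742, "TimeCreated": "2020-09-20T10:01:12Z", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "9/20/2020 10:01:12 AM"}
{"EventID": 4742, "TimeCreated": "2020-09-20T10:05:40Z", "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "PasswordLastSet": "9/20/2020 10:05:40 AM"}
{"EventID": 4742, "TimeCreated": "2020-09-20T10:07:03Z", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "-"}
{"EventID": 4742, "TimeCreated": "2020-09-20T10:09:55Z", "SubjectUserName": "helpdesk", "TargetUserName": "WS042$", "PasswordLastSet": "9/20/2020 10:09:55 AM"}
{"EventID": 4624, "TimeCreated": "2020-09-20T10:10:00Z", "SubjectUserName": "-", "TargetUserName": "alice"}
"""


def find_dc_password_resets(lines, dc_accounts):
    """Return 4742 events where ANONYMOUS LOGON set a DC machine account password."""
    dcs = {name.upper() for name in dc_accounts}
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if ev.get("EventID") != 4742:
            continue
        # The change must be attributed to the anonymous logon identity.
        if str(ev.get("SubjectUserName", "")).upper() != "ANONYMOUS LOGON":
            continue
        # Only machine accounts of known domain controllers are in scope.
        if str(ev.get("TargetUserName", "")).upper() not in dcs:
            continue
        # "-" means the password attribute was not touched by this change.
        if ev.get("PasswordLastSet", "-") == "-":
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_dc_password_resets(SAMPLE_EVENTS.splitlines(), ["DC01$"]):
        print(ev["TimeCreated"], ev["TargetUserName"], "password set by", ev["SubjectUserName"])
```
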

Checking for Zerologon

# Checking exploitability with CrackMapExec
crackmapexec smb $ip -u $username -p $password -M zerologon

# Checking exploitability with Metasploit
use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
set rhosts $ip
check

# Checking exploitability with the Secura test script (https://github.com/SecuraBV/CVE-2020-1472)
./zerologon_tester.py $dcnetbiosname $ip

Exploiting Zerologon

References
