The ZeroLogon vulnerability allows an unauthenticated attacker to set DC machine account password to null so that he can dump all hashes (including krbtgt).
Avoid using it in actual engagement!
If the password is not restored later, the entire AD infrastructure will malfunction, so do not exploit in an actual engagement (use the checker script instead).
See implementation.
Use the included checker script to confirm vulnerability.
To exploit, run the exploit script with DC name and IP. The exploit is successful if secretsdump.py against the DC machine account authenticates successfully with an empty password (e.g. secretsdump.py -just-dc 'DOMAIN/DC$'@10.10.10.2
). This will dump all password hashes among other things.
To restore the DC password, copy the administrator hash from the earlier dump, and use secretsdump.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:ADMIN_NTLM_HASH
. Find the line with plain_password_hex
of the DC machine account and save it. Pass it as the -hexpass
argument with the restore script in the repo.