From f094c3e9c1eefd9074174794cd5233dcaf5c07d4 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Sat, 27 Feb 2021 19:38:26 -0500 Subject: [PATCH] docs: Add warnings and password restoration instructions for Zerologon --- .../content/reference/exploiters/Zerologon.md | 60 +++++++++++++++++-- 1 file changed, 54 insertions(+), 6 deletions(-) diff --git a/docs/content/reference/exploiters/Zerologon.md b/docs/content/reference/exploiters/Zerologon.md index 4a893142b..db8f3ed4a 100644 --- a/docs/content/reference/exploiters/Zerologon.md +++ b/docs/content/reference/exploiters/Zerologon.md @@ -7,12 +7,6 @@ tags: ["exploit", "windows"] The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472). -This exploiter is unsafe. -* It will temporarily change the target domain controller's password. -* It may break the target domain controller's communication with other systems in the network, affecting functionality. - -It is, therefore, **not** enabled by default. - ### Description 
@@ -20,6 +14,60 @@ An elevation of privilege vulnerability exists when an attacker establishes a vu To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472). +### A note on safety + +This exploiter is not safe for production or other sensitive environments. It +is, therefore, **not** enabled by default. + +During successful exploitation, the Zerologon exploiter: + +* will temporarily change the target domain controller's password. +* may break the target domain controller's communication with other systems in the network, affecting functionality. +* may change the administrator's password. +* will *attempt* to revert all changes. + +While the Zerologon exploiter is usually successful in reverting its changes +and restoring the original passwords, it sometimes fails. Restoring passwords +manually after the Zerologon exploiter has run is nontrivial. For information +on restoring the original passwords see the section on manually restoring your +passwords. + +To minimize the risk posed by this exploiter, it is recommended that this +exploiter be run _only_ against VMs with a recent snapshot and _only_ in +testing or staging environments. + + +### Manually restoring your password + +This exploiter attempts to restore the original passwords after exploitation. +It is usually successful, but it sometimes fails. If this exploiter has changed +a password but was unable to restore the original, you can try the following +methods to restore the original password. + +#### Restore the VM from a recent snapshot + +If the affected system is a virtual machine, the simplest way to restore it to +a working state is to revert to a recent snapshot. + +#### Restore the administrator's password + +If you are unable to log in as the administrator, you can follow the +instructions +[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html) +to regain access to the system. 
+ +#### Use Reset-ComputerMachinePassword + +If you are able to login as the administrator, you can use the +[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1) +powershell command to restore the domain controller's password. + + +#### Try a zerologon password restoration tool +If all other approaches have failed, you can try the tools and steps found +[here](https://github.com/risksense/zerologon). + + ### Notes
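Review bot: on the first hunk (`@@ -7,12 +7,6 @@`), removing the six warning lines leaves the page with no caution before the Description, and the replacement "A note on safety" section is placed after the Microsoft update link, so a reader following the Description straight into usage can miss it; suggest keeping a one-line pointer in place of the removed block, e.g. `This exploiter is **not** enabled by default. Read "A note on safety" below before using it.`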
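Review bot: on the second hunk (`@@ -20,6 +14,60 @@`), "see the section on manually restoring your passwords" should be a link to the heading, and the names should agree: the heading reads `### Manually restoring your password` (singular) while the sentence says "passwords"; suggest renaming the heading to the plural and writing `see [Manually restoring your passwords](#manually-restoring-your-passwords).` with a comma before "see". In the same hunk, the bullet "may change the administrator's password" does not say which administrator account is meant or when this happens, which readers need before running the exploiter; "you are able to login" should be "log in" and "powershell command" should be "PowerShell cmdlet" to match the first sentence of that subsection; the `#### Try a zerologon password restoration tool` heading is missing the blank line that follows every other heading and should capitalize "Zerologon" as elsewhere on the page; and the administrator password reset step links to a third-party site (top-password.com), which the doc should either label as third-party or replace with a Microsoft reference, consistent with the docs.microsoft.com link used for Reset-ComputerMachinePassword.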