forked from p15670423/monkey
docs: Add warnings and password restoration instructions for Zerologon
parent
2f99631ed4
commit
f094c3e9c1
docs/content/reference/exploiters
|
@ -7,12 +7,6 @@ tags: ["exploit", "windows"]
|
||||||
|
|
||||||
The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
|
The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
|
||||||
|
|
||||||
This exploiter is unsafe.
|
|
||||||
* It will temporarily change the target domain controller's password.
|
|
||||||
* It may break the target domain controller's communication with other systems in the network, affecting functionality.
|
|
||||||
|
|
||||||
It is, therefore, **not** enabled by default.
|
|
||||||
|
|
||||||
|
|
||||||
### Description
|
### Description
|
||||||
|
|
||||||
|
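Review bot: removing the warning from the page header (the deleted lines `This exploiter is unsafe.` through `It is, therefore, **not** enabled by default.`) means a reader now reaches the CVE description before learning that the exploiter changes the domain controller's password; keep a one-line pointer at the top, for example `This exploiter is unsafe and is **not** enabled by default; see "A note on safety" below.`, so the warning stays visible before the description rather than only in the later section.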
@ -20,6 +14,60 @@ An elevation of privilege vulnerability exists when an attacker establishes a vu
|
||||||
|
|
||||||
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
|
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
|
||||||
|
|
||||||
|
### A note on safety
|
||||||
|
|
||||||
|
This exploiter is not safe for production or other sensitive environments. It
|
||||||
|
is, therefore, **not** enabled by default.
|
||||||
|
|
||||||
|
During successful exploitation, the Zerologon exploiter:
|
||||||
|
|
||||||
|
* will temporarily change the target domain controller's password.
|
||||||
|
* may break the target domain controller's communication with other systems in the network, affecting functionality.
|
||||||
|
* may change the administrator's password.
|
||||||
|
* will *attempt* to revert all changes.
|
||||||
|
|
||||||
|
While the Zerologon exploiter is usually successful in reverting its changes
|
||||||
|
and restoring the original passwords, it sometimes fails. Restoring passwords
|
||||||
|
manually after the Zerologon exploiter has run is nontrivial. For information
|
||||||
|
on restoring the original passwords see the section on manually restoring your
|
||||||
|
passwords.
|
||||||
|
|
||||||
|
To minimize the risk posed by this exploiter, it is recommended that this
|
||||||
|
exploiter be run _only_ against VMs with a recent snapshot and _only_ in
|
||||||
|
testing or staging environments.
|
||||||
|
|
||||||
|
|
||||||
|
### Manually restoring your password
|
||||||
|
|
||||||
|
This exploiter attempts to restore the original passwords after exploitation.
|
||||||
|
It is usually successful, but it sometimes fails. If this exploiter has changed
|
||||||
|
a password but was unable to restore the original, you can try the following
|
||||||
|
methods to restore the original password.
|
||||||
|
|
||||||
|
#### Restore the VM from a recent snapshot
|
||||||
|
|
||||||
|
If the affected system is a virtual machine, the simplest way to restore it to
|
||||||
|
a working state is to revert to a recent snapshot.
|
||||||
|
|
||||||
|
#### Restore the administrator's password
|
||||||
|
|
||||||
|
If you are unable to log in as the administrator, you can follow the
|
||||||
|
instructions
|
||||||
|
[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html)
|
||||||
|
to regain access to the system.
|
||||||
|
|
||||||
|
#### Use Reset-ComputerMachinePassword
|
||||||
|
|
||||||
|
If you are able to login as the administrator, you can use the
|
||||||
|
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)
|
||||||
|
powershell command to restore the domain controller's password.
|
||||||
|
|
||||||
|
|
||||||
|
#### Try a zerologon password restoration tool
|
||||||
|
If all other approaches have failed, you can try the tools and steps found
|
||||||
|
[here](https://github.com/risksense/zerologon).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Notes
|
### Notes
|
||||||
|
|
||||||
|
|
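Review bot: the `Use Reset-ComputerMachinePassword` subsection should say that the cmdlet resets the machine account password of the computer it is run on, so the reader knows it has to be run on the affected domain controller itself rather than from an arbitrary admin workstation; in the same sentence, `login` should be `log in` and `powershell command` should be `PowerShell cmdlet`. Two consistency nits in the added text: the heading `#### Try a zerologon password restoration tool` should spell `Zerologon` as the rest of the page does, and the cross-reference `see the section on manually restoring your passwords` should match the actual heading `### Manually restoring your password`.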