forked from p34709852/monkey
75 lines
2.9 KiB
Markdown
75 lines
2.9 KiB
Markdown
---
|
|
title: "Zerologon"
|
|
date: 2021-01-31T19:46:12+05:30
|
|
draft: false
|
|
tags: ["exploit", "windows"]
|
|
---
|
|
|
|
The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
|
|
|
|
|
|
### Description
|
|
|
|
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
|
|
|
|
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
|
|
|
|
### A note on safety
|
|
|
|
This exploiter is not safe for production or other sensitive environments. It
|
|
is, therefore, **not** enabled by default.
|
|
|
|
During successful exploitation, the Zerologon exploiter:
|
|
|
|
* will temporarily change the target domain controller's password.
|
|
* may break the target domain controller's communication with other systems in the network, affecting functionality.
|
|
* may change the administrator's password.
|
|
* will *attempt* to revert all changes.
|
|
|
|
While the Zerologon exploiter is usually successful in reverting its changes
|
|
and restoring the original passwords, it sometimes fails. Restoring passwords
|
|
manually after the Zerologon exploiter has run is nontrivial. For information
|
|
on restoring the original passwords, see the section on manually restoring your
|
|
passwords.
|
|
|
|
To minimize the risk posed by this exploiter, it is recommended that this
|
|
exploiter be run _only_ against VMs with a recent snapshot and _only_ in
|
|
testing or staging environments.
|
|
|
|
|
|
### Manually restoring your password
|
|
|
|
This exploiter attempts to restore the original passwords after exploitation.
|
|
It is usually successful, but it sometimes fails. If this exploiter has changed
|
|
a password but was unable to restore the original, you can try the following
|
|
methods to restore the original password.
|
|
|
|
#### Restore the VM from a recent snapshot
|
|
|
|
If the affected system is a virtual machine, the simplest way to restore it to
|
|
a working state is to revert to a recent snapshot.
|
|
|
|
#### Restore the administrator's password
|
|
|
|
If you are unable to log in as the administrator, you can follow the
|
|
instructions
|
|
[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html)
|
|
to regain access to the system.
|
|
|
|
#### Use Reset-ComputerMachinePassword
|
|
|
|
If you are able to login as the administrator, you can use the
|
|
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)
|
|
powershell command to restore the domain controller's password.
|
|
|
|
|
|
#### Try a zerologon password restoration tool
|
|
If all other approaches fail, you can try the tools and steps found
|
|
[here](https://github.com/risksense/zerologon).
|
|
|
|
|
|
|
|
### Notes
|
|
|
|
* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).
|