forked from p15670423/monkey
docs: Add warnings and password restoration instructions for Zerologon
parent 2f99631ed4
commit f094c3e9c1
@ -7,12 +7,6 @@ tags: ["exploit", "windows"]
The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).
This exploiter is unsafe.
* It will temporarily change the target domain controller's password.
* It may break the target domain controller's communication with other systems in the network, affecting functionality.
It is, therefore, **not** enabled by default.
### Description
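Review bot: the intro between the CVE link and "### Description" loses the "This exploiter is unsafe" bullets and the "not enabled by default" line entirely, so a reader who stops at the top of the page no longer learns that the exploiter is opt-in and disruptive; keep a one-line pointer there, e.g. `This exploiter is unsafe and is **not** enabled by default; see "A note on safety" below.`, and move only the detail into the new section as this change does.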
@ -20,6 +14,60 @@ An elevation of privilege vulnerability exists when an attacker establishes a vu
To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).
### A note on safety
This exploiter is not safe for production or other sensitive environments. It
is, therefore, **not** enabled by default.
During successful exploitation, the Zerologon exploiter:
* will temporarily change the target domain controller's password.
* may break the target domain controller's communication with other systems in the network, affecting functionality.
* may change the administrator's password.
* will *attempt* to revert all changes.
While the Zerologon exploiter is usually successful in reverting its changes
and restoring the original passwords, it sometimes fails. Restoring passwords
manually after the Zerologon exploiter has run is nontrivial. For information
on restoring the original passwords see the section on manually restoring your
passwords.
To minimize the risk posed by this exploiter, it is recommended that this
exploiter be run _only_ against VMs with a recent snapshot and _only_ in
testing or staging environments.
### Manually restoring your password
This exploiter attempts to restore the original passwords after exploitation.
It is usually successful, but it sometimes fails. If this exploiter has changed
a password but was unable to restore the original, you can try the following
methods to restore the original password.
#### Restore the VM from a recent snapshot
If the affected system is a virtual machine, the simplest way to restore it to
a working state is to revert to a recent snapshot.
#### Restore the administrator's password
If you are unable to log in as the administrator, you can follow the
instructions
[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html)
to regain access to the system.
#### Use Reset-ComputerMachinePassword
If you are able to login as the administrator, you can use the
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)
powershell command to restore the domain controller's password.
#### Try a zerologon password restoration tool
If all other approaches have failed, you can try the tools and steps found
[here](https://github.com/risksense/zerologon).
### Notes
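Review bot: the "#### Use Reset-ComputerMachinePassword" section says the cmdlet will "restore the domain controller's password", but Reset-ComputerMachinePassword sets a new machine-account password and re-establishes the secure channel; it does not bring back the original value, so the text should say "reset" rather than "restore" and not imply the pre-exploitation password comes back. It would also help to show the invocation rather than only link the cmdlet, e.g. `Reset-ComputerMachinePassword -Server <other-dc> -Credential (Get-Credential)`, both of which are documented parameters. Two smaller points in the same hunk: the "#### Restore the administrator's password" step sends users to a third-party password-reset site (top-password.com), which is an odd thing for project docs to endorse for a domain controller; a vendor-documented recovery path or a plain statement that offline password reset is required would be safer. And wording nits: "If you are able to login as the administrator" should read "log in" (the section above already uses "log in"), "powershell command" should be "PowerShell command", and "#### Try a zerologon password restoration tool" is missing the blank line before its paragraph that every other heading in this file has.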