Zerologon (CVE-2020-1472) is a critical vulnerability in Active Directory. I'm dedicating a separate section to this because, if the exploit is run incorrectly, it can leave the entire domain controller, or admin access to it, compromised.
Important Note: DO NOT ATTEMPT THIS UNLESS IN A CONTROLLED, VIRTUAL ENVIRONMENT.
Ensure you are able to restore the system before proceeding.
Step-by-Step Process to Check for Zerologon Vulnerability
Check if the Domain is Vulnerable:
Use the following script to test if your domain is vulnerable to Zerologon:
python3 zerologon_tester.py <domain-name> <ip>
WARNING again: Only run this in a virtual environment or if you're certain you can restore the system (which is unlikely).
Execute the following command to initiate the attack:
Verify if the Attack Succeeded:
If successful, the domain will likely be compromised. To confirm this, use the SecretsDump tool to attempt to retrieve the domain controller's credentials:
Restore the Machine:
Once the attack is complete and credentials have been dumped, immediately restore the machine. To begin, you will need to capture the administrator hash.
Use the following command to dump the administrator hash:
Recover the Password:
After obtaining the administrator hash, use the Restore Password Script to reset the administrator password.
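On the defensive side, the exploit and the verification steps above leave traces in the domain controller's event logs. The following triage script is an added example, not part of this guide or of any of the tools named in it: it scans constructed JSON-lines event records (field names mirror the Windows event fields they stand in for) and flags the Zerologon signatures a practitioner would look for, namely Event ID 4742 with ANONYMOUS LOGON resetting a machine account password, and the Netlogon events 5827/5828/5829 introduced by the August 2020 patch.

```python
import json

# Constructed sample log records (JSON per line), not real captures; the field
# names stand in for the corresponding Windows Security/System event fields.
SAMPLE_LOG = """
{"EventID": 4742, "Channel": "Security", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-14 10:02:11"}
{"EventID": 4742, "Channel": "Security", "SubjectUserName": "DC01$", "SubjectDomainName": "CORP", "TargetUserName": "WS07$", "PasswordLastSet": "2020-09-14 10:05:40"}
{"EventID": 5827, "Channel": "System", "MachineSamAccountName": "DC01$", "ClientAddress": "10.0.0.55"}
{"EventID": 5829, "Channel": "System", "MachineSamAccountName": "LEGACY01$", "ClientAddress": "10.0.0.60"}
{"EventID": 4624, "Channel": "Security", "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}
"""

# Netlogon event IDs added by the Zerologon patch (Microsoft KB4557222).
NETLOGON_EVENTS = {
    5827: ("LOW", "vulnerable Netlogon secure channel denied (machine account)"),
    5828: ("LOW", "vulnerable Netlogon secure channel denied (trust account)"),
    5829: ("MEDIUM", "vulnerable Netlogon secure channel allowed (deployment mode)"),
}


def classify(event):
    """Return (severity, reason) for one event, or None if it is not Zerologon-relevant."""
    eid = event.get("EventID")
    if eid == 4742:
        # Zerologon resets a computer account's password over an anonymous Netlogon
        # session, so the 4742 shows ANONYMOUS LOGON as the subject, a machine
        # account (name ending in $) as the target, and Password Last Set changed.
        if (event.get("SubjectUserName") == "ANONYMOUS LOGON"
                and event.get("TargetUserName", "").endswith("$")
                and event.get("PasswordLastSet", "-") != "-"):
            return ("HIGH", f"machine account {event['TargetUserName']} password reset by ANONYMOUS LOGON")
        return None
    if eid in NETLOGON_EVENTS:
        severity, text = NETLOGON_EVENTS[eid]
        return (severity, f"{text}: {event.get('MachineSamAccountName')} from {event.get('ClientAddress')}")
    return None


def triage(log_text):
    """Parse JSON-lines log text and return the list of (severity, reason) findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if line:
            result = classify(json.loads(line))
            if result:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

A 4742 finding on a domain controller's own account is the strongest indicator; a 5829 tells you the DC is still in deployment mode and which client is using a vulnerable secure channel.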
Critical Reminder: DO NOT attempt these actions on live systems or without proper authorization. This guide is purely for educational and controlled testing purposes.