Zerologon: From Zero to Hero – Part 2

How Does it Work?

In Part 1 of this blog series (What is Zerologon?), we discussed how Zerologon exploits a vulnerability in NetLogon that allows a malicious actor on your network to take over a Domain Controller (DC), and eventually your entire domain. Now let’s dive into the specifics of how Zerologon works.

Using Mimikatz to Execute the Zerologon Exploit

For starters, you can easily identify if a target domain controller is vulnerable to the Zerologon exploit with Mimikatz by running:

lsadump::Zerologon /target:sbpmlab-dc3 /account:sbpmlab-dc3$ /null /ntlm

In the instance that it comes back as vulnerable, we can then run the same command, but add…

/exploit

…to actually exploit the vulnerability and change the Domain Controller’s password to an empty string.

As you can tell from the results after running the command, Mimikatz is claiming it set the password of the Domain Controller, which may mean that it is unstable, but also something that we can exploit. From here, an attacker can use Mimikatz to also run a DCSync attack and get the hash of a domain admin account or the KRBTGT account.

lsadump::dcsync /domain:sbpmlab.net /dc:sbpmlab-dc3 /user:krbtgt /authuser:sbpmlab-dc3$ /authdomain:sbpmlab /authpassword:”” /authntlm

It’s really that simple. With just a couple steps, you can see how easy it is to exploit this vulnerability (provided a malicious actor can get onto your network and find a Domain Controller that is unpatched).

The biggest takeaway from this quick proof of concept should be that you must urgently patch your Domain Controllers with the August 11^th security update, if you haven’t already.

Zerologon Detection and Mitigation Solution

Alright, so we went over the new patch and update plans from Microsoft in Part 1, as well as the attack itself here in Part 2. In my next blog, I spend a little time outlining how Stealthbits can help. Check it out!