https://az0th.it/tags/zerologon/ Recent content in Zerologon on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/kali/advanced-techniques/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/kali/advanced-techniques/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Requirement</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>WebDAV Coercion → LDAP relay</td> <td>ntlmrelayx + PetitPotam</td> <td>WebClient running on target</td> <td>RBCD, shadow creds, DA</td> </tr> <tr> <td>gMSA password read</td> <td>gMSADumper / nxc</td> <td>Authorized principal</td> <td>Lateral movement</td> </tr> <tr> <td>Zerologon</td> <td>cve-2020-1472</td> <td>Network access to DC (pre-patch)</td> <td>Instant DA</td> </tr> <tr> <td>noPac (CVE-2021-42278/42287)</td> <td>noPac.py</td> <td>Domain user</td> <td>DA via KDC spoofing</td> </tr> <tr> <td>LAPS read</td> <td>nxc / ldapsearch</td> <td>Read perm on ms-Mcs-AdmPwd</td> <td>Local admin on target</td> </tr> <tr> <td>LSASS dump (offline parse)</td> <td>pypykatz</td> <td>LSASS dump file</td> <td>Credential extraction</td> </tr> <tr> <td>KrbRelayUp pre-check</td> <td>nxc ldap</td> <td>Network access</td> <td>Identify LDAP signing state</td> </tr> </tbody> </table> <hr> <h2 id="webdav-coercion--bypass-smb-signing-for-ntlm-relay">WebDAV Coercion — Bypass SMB Signing for NTLM Relay</h2> <h3 id="why-webdav-coercion-works">Why WebDAV Coercion Works</h3> <p>Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled.</p>