Zero Logon to bypass authentication on the Domain Controller's Machine Account -> Run Secretsdump.py to dump credentials -> Crack/Pass Domain Admin Hashes -> ??? -> Profit

MS-NRPC Logon

Netlogon handshake between Client (domain-joined computer) and Server (domain-controller).
RPC traffic

sequenceDiagram
    participant Client
    participant Server
Client ->> Server: Client challenge
Server ->> Client: Server challenge, Session Key = KDF(secret, challenges)
Client ->> Server: Client credential, Encrypt(K_sess, client challenge)
Server ->> Client: Client credential, Encrypt(K_sess, client challenge)
Client ->> Server: Signed + sealed with session key: Procedure call with authenticator

Zero Logon attack. Zeroing parameters and retrying handshakes with an empty password on the domain controller.

sequenceDiagram
    participant Client
    participant Server
Client ->> Server: NetrServerReqChallenge (challenge=0000...00)
Server ->> Client: Server Challenge
Client ->> Server: NetrServerAuthenticate3 (identity=DC; credential=0000...00; sign/seal=0)
Server ->> Client: OK
Client ->> Server: NetrServerPasswordSet2 (target=DC; authenticator=0000...00; timestamp=0; enc.password=0000...00)

Client sends 16 Bytes of 0 as Nonce to domain-controller
Server receives NetServerReqChallenge and generates challenge (Nonce). Sends it to the client.
NetrServerAuthenticate3 method is generated as NetLogon credentials. Contains the following
1. Custom Binding Handle
2. Account Name
3. Secure Channel Type, nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
4. Computer Name, Domain Controller DC01
5. Client Credential String, 16 Bytes of \x00
6. Negotiation Flags, value observed from a Win10 client with Sign/Seal flags disabled: 0x212fffff Provided by Secura
NetrServerAuthenticate is received by server. Responds success if positive to the client.
If same values is calculated by the server, mutual agreement is confirmed by the client as well.

Zero Logon

MS-NRPC (Microsoft NetLogon Remote Protocol)

Kill Chain

MS-NRPC Logon

PoC