Skill: exploiting-zerologon-vulnerability-cve-2020-1472

Audit result: Fail

Audited by Snyk on Mar 15, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes, and instructs the use of, plaintext or hashed credentials embedded directly in command-line examples (e.g., an explicit NTLM hash passed with -hashes and a placeholder for <original_hex_password>), which requires the agent to handle and output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content contains explicit, actionable exploitation instructions (exploit commands, DCSync/secretsdump usage, pass-the-hash, Golden Ticket guidance) that enable credential theft, privilege escalation and full domain compromise: clear malicious/abuse intent.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged the NTLM hashes shown in the secretsdump output and reused in the psexec/wmiexec examples as real, high-entropy credentials. These 32-hex-character NTLM hashes (e.g., 32ed87bdb5fdc5e9cba88547376818d4, f3bc61e97fb14d18c42bcbf6c3a9055f, e4cba78b4c01d6e5c0e31ffff18e46ab) are directly usable for pass-the-hash authentication and therefore qualify as secrets.

Notes on ignored/benign items:

  • The repeated aad3b435b51404eeaad3b435b51404ee value is the known LM-hash placeholder and is not a secret.
  • Placeholders like <original_hex_password>, environment names (DC01, corp.local), example commands, and simple/obvious example strings are documentation artifacts and were ignored per the rules.
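The rule behind the W008 finding and the two notes above (a 32-hex NT hash found in secretsdump output or in a -hashes argument counts as a secret, while the empty-LM constant and angle-bracket placeholders do not), written out as an added example. This is illustration code, not part of the Snyk report or of the audited skill. The sample text is constructed: the hash values and the corp.local/DC01 names are the ones the report lists, while the account names, RIDs and the "example-tool" command are made up here. The empty-NT constant 31d6cfe0d16ae931b73c59d7e0c089c0 (NT hash of an empty password) is my addition as a second known non-secret a detector should skip.

```python
import re

# Known non-secret constants (general facts, not taken from the audited page).
# LM hash of the empty string: secretsdump emits it when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password (added here): counting it as a credential
# would be a false positive.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = r"[0-9a-fA-F]{32}"
TOKEN = rf"(?:{HEX32}|<[^>\s]+>)"  # a hash, or an angle-bracket placeholder

# secretsdump.py dump line: domain\user:rid:lmhash:nthash:::
SECRETSDUMP_LINE = re.compile(
    rf"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>{HEX32}):(?P<nt>{HEX32}):::", re.M)
# impacket-style "-hashes LMHASH:NTHASH" argument; the LM part may be empty
HASHES_ARG = re.compile(rf"-hashes\s+(?P<lm>{TOKEN})?:(?P<nt>{TOKEN})")
PLACEHOLDER = re.compile(r"^<[^>\s]+>$")


def classify_hash(token):
    """Classify one hash-position token: 'secret', 'empty-lm', 'empty-nt' or 'placeholder'."""
    if token is None:
        return None
    if PLACEHOLDER.match(token):
        return "placeholder"
    low = token.lower()
    if low == EMPTY_LM:
        return "empty-lm"
    if low == EMPTY_NT:
        return "empty-nt"
    return "secret"


def find_hash_secrets(text):
    """Scan skill text for NTLM hashes in dump lines and -hashes arguments.

    Returns sorted lists: 'secrets' (directly usable for pass-the-hash),
    'ignored' (known empty-password constants) and 'placeholders'
    (documentation tokens such as <original_hex_password>).
    """
    found = {"secrets": set(), "ignored": set(), "placeholders": set()}

    def record(token):
        kind = classify_hash(token)
        if kind == "secret":
            found["secrets"].add(token.lower())
        elif kind == "placeholder":
            found["placeholders"].add(token)
        elif kind is not None:
            found["ignored"].add(token.lower())

    for m in SECRETSDUMP_LINE.finditer(text):
        record(m.group("lm"))
        record(m.group("nt"))
    for m in HASHES_ARG.finditer(text):
        record(m.group("lm"))
        record(m.group("nt"))
    return {k: sorted(v) for k, v in found.items()}


# Constructed sample skill text. Hash values and the corp.local/DC01 names are
# those the audit report lists; account names, RIDs and "example-tool" are made up.
SAMPLE = r"""
corp.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
corp.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
corp.local\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::
psexec.py corp.local/Administrator@DC01 -hashes aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
example-tool -hashes :<original_hex_password>
"""

if __name__ == "__main__":
    for kind, values in find_hash_secrets(SAMPLE).items():
        print(f"{kind}: {values}")
```

The hash reused on the psexec line is deduplicated against the dump line it came from, which matches how the report counts the secretsdump values and their psexec/wmiexec reuse as one set of credentials. Adding a second known constant (the empty NT hash) is the kind of allow-list entry worth keeping next to the LM placeholder so that a machine or guest account with no password is not reported as a leaked secret.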

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 15, 2026, 10:51 PM
Issues: 3