search
Personal BlogTwitterGitHubContact

Zerologon

Zerologon (CVE-2020-1472) should only be exploited if you are aware of the consequences. Exploitation will result in the domain controller machine password being changed and will break domain replication if not restored to the original setting.

hashtag
Checking for Zerologon 

# Checking exploitability CrackMapExec
crackmapexec $ip smb -u $username -p $password -M zerologon

# Checking exploitability with Metasploit
use auxiliary/dmin/dcerpc/cve_2020_1472_zerologon
set rhosts $ip
check

# https://github.com/SecuraBV/CVE-2020-1472
./zerologon_tester.py $dcnetbiosname $ip

hashtag
Exploiting Zerologon

LogoGitHub - dirkjanm/CVE-2020-1472: PoC for Zerologon - all research credits go to Tom Tervoort of SecuraGitHubchevron-right

hashtag
References

LogoZerologon (CVE-2020-1472): Overview, Exploit Steps and PreventionCrowdStrike.comchevron-right
LogoHow to exploit Zerologon (CVE-2020-1472)Sprocket Securitychevron-right
PreviousShadow CredentialsNextDatabase Management System (DBMS)

Last updated