# Zerologon

Zerologon (CVE-2020-1472) should only be exploited if you are aware of the consequences. Exploitation changes the domain controller's machine account password and will break domain replication unless the password is restored to its original value.

### Checking for Zerologon

```bash
# Checking exploitability with CrackMapExec
crackmapexec smb $ip -u $username -p $password -M zerologon

# Checking exploitability with Metasploit (commands entered in msfconsole)
use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
set rhosts $ip
check

# Checking exploitability with zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472
./zerologon_tester.py $dcnetbiosname $ip
```

### Exploiting Zerologon

{% embed url="<https://github.com/dirkjanm/CVE-2020-1472>" %}

### References

{% embed url="<https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/>" %}

{% embed url="<https://www.sprocketsecurity.com/resources/how-to-exploit-zerologon>" %}

