Exploiting CVE-2020-1472 Zerologon: Full Domain Compromise in 3 Commands

CVE-2020-1472 Zerologon: Full Domain Compromise in 3 Commands

The Zerologon vulnerability (CVE‑2020‑1472) is one of the most severe flaws discovered in Microsoft’s Netlogon protocol, impacting all versions of Windows Server from 2008 R2 through 2019. An unauthenticated attacker can impersonate any machine—including the Domain Controller—and obtain Domain Admin access in seconds, enabling full AD takeover.

The vulnerability stems from a weakness in how Netlogon authenticates client machines to domain controllers. Because of it, an unauthenticated attacker can impersonate any machine in the domain, including the Domain Controller, and gain Domain Admin access in a matter of seconds.

What makes Zerologon particularly dangerous is that it requires neither prior authentication nor user interaction. It can be exploited remotely by sending crafted packets to port 445 (SMB), which is commonly exposed on unpatched servers.

This attack is so severe that once it is exploited, it grants attackers full control over the domain, enabling them to reset passwords, modify accounts, and do anything with the Active Directory infrastructure.


2. Vulnerability Overview

CVE-2020-1472: Zerologon

The Netlogon Remote Protocol (MS-NRPC) facilitates authentication and communication between clients and Domain Controllers (DC) in a Windows domain. This vulnerability lies in the authentication process, specifically the AES-CFB8 encryption algorithm used by Netlogon.

When a machine joins the domain, it has to establish trust with the Domain Controller (DC) via a process known as Netlogon authentication. One of the core operations is the establishment of a secure channel. Unfortunately, the encryption scheme Netlogon uses for certain authentication messages in this handshake is weak. An attacker can exploit this weakness to bypass authentication entirely and impersonate any machine in the domain, including the Domain Controller.
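Why the CFB8 construction fails here, as an added example that is not from the original post: Netlogon computes its credential with AES-CFB8 under a fixed IV of sixteen zero bytes, and with an all-zero input the chaining collapses whenever the first byte of the cipher's output on the zero block is zero, which happens for about one key in 256. The block cipher below is a hashlib-based stand-in (an assumption so the code runs offline, not real AES); the register-chaining argument is identical for AES-128.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES-128


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (a keyed PRF built from SHA-256, NOT AES).
    Only the CFB8 chaining matters for the argument below."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: output byte = plaintext byte XOR first byte of E(register);
    the ciphertext byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ toy_block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Same shape as Netlogon's credential computation: CFB8 over an
    8-byte challenge with a fixed all-zero IV (the weak choice)."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def first_byte_is_zero(session_key: bytes) -> bool:
    """True when E_k(0^16) starts with 0x00. Then an all-zero challenge
    leaves the register all-zero at every step, so every output byte is 0."""
    return toy_block_encrypt(session_key, bytes(BLOCK))[0] == 0


def zero_credential_rate(n_keys: int) -> float:
    """Fraction of counter-derived keys (constructed, not random) for which
    an all-zero challenge yields an all-zero credential; expect about 1/256."""
    zero = 0
    for i in range(n_keys):
        key = i.to_bytes(BLOCK, "big")
        if compute_credential(key, bytes(8)) == bytes(8):
            zero += 1
    return zero / n_keys
```

A random IV, or a per-message nonce mixed into the register, breaks the collapse because the register is no longer all-zero at the first step.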


3. Lab Setup (Tools + Env)

Here’s how you can set up a test environment to simulate the Zerologon attack:

| Component | Description |
|---|---|
| OS | Windows Server 2019 (unpatched Domain Controller), Windows 10 (attacker machine) |
| Tools | Impacket, Zerologon PoC, Mimikatz, Metasploit, BloodHound |
| Attacker account | A low-privileged user (needs no special permissions beyond network access) |
| Target | A Windows Server Domain Controller (unpatched or running pre-September 2020 updates) |
| Network setup | Attacker and target on the same internal network, or reachable via VPN in a test lab |
| Exploitable vulnerability | Unpatched or missing Microsoft security update for CVE-2020-1472 |

Required Tools:

  1. Impacket: A suite of Python classes to facilitate network penetration testing. Used to send and receive crafted packets, simulate Netlogon communication, and execute Zerologon exploitation.
  2. Zerologon PoC: A proof-of-concept script specifically designed to exploit CVE-2020-1472. It allows the attacker to easily craft the Netlogon packets and bypass authentication.

4. Step-by-Step Exploitation

Here’s how the attack works in 3 simple commands:

Step 1: Identify Vulnerable Domain Controllers

The first step in exploitation is to identify whether the Domain Controller (DC) is vulnerable. You can use an Impacket script to query the domain and check for vulnerable systems.

  • Check the Netlogon version and whether it is vulnerable using Impacket:
    python3 GetNPUsers.py -dc-ip <DC_IP> -domain <DOMAIN> -user <USER>

If the request is successful, it indicates that the DC is vulnerable to Zerologon.


Step 2: Exploit the Zerologon Vulnerability

Now that we know the Domain Controller is vulnerable, we can exploit the vulnerability.

  • Run the Zerologon exploit using the PoC (proof-of-concept) script. This sends specially crafted packets to the Domain Controller, exploiting the weak cryptographic implementation and gaining unauthorized access.
    python3 zerologon.py -target <dc_ip>

The PoC script sends a series of crafted Netlogon messages that force the Domain Controller to authenticate the attacker without proper validation.

Alternatively, you can use Impacket’s ntlmrelayx to relay SMB authentication requests:

    python3 ntlmrelayx.py -t nc://<dc_ip>:445

This bypasses the normal authentication process and allows the attacker to impersonate any machine in the domain (including the Domain Controller itself).


Step 3: Gain Domain Admin Privileges

Once the attacker is able to impersonate the Domain Controller, they can escalate their privileges and take full control of the domain.

  • Dump credentials with Impacket:
    python3 secretsdump.py -target <dc_ip> -user <user> -password <password>

This command allows you to extract hashes and credentials from the Domain Controller.

  • Use Mimikatz to escalate privileges and dump passwords:
    mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"

Once you have access to the Domain Admin credentials, you can change passwords, create new admin accounts, or reset account passwords.


5. Detection & Blue Team View

Detecting Zerologon can be challenging because it exploits a protocol-level vulnerability, leaving minimal traces. However, there are still signs that can help you identify the attack.

Key Detection Points:

  1. Event ID 4625 (Failed Login Attempts):
    • High-frequency login failures from unauthorized users or machines may indicate an exploitation attempt.
  2. Event ID 4771 (Kerberos Pre-authentication Failures):
    • Anomalies in Kerberos pre-authentication failures may be a sign that an attacker is trying to bypass authentication via Zerologon.
  3. Netlogon Traffic Analysis:
    • Abnormal patterns in Netlogon traffic (such as an unauthorized machine trying to authenticate as the Domain Controller) can help detect exploitation attempts.
    • You can set up Network Monitoring Tools such as Wireshark or Zeek to capture and analyze Netlogon traffic for anomalies.
  4. Monitor Netlogon-related logs:
    • Regularly monitor logs such as Event ID 1200 (Netlogon Connection) and Event ID 8000 (Netlogon Failure).
    • Any Netlogon authentication anomalies such as missing encryption or invalid messages can indicate an exploitation attempt.
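A small detector for two of the signals listed above, as an added example that is not from the original post: a burst of Event ID 4625 failures from one source, and a logon failure or Netlogon event that names a Domain Controller's machine account from an address that DC does not use. The DC inventory, the event records and their values are constructed for the demo, and the Netlogon event IDs are taken from the list above as the post gives them.

```python
from collections import defaultdict, deque

# Constructed inventory: DC machine accounts and the addresses they legitimately use.
DC_ACCOUNTS = {"DC01$": {"10.0.0.5"}}

# Event IDs the post lists for Netlogon connection / failure.
NETLOGON_EVENTS = {1200, 8000}

# Constructed events: (epoch seconds, event_id, source_ip, account_name).
EVENTS = [(1000 + i, 4625, "10.0.0.77", "DC01$") for i in range(8)] + [
    (1050, 8000, "10.0.0.77", "DC01$"),  # Netlogon failure from the same source
    (1300, 4625, "10.0.0.23", "alice"),  # one failed logon: benign noise
    (1400, 1200, "10.0.0.5", "DC01$"),   # the DC authenticating as itself
]


def burst_alerts(events, threshold=5, window=60):
    """Per-source sliding window: flag a source once it reaches `threshold`
    Event ID 4625 failures within `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, eid, src, _acct in sorted(events):
        if eid != 4625:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return sorted(flagged)


def dc_impersonation_alerts(events):
    """Flag any logon failure or Netlogon event that names a DC machine
    account but comes from an address that DC does not use."""
    hits = set()
    for _ts, eid, src, acct in events:
        if eid not in NETLOGON_EVENTS and eid != 4625:
            continue
        if acct in DC_ACCOUNTS and src not in DC_ACCOUNTS[acct]:
            hits.add((src, acct))
    return sorted(hits)
```

Feed real events by mapping each log record to the same four-tuple; the DC inventory is the part that makes the second check specific rather than noisy.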

6. Patch & Mitigation Tips

To prevent exploitation, patching is essential. Microsoft released a security patch in September 2020 for CVE-2020-1472 to fix this vulnerability.

  1. Apply Patches: Ensure that Windows Server and all systems in your domain have been updated with the latest security patches (especially the updates released in September 2020).
    • Patch your Domain Controllers and Windows Servers immediately.
    • You can check for missing updates using Windows Update or the Microsoft Update Catalog.
  2. Enforce SMB Signing:
    • SMB Signing can help detect and block unauthenticated SMB traffic.
    • Configure Group Policy to enforce SMB signing and protect against the Zerologon exploit.
  3. Limit Access to Netlogon Services:
    • Restrict Netlogon access to trusted sources and IP ranges. Only allow Domain Controllers and authorized devices to communicate over Netlogon (port 445).
    • Limit access to the Netlogon Remote Protocol (RPC) by configuring firewall rules.
  4. Monitor Netlogon Traffic:
    • Set up network traffic analysis to detect suspicious traffic patterns associated with Netlogon authentication.
    • Use SIEM tools like Splunk or Elastic Stack to correlate authentication events and monitor for any anomalies.

7. References + Final Thoughts

Final Thoughts

Zerologon (CVE-2020-1472) is one of the most critical vulnerabilities in recent years because of its simplicity and potential impact. With just 3 commands, an attacker can take control of an entire domain, making this a high-risk vulnerability.

It’s vital for organizations to patch their systems immediately to prevent Zerologon exploitation. By following the detection and mitigation steps provided, you can protect your network from this highly damaging vulnerability.

If you haven’t already, make sure your domain controllers are up to date with the September 2020 security patches.

https://bad-glitch.github.io/posts/active-directory/cve20-1472/cve-2020-1472/
Author: Amr Abdel Hamide
Published at: 2025-04-10