CVE-2020-1472 - Zero Logon vulnerability Python implementation
- A Python script which uses the Impacket library to test for CVE-2020-1472 - Zerologon vulnerability (credits to Secura research).
- The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.
- Specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each “byte” of plaintext have a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed 16 bits – not randomized – meaning an attacker could control the deciphered text.
- "Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the [Domain Controller] itself) and set an empty password for that account in the domain,” according to Secura researchers.
- The script attempts to perform Netlogon authentication bypass. The script will terminate when succesfully performing the bypass.
- When a domain controller is patched, the script will stop after sending 2000 pairs of RPC calls (target is not vulnerable with a false negative chance of 0.04%).
- Note that by default this changes the password of the domain controller account. This allows to DCSync, but it also breaks communication with other DCs.
- More info and original research here
pip install impacket
or Download the impacket release here. Unpack it, and in the directory where you placed it, run:
pip install .
Given a domain controller named DC-NAME
with IP address X.X.X.X
, run the script as follows:
python cve-2020-1472.py DC-NAME X.X.X.X
The DC name is the NetBIOS computer name. If this name is not correct, the script will fail with a
STATUS_INVALID_COMPUTER_NAME
error.