CVE-2020-1472 - Zero Logon vulnerability Python implementation

• A Python script which uses the Impacket library to test for CVE-2020-1472 - Zerologon vulnerability (credits to Secura research).
• The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.
• Specifically, the issue exists in the usage of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each “byte” of plaintext have a randomized initialization vector (IV), blocking attackers from guessing passwords. However, Netlogon’s ComputeNetlogonCredential function sets the IV to a fixed 16 bits – not randomized – meaning an attacker could control the deciphered text.
• "Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the [Domain Controller] itself) and set an empty password for that account in the domain,” according to Secura researchers.

• The script attempts to perform Netlogon authentication bypass. The script will terminate when succesfully performing the bypass.
• When a domain controller is patched, the script will stop after sending 2000 pairs of RPC calls (target is not vulnerable with a false negative chance of 0.04%).
• Note that by default this changes the password of the domain controller account. This allows to DCSync, but it also breaks communication with other DCs.
• More info and original research here

pip install impacket

or Download the impacket release here. Unpack it, and in the directory where you placed it, run:

pip install .

Given a domain controller named DC-NAME with IP address X.X.X.X, run the script as follows:

python cve-2020-1472.py DC-NAME X.X.X.X

The DC name is the NetBIOS computer name. If this name is not correct, the script will fail with a STATUS_INVALID_COMPUTER_NAME error.