Exploit Code for CVE-2020-1472 aka Zerologon
By default, will zeroing out the password of the domain controller account. NOTE: It will break things in production (eg. DNS, communication with other DC, etc)
Zerologon original researh and writeup: here
It attempts to perform the Netlogon authentication bypass. When a domain controller is patched, the detection script will give up after sending 2000 pairs of RPC calls, concludeing that the target is not vulnerable (with a false negative chance of 0.04%).
Requires Python 3.7 or higher and Pip. Install dependencies as follows:
pip install -r requirements.txt
It embeds a modified version of Impacket. Unnecessary as it has been merged
The script targets can be used to target a DC or backup DC. It likely also works against a read-only DC, but this has
not been tested. Given a domain controller named EXAMPLE-DC
and IP address 1.2.3.4
, run the script as follows:
./cve-2020-1472-exploit.py EXAMPLE-DC 1.2.3.4
The DC name should be its NetBIOS computer name. If this name is not correct, the script will likely fail with a
STATUS_INVALID_COMPUTER_NAME
error.