
Overview
🔥 ZeroLogon Vulnerability (CVE-2020-1472)
🧠 1️⃣️ What is ZeroLogon?
ZeroLogon is a flaw in how Windows Domain Controllers authenticate clients over the Netlogon protocol.
It allows an attacker to:
- Authenticate to the Domain Controller
- WITHOUT knowing any password
- By abusing a weak cryptographic implementation
👉 The result:
You can take over the Domain Controller
🧱 2️⃣ The Protocol Behind ZeroLogon
ZeroLogon abuses a protocol called:
Netlogon Remote Protocol (MS-NRPC)
This protocol is used for:
- Computer ↔ Domain Controller authentication
- Domain trust operations
- Machine account password changes
💡 Every Domain Controller has a machine account, for example: DC01$
This account has:
- A password
- Very high privileges in the domain
🔐 3️⃣ The Root Cause (The Real Bug)
❌ What went wrong?
Microsoft used:
- AES-CFB8 encryption
- With a badly implemented initialization vector (IV)
Because of this:
- Sending all-zero values sometimes works
- Authentication can succeed without knowing the password
📌 The chance of success per try is:
1 out of 256
📌 After ~200–300 tries → success is almost guaranteed
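Why all-zero values work about one time in 256, as an added example (not code from this course or the linked repositories): in CFB8 with a fixed all-zero IV, any key whose first keystream byte is zero turns an all-zero input into an all-zero output, because the shift register never leaves the zero state. AES is replaced here by a SHA-256 stand-in (`prf_block`, a hypothetical helper) so the block runs with the standard library only; the effect comes from the mode and the IV, not from AES. Keys and IVs are constructed sample values.

```python
import hashlib

BLOCK = 16  # AES block size in bytes

def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k(block); CFB8 only uses the forward direction."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: one keystream byte per cipher call, then shift in the ciphertext byte."""
    reg, out = iv, bytearray()
    for p in plaintext:
        c = p ^ prf_block(key, reg)[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def constructed_key(i: int, label: bytes) -> bytes:
    """Constructed sample key/IV material, deterministic so runs are repeatable."""
    return hashlib.sha256(label + i.to_bytes(4, "big")).digest()[:BLOCK]

def count_all_zero(n_keys: int, fixed_zero_iv: bool) -> int:
    """Count keys that encrypt 8 zero bytes to 8 zero bytes."""
    zeros = bytes(8)
    hits = 0
    for i in range(n_keys):
        key = constructed_key(i, b"key")
        # Weak setting: the same all-zero IV every time. Sound setting: a fresh IV.
        iv = bytes(BLOCK) if fixed_zero_iv else constructed_key(i, b"iv")
        if cfb8_encrypt(key, iv, zeros) == zeros:
            hits += 1
    return hits

if __name__ == "__main__":
    n = 1 << 15
    print("fixed zero IV :", count_all_zero(n, True), "of", n, "(expect about n/256)")
    print("per-message IV:", count_all_zero(n, False), "of", n)
```

With a fresh IV per message the all-zero output needs eight independent zero keystream bytes, so it effectively never occurs.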
🎯 4️⃣ What Does the Attacker Achieve?
Once the attack succeeds:
✅ You can:
- Authenticate as the DC machine account
- Reset the DC machine password to NULL
- Fully control the domain
This leads to:
- Dumping domain hashes
- Creating Golden Tickets
- Full Domain Admin access
⚠️ This is domain compromise, not just privilege escalation.
🧪 5️⃣ When Is a Domain Vulnerable?
A domain is vulnerable if:
- The Domain Controller is unpatched
- Windows Server:
  - 2008 R2
  - 2012
  - 2016 (before patch)
  - 2019 (before patch)
📌 The vulnerability is on the Domain Controller only
🧭 6️⃣ Attack Flow (Big Picture)
Let’s zoom out first 👇
Attacker
↓
Netlogon Authentication (zeros)
↓
DC accepts fake auth
↓
DC machine password reset to NULL
↓
Attacker becomes Domain Admin
🧰 7️⃣ Tools Used in Practice
Common tools you’ll see in labs:
- Impacket
- zerologon_tester.py
- secretsdump.py
- crackmapexec / nxc
- mimikatz (later stage)
Resources:
https://github.com/dirkjanm/CVE-2020-1472
https://github.com/SecuraBV/CVE-2020-1472




