monkey/docs/content/reference/exploiters/Zerologon.md

---
title: "Zerologon"
date: 2021-01-31T19:46:12+05:30
draft: false
tags: ["exploit", "windows"]
---

The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).


### Description

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). The Zerologon exploiter takes advantage of this vulnerability to steal credentials from the domain controller. This allows the Infection Monkey to propagate to the machine using one of the brute force exploiters (for example, the SMB Exploiter).

To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).

### A note on safety

This exploiter is not safe for production or other sensitive environments. It
is, therefore, **not** enabled by default.

During successful exploitation, the Zerologon exploiter:

* will temporarily change the target domain controller's password.
* may break the target domain controller's communication with other systems in the network, affecting functionality.
* may change the administrator's password.
* will *attempt* to revert all changes.

While the Zerologon exploiter is usually successful in reverting its changes
and restoring the original passwords, it sometimes fails. Restoring passwords
manually after the Zerologon exploiter has run is nontrivial. For information
on restoring the original passwords, see the section on manually restoring your
passwords.

To minimize the risk posed by this exploiter, it is recommended that this
exploiter be run _only_ against VMs with a recent snapshot and _only_ in
testing or staging environments.


### Manually restoring your password

This exploiter attempts to restore the original passwords after exploitation.
It is usually successful, but it sometimes fails. If this exploiter has changed
a password but was unable to restore the original, you can try the following
methods to restore the original password.

#### Restore the VM from a recent snapshot

If the affected system is a virtual machine, the simplest way to restore it to
a working state is to revert to a recent snapshot.

#### Restore the administrator's password

If you are unable to log in as the administrator, you can follow the
instructions
[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html)
to regain access to the system.

#### Use Reset-ComputerMachinePassword

If you are able to login as the administrator, you can use the
[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)
powershell command to restore the domain controller's password.


#### Try a zerologon password restoration tool
If all other approaches fail, you can try the tools and steps found
[here](https://github.com/risksense/zerologon).


### Notes

* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).
Add Zerologon to documentation 2021-01-31 22:49:01 +08:00			`---`
			`title: "Zerologon"`
			`date: 2021-01-31T19:46:12+05:30`
			`draft: false`
			`tags: ["exploit", "windows"]`
			`---`

			`The Zerologon exploiter exploits [CVE-2020-1472](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472).`


			`### Description`

Docs: Update Zerologon documentation to mention that brute force exploiters use its stolen creds 2021-10-26 22:26:33 +08:00			`An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). The Zerologon exploiter takes advantage of this vulnerability to steal credentials from the domain controller. This allows the Infection Monkey to propagate to the machine using one of the brute force exploiters (for example, the SMB Exploiter).`
Add Zerologon to documentation 2021-01-31 22:49:01 +08:00
			`To download the relevant security update and read more, click [here](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472).`

docs: Add warnings and password restoration instructions for Zerologon 2021-02-28 08:38:26 +08:00			`### A note on safety`

			`This exploiter is not safe for production or other sensitive environments. It`
			`is, therefore, not enabled by default.`

			`During successful exploitation, the Zerologon exploiter:`

			`* will temporarily change the target domain controller's password.`
			`* may break the target domain controller's communication with other systems in the network, affecting functionality.`
			`* may change the administrator's password.`
			`* will attempt to revert all changes.`

			`While the Zerologon exploiter is usually successful in reverting its changes`
			`and restoring the original passwords, it sometimes fails. Restoring passwords`
			`manually after the Zerologon exploiter has run is nontrivial. For information`
docs: add missing comma on zerologon docs Co-authored-by: Shreya Malviya <shreya.malviya@gmail.com> 2021-03-01 07:35:07 +08:00			`on restoring the original passwords, see the section on manually restoring your`
docs: Add warnings and password restoration instructions for Zerologon 2021-02-28 08:38:26 +08:00			`passwords.`

			`To minimize the risk posed by this exploiter, it is recommended that this`
			`exploiter be run _only_ against VMs with a recent snapshot and _only_ in`
			`testing or staging environments.`


			`### Manually restoring your password`

			`This exploiter attempts to restore the original passwords after exploitation.`
			`It is usually successful, but it sometimes fails. If this exploiter has changed`
			`a password but was unable to restore the original, you can try the following`
			`methods to restore the original password.`

			`#### Restore the VM from a recent snapshot`

			`If the affected system is a virtual machine, the simplest way to restore it to`
			`a working state is to revert to a recent snapshot.`

			`#### Restore the administrator's password`

			`If you are unable to log in as the administrator, you can follow the`
			`instructions`
			`[here](https://www.top-password.com/knowledge/reset-windows-server-2019-password.html)`
			`to regain access to the system.`

			`#### Use Reset-ComputerMachinePassword`

			`If you are able to login as the administrator, you can use the`
			`[Reset-ComputerMachinePassword](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1)`
			`powershell command to restore the domain controller's password.`


			`#### Try a zerologon password restoration tool`
docs: minor rewording in zerologon docs Co-authored-by: Shreya Malviya <shreya.malviya@gmail.com> 2021-03-01 07:34:47 +08:00			`If all other approaches fail, you can try the tools and steps found`
docs: Add warnings and password restoration instructions for Zerologon 2021-02-28 08:38:26 +08:00			`[here](https://github.com/risksense/zerologon).`


Add Zerologon to documentation 2021-01-31 22:49:01 +08:00
			`### Notes`

			`* The Infection Monkey exploiter implementation is based on implementations by [@dirkjanm](https://github.com/dirkjanm/CVE-2020-1472/) and [@risksense](https://github.com/risksense/zerologon).`