Zerologon

This repository is a mixed offensive lab/project bundle rather than a single cohesive exploit. It contains three major components: (1) a Python proof-of-concept exploit for CVE-2020-25213 against the WordPress wp-file-manager plugin, (2) Zerologon exploitation scripts for CVE-2020-1472 targeting Windows domain controllers, and (3) a full copy of the Chisel tunneling utility used as supporting infrastructure for pivoting/tunneling. The most direct exploit code is Python-exploit-CVE-2020-25213/exploit.py. That script takes a base URL and a command, posts a handcrafted multipart/form-data request to /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php, uploads a PHP file named shell<random>.php containing shell_exec($_REQUEST['cmd']), and then triggers it via /wp-content/plugins/wp-file-manager/lib/files/shell<random>.php?cmd=<command>. This is a real unauthenticated arbitrary file upload leading to RCE against wp-file-manager 6.0-6.9. It is operational but simple: payload is hardcoded, no cleanup, no target validation, and minimal error handling. The zerologon/ directory contains two Python scripts derived from public Zerologon research. set_empty_pw.py repeatedly attempts Netlogon authentication with all-zero challenge/credential values over MSRPC (ncacn_ip_tcp) until successful, then issues NetrServerPasswordSet2 to set the target DC machine account password to an empty string. reinstall_original_pw.py performs a similar authentication bypass and uses a custom NetrServerPasswordSet RPC structure to restore a supplied original NT hash. These are exploitation scripts, not scanners, and enable severe post-exploitation outcomes when used against an unpatched domain controller. The chisel/ directory is not exploit code for a CVE; it is a legitimate Go-based TCP/UDP-over-HTTP tunneling tool with client/server modes, WebSocket transport, SSH-based encryption/authentication, optional SOCKS5, reverse tunneling, TLS/mTLS, and proxy support. In the context of this repository, it appears to be included as an operator utility for pivoting or exposing internal services during the broader attack chain described in the top-level README. Repository structure therefore suggests a coursework/demo attack chain: compromise a vulnerable WordPress client via CVE-2020-25213, use Chisel for tunneling/pivoting, and exploit a vulnerable Windows Server 2019 domain controller via Zerologon. The included code is actionable and offensive, with the WordPress exploit providing immediate command execution and the Zerologon scripts enabling domain-level compromise under the required vulnerable conditions.

This repository is a small standalone Python-based Active Directory offensive/audit utility, not tied to a major exploit framework. It contains one primary executable script (noemvex_apex.py), a README, a requirements file, and a .gitignore. The script is the clear entry point and requires root privileges on Unix-like systems before execution. Core capabilities implemented in code: - SMB signing assessment using Impacket SMBConnection to determine whether signing is required, identifying NTLM relay exposure. - Netlogon/DCERPC probing for ZeroLogon-related exposure using a DCERPC binding string over TCP/135. The implementation is only a lightweight endpoint exposure/probe, not a full CVE-2020-1472 exploitation routine. - Authenticated LAPS extraction using ldap3 with NTLM authentication. When credentials are supplied, it binds to LDAP on the target, searches the default naming context for computer objects with the ms-Mcs-AdmPwd attribute, and prints/stores recovered passwords. - Local reporting and logging through apex_log.txt and an HTML dashboard summarizing vulnerabilities and any recovered credentials. Repository structure and purpose: - noemvex_apex.py: Main operational script containing CLI parsing, privilege check, SMB/RPC/LDAP logic, and HTML report generation. - README.md: Describes intended AD-focused use cases, examples, and claimed capabilities. - requirements.txt: Lists Python dependencies; only impacket and ldap3 are materially used by the script, while requests and beautifulsoup4 appear unused. - .gitignore: Excludes Python cache, .env files, generated loot directories, and packet captures. Assessment of exploit nature: This is a real offensive security tool with credential-access and network reconnaissance functionality, but it is not a full weaponized exploit for ZeroLogon. The SMB signing check is functional, and the LAPS dumping logic is operational if valid credentials with sufficient LDAP read rights are provided. The ZeroLogon portion is best characterized as a probe/detection-style network check embedded within a broader offensive utility rather than a complete exploit chain.

This repository provides a Python script ('zerologon.py') that exploits the Zerologon vulnerability (CVE-2020-1472) in Microsoft Windows Domain Controllers. The exploit leverages a cryptographic flaw in the Netlogon authentication protocol, allowing an unauthenticated attacker to impersonate any computer, including the domain controller itself. The script attempts up to 2000 Netlogon authentication requests with all-zero credentials to achieve a successful bypass. If successful, it can optionally reset the DC's machine account password to an empty string, effectively granting the attacker full control over the domain. The script also provides a mechanism to restore the original password if the hash is available. The repository is structured for educational/lab use, with dependencies managed via 'pyproject.toml' and 'uv.lock'. The main exploit logic resides in 'zerologon.py', which is the only code file. No hardcoded endpoints are present; the target DC's NetBIOS name and IP address are supplied by the user at runtime. The attack vector is network-based, targeting the Netlogon RPC service on the DC. This exploit is operational and demonstrates real-world impact in a controlled environment.

This repository implements a working exploit for the Zerologon vulnerability (CVE-2020-1472), which affects Microsoft Active Directory Domain Controllers. The main exploit is written in C++ (Zerologon/main.cpp) and leverages the Netlogon Remote Protocol (MS-NRPC) to send repeated authentication requests with all-zero credentials to the target DC. If successful, it resets the machine account password to an empty value, enabling full domain compromise. The exploit is operational and provides clear usage instructions, including post-exploitation steps using tools like secretsdump.py (Impacket) for credential extraction. The repository also includes a Python script (secretsdump.py) for post-exploitation, Visual Studio project files for building the exploit, and comprehensive documentation in the README. The attack vector is network-based, requiring access to the target DC over the network. No hardcoded IPs or domains are present; the target is specified at runtime. The exploit is not part of a framework and is a standalone operational tool.

This repository is a comprehensive toolkit for post-exploitation and credential access in Windows Active Directory environments, with a focus on leveraging the Zerologon vulnerability (CVE-2020-1472) and a wide array of Impacket-based tools. The structure includes numerous Python scripts, each targeting specific attack vectors or credential extraction techniques: - **Zerologon Exploit**: The README and usage examples show how to exploit CVE-2020-1472 to set a machine account password to an empty string, enabling further attacks such as domain controller secrets dumping. - **Credential Dumping and Lateral Movement**: Tools like `secretsdump.py`, `wmiexec.py`, `dcomexec.py`, and `atexec.py` allow for dumping credentials, executing commands remotely, and moving laterally within a Windows domain. - **Active Directory Reconnaissance**: Scripts such as `GetADUsers.py`, `GetADComputers.py`, `GetUserSPNs.py`, and `GetNPUsers.py` enumerate users, computers, and service principal names, supporting attacks like Kerberoasting and AS-REP roasting. - **Password Extraction**: `Get-GPPPassword.py` extracts and decrypts Group Policy Preferences passwords, while `GetLAPSPassword.py` targets LAPS-managed local admin passwords. - **Account Manipulation**: `addcomputer.py` and `changepasswd.py` allow for adding computer accounts and changing passwords via various protocols (SMB, RPC, LDAP, Kerberos). - **Other Tools**: The repository includes scripts for DPAPI secrets extraction, DACL editing, ticket analysis, and more. The codebase is primarily Python, with a modular structure and many entry points. Most tools require network access to SMB (port 445) or RPC (port 135), and some require valid credentials or specific permissions. The repository is operational and widely used in penetration testing and red teaming for post-exploitation, credential access, and Active Directory attacks.

This repository contains an operational exploit for CVE-2020-1472 (Zerologon), a critical vulnerability in Microsoft Windows Domain Controllers. The main exploit script, 'cve-2020-1472-exp.py', leverages the Zerologon flaw to reset the machine account password of a target DC to an empty string by abusing the Netlogon protocol with all-zero credentials. The script can be run against a single target or in batch mode using the provided INI configuration file ('cve-2020-1472.ini'), which specifies parameters for batch exploitation, such as the Python interpreter path and target port (389/LDAP). The repository also includes 'secretsdump.py', a credential dumping tool that can be used post-exploitation to extract sensitive information from the compromised DC. The exploit requires network access to the target DC and is effective only against unpatched systems. The code is written in Python and relies on the impacket library for network protocol manipulation. Overall, the repository provides a practical and effective toolset for exploiting and post-exploitation of the Zerologon vulnerability.

This repository contains a Python proof-of-concept exploit for CVE-2020-1472 (Zerologon), a critical privilege escalation vulnerability in Microsoft Windows domain controllers. The repository consists of a README.md with detailed usage instructions and a single exploit script, zerologon.py. The script can check if a domain controller is vulnerable and, if the '-exploit' flag is used, will reset the machine account password of the domain controller to a blank value, use secretsdump to extract NTDS password hashes (including domain admin credentials), and then restore the original password to minimize disruption. The exploit targets the Netlogon Remote Protocol (MS-NRPC) over the network, typically using port 445, but can also use ports 135 or 139. The script requires the latest impacket library and network access to the target domain controller. The exploit is operational and can be used to gain full domain admin privileges if the target is vulnerable. The README provides detection and mitigation guidance, as well as a list of affected Windows Server versions.

This repository is a proof-of-concept exploit toolkit for CVE-2020-1472 (Zerologon), targeting unpatched Microsoft Windows domain controllers. The main exploit logic resides in 'zer0dump.py', which implements the Zerologon attack by abusing a cryptographic flaw in the Netlogon protocol. The attack allows an unauthenticated attacker to reset the domain controller's machine account password to a known value, effectively granting full control over the domain controller. The toolkit is modular and leverages several supporting scripts: - 'zer0dump.py': Orchestrates the Zerologon attack, resets the DC password, dumps secrets, and executes commands. - 'psexec.py': Provides remote command execution capabilities over SMB by installing a service on the target. - 'reg.py': Allows remote registry manipulation, useful for post-exploitation or persistence. - 'secretsdump.py': Dumps sensitive secrets (e.g., NTDS.dit, SAM, LSA secrets) from the compromised domain controller. - 'requirements.txt': Lists Python dependencies, including 'impacket', which provides the low-level protocol support. The exploit requires network access to the target's SMB and Netlogon services (ports 445/139). It is operational and can fully compromise a vulnerable domain controller, allowing for credential extraction and arbitrary command execution. The code is written in Python and is based on and extends the functionality of the Impacket toolkit. No hardcoded IPs or domains are present; the target is specified at runtime. The exploit is not a detection script but a full weaponized attack chain for Zerologon.

This repository contains a Python proof-of-concept exploit for CVE-2020-1472 (Zerologon), targeting Microsoft Windows Domain Controllers. The main script, 'zerologon.py', attempts to exploit the cryptographic flaw in the Netlogon authentication protocol by sending repeated authentication requests with all-zero credentials to the Netlogon service, either over RPC/TCP or RPC/SMB. The script requires the NetBIOS name and IP address of the target DC, and optionally domain user credentials for SMB-based tests. If the attack is successful, it indicates the DC is vulnerable and can be fully compromised. The repository includes a README with usage instructions, a requirements.txt listing Python dependencies (notably impacket), and a standard MIT license. The exploit is a direct implementation of the Zerologon attack and does not include post-exploitation payloads, focusing solely on vulnerability detection and proof-of-concept exploitation.

This repository provides a functional exploit for CVE-2020-1472 (Zerologon), a critical privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC) used by Windows Active Directory Domain Controllers. The main exploit script, 'cve-2020-1472-exploit.py', attempts to authenticate to the Netlogon service of a target DC using all-zero credentials, exploiting a cryptographic flaw to reset the machine account password to an empty string. This enables an attacker to fully compromise the domain controller, extract all domain credentials, and gain domain admin privileges. The 'zerologon_tester.py' script checks if a DC is vulnerable without making changes, while 'restorepassword.py' can restore the DC's machine account password if the hash is known. The repository is written in Python and relies on the impacket library for protocol interactions. The attack vector is network-based, targeting the Netlogon service over TCP ports 445, 139, or 135. No hardcoded IPs or domains are present; the scripts require the attacker to specify the target DC's name and IP address. The repository is operational and provides all necessary components to exploit and remediate the vulnerability.

This repository is a C++ implementation of the Zerologon exploit (CVE-2020-1472), targeting unpatched Microsoft Windows Domain Controllers. The main exploit logic resides in 'Zerologon/main.cpp', which uses Windows Netlogon protocol functions (via netapi32.dll) to exploit a cryptographic flaw and reset the machine account password of a target DC to an empty value. The exploit requires the attacker to provide the FQDN, NetBIOS name, and machine account name of the target DC. If successful, it enables further attacks such as DCSync or Pass-the-Hash. The repository includes Visual Studio project files for building the exploit as a standalone executable. No detection or fake code is present; this is a functional exploit for operational use against vulnerable Windows environments.

This repository contains operational exploit code for CVE-2020-1472 (ZeroLogon), a critical vulnerability in the Netlogon Remote Protocol (MS-NRPC) affecting Microsoft Windows Domain Controllers. The exploit consists of two main Python scripts: - `set_empty_pw.py`: Exploits the cryptographic flaw in Netlogon to reset the DC's machine account password to an empty string by sending specially crafted authentication requests with all-zero credentials. This enables an attacker to impersonate the DC and obtain domain admin credentials using tools like `secretsdump.py`. - `reinstall_original_pw.py`: After exploitation, this script allows the attacker to restore the original machine account password hash, helping to avoid detection and maintain DC functionality. The exploit requires the attacker to know the NetBIOS name and IP address of the target DC. It interacts directly with the Netlogon service over the network (MSRPC, typically on port 445/tcp or 139/tcp). The repository also includes a `requirements.txt` specifying dependencies (notably a specific version of Impacket), and a README.md with detailed usage instructions and attack workflow. The code is not part of a framework and is standalone, operational exploit code. No hardcoded IPs or domains are present; the target is specified at runtime.

This repository contains a working proof-of-concept (PoC) exploit for CVE-2020-1472, also known as Zerologon, targeting Microsoft Active Directory Domain Controllers. The main exploit script (CVE-2020-1472.py) attempts to exploit a cryptographic flaw in the Netlogon protocol by sending authentication requests with all-zero credentials, allowing an unauthenticated attacker to reset the machine account password of the domain controller to a known value (all zeros). This enables further attacks, such as dumping secrets or full domain compromise. The repository also includes a recovery script (reinstall_original_pw.py) to restore the original machine account password if the hash is known, and a requirements.txt file listing necessary Python dependencies (notably impacket). The README provides usage instructions and references to related tools and original research. The exploit operates over the network, targeting the Netlogon service (TCP) on the DC, and requires the NetBIOS name and IP address of the target. This PoC is intended for testing and research purposes and should not be used in production environments.

This repository contains a Python exploit (ADZero.py) for CVE-2020-1472 (Zerologon), targeting vulnerable Microsoft Windows Domain Controllers. The main script, ADZero.py, automates the full attack chain: it connects to the target DC's Netlogon service using the Zerologon vulnerability, resets the machine account password to a known value (empty), and then uses Impacket tools (secretsdump.py and smbexec.py) to dump the Administrator account's NTLM hash and obtain a SYSTEM shell via pass-the-hash. The exploit requires only the target DC's IP address as input. The repository also includes a README (in Turkish) with detailed usage instructions, a requirements.txt specifying Impacket as a dependency, and a .gitignore. The attack vector is network-based, requiring access to the target's Netlogon service. The exploit is operational and automates privilege escalation to full domain compromise if the target is unpatched.

This repository contains a working exploit for CVE-2020-1472, also known as Zerologon. The main file, 'CVE-2020-1472.py', is a Python script that targets a Windows Domain Controller's Netlogon service using the MSRPC protocol. It leverages a cryptographic flaw to perform repeated authentication attempts with all-zero credentials. Upon success, it resets the DC's machine account password to a known value, allowing full domain compromise. The script requires the NetBIOS name and IP address of the target DC as arguments. The 'nrpc.py' file is a large dependency implementing the MS-NRPC protocol, used to craft and send the necessary RPC requests. The exploit is operational and can be used to fully compromise vulnerable domain controllers over the network. No hardcoded endpoints are present; the target is specified at runtime.

This repository provides a working exploit for CVE-2020-1472 (Zerologon), a critical vulnerability in the Netlogon protocol used by Microsoft Active Directory Domain Controllers. The main exploit script, 'cve-2020-1472-exploit.py', attempts to authenticate to a target DC using all-zero credentials, exploiting a cryptographic flaw to reset the machine account password to an empty string. This enables further attacks, such as DCSync, to extract credentials from the domain. The exploit requires the NetBIOS name and IP address of the target DC and relies on the impacket library for protocol operations. The 'restorepassword.py' script allows the operator to restore the original machine account password if it is known (e.g., extracted from registry hives). The 'relaying/dcsyncattack.py' and 'relaying/dcsyncclient.py' files provide additional tooling for DCSync attacks, likely as part of a relay attack framework. The repository is operational and provides all necessary components to exploit and recover from the Zerologon vulnerability, targeting unpatched Windows Domain Controllers.

This repository contains a working exploit for CVE-2020-1472 (Zerologon), a critical vulnerability in the Netlogon protocol affecting Microsoft Windows Domain Controllers. The exploit is implemented in two main Python scripts: - `set_empty_pw.py`: Exploits the vulnerability to reset the target DC's machine account password to an empty string by abusing the Netlogon authentication process. This enables an attacker to impersonate the DC and extract sensitive information such as domain admin hashes using tools like `secretsdump.py`. - `reinstall_original_pw.py`: After exploitation, this script allows the attacker to restore the original machine account password, helping to avoid detection and restore normal DC operation. The README provides detailed instructions for setting up the environment (notably requiring a specific version of Impacket), running the exploit, dumping secrets, and restoring the original password. The exploit requires network access to the target DC's Netlogon service (typically over TCP port 445 or 135). The repository is operational in maturity, providing a full attack chain from exploitation to cleanup, but does not include a fully weaponized, customizable payload framework. No hardcoded IPs or domains are present; the scripts require the attacker to specify the target DC's NetBIOS name and IP address as arguments.

This repository provides a working exploit and restoration tool for CVE-2020-1472 (Zerologon), a critical vulnerability in the Netlogon Remote Protocol (MS-NRPC) affecting Microsoft Windows Domain Controllers. The main exploit script, 'cve-2020-1472-exploit.py', attempts to authenticate to the target DC using all-zero credentials, exploiting a cryptographic flaw to bypass authentication. If successful, it resets the DC's machine account password to an empty string, which can then be leveraged to extract domain secrets (NTDS.dit, NTLM hashes, Kerberos keys) using tools like 'secretsdump.py'. The repository also includes 'reinstall_original_pw.py', a script to restore the original machine account password, mitigating the operational impact of the exploit. The exploit requires the NetBIOS name and IP address of the target DC and network access to the Netlogon service. The code is written in Python and depends on the Impacket library. The repository is operational and provides both exploitation and restoration capabilities, making it suitable for both red team and blue team use cases.

This repository provides a working exploit for CVE-2020-1472 (Zerologon), a critical vulnerability in the Netlogon Remote Protocol (MS-NRPC) affecting Microsoft Active Directory Domain Controllers. The main exploit script, 'cve-2020-1472-exploit.py', attempts to authenticate to the target DC using all-zero credentials, exploiting a cryptographic flaw to reset the machine account password to an empty string. This enables further attacks such as DCSync to extract domain secrets. The 'restorepassword.py' script allows the user to restore the original machine account password if it is known (e.g., dumped from the registry). The repository also includes code related to DCSync relay attacks, but the primary focus is the Zerologon exploit and password restoration. The exploit is operational and requires Python 3.6+ and a recent impacket library. The attack vector is network-based, targeting the Netlogon service on a vulnerable DC, with user-supplied IP and NetBIOS name as the main endpoints.

This repository provides a mass exploitation tool for the Zerologon (CVE-2020-1472) vulnerability affecting Microsoft Windows Domain Controllers. The main script, MassZeroLogon.py, is adapted from the original PoC and is designed to automate attacks against multiple targets by reading a file containing IP addresses and hostnames. It attempts to exploit the Netlogon cryptographic flaw by sending all-zero authentication requests to the DC's Netlogon service over the network. If successful, it notifies the user and provides a command to dump credentials using impacket-secretsdump. The repository also includes convert-nmap-zerologon.py, a helper script to parse nmap scan results and generate the required input file for mass exploitation. The Readme.md provides usage instructions and sample input formats. The exploit is operational and can be used for both detection and exploitation, with a focus on automating attacks against large numbers of potential targets.