
cve-2020-1472's Introduction

ZeroLogon testing script

A Python script that uses the Impacket library to test vulnerability for the Zerologon exploit (CVE-2020-1472).

It attempts to perform the Netlogon authentication bypass. The script will immediately terminate when successfully performing the bypass, and not perform any Netlogon operations. When a domain controller is patched, the detection script will give up after sending 2000 pairs of RPC calls and conclude the target is not vulnerable (with a false negative chance of 0.04%).
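The 2000-attempt cut-off and the 0.04% false-negative figure follow from a simple probability argument. The block below is an added illustration, not code from the repository; it assumes, as background from the public Zerologon write-up rather than from this page, that a single all-zero client credential is accepted by an unpatched DC for about 1 in 256 session keys, and works out how many attempts a tester needs before it can declare a target patched at a chosen confidence.

```python
import math

# Assumption (background from the public Zerologon analysis, not from this page):
# an unpatched DC accepts an all-zero client credential for about 1 in 256
# session keys, so each independent attempt succeeds with probability 1/256.
P_SUCCESS_PER_ATTEMPT = 1 / 256


def false_negative_rate(attempts: int, p: float = P_SUCCESS_PER_ATTEMPT) -> float:
    """Probability that `attempts` independent tries all fail against a
    vulnerable DC, i.e. the chance the tester wrongly reports 'not vulnerable'."""
    return (1 - p) ** attempts


def attempts_for_rate(target_fn: float, p: float = P_SUCCESS_PER_ATTEMPT) -> int:
    """Smallest number of attempts whose false-negative rate is <= target_fn."""
    if not 0 < target_fn < 1:
        raise ValueError("target_fn must be in (0, 1)")
    # (1-p)^n <= target  <=>  n >= log(target) / log(1-p)   (both logs negative)
    return math.ceil(math.log(target_fn) / math.log(1 - p))


def expected_attempts(p: float = P_SUCCESS_PER_ATTEMPT) -> float:
    """Mean number of tries until the first success (geometric distribution)."""
    return 1 / p


if __name__ == "__main__":
    n = 2000
    print(f"{n} attempts -> false negative rate {false_negative_rate(n):.4%}")
    print(f"attempts needed for <= 0.04% false negatives: {attempts_for_rate(0.0004)}")
    print(f"expected attempts until success on a vulnerable DC: {expected_attempts():.0f}")
```

With these assumptions 2000 attempts give (255/256)^2000, about 0.04%, which is why a patched DC produces a long run of failures before the script gives up, while a vulnerable DC typically succeeds after a few hundred tries.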

Installation

Requires Python 3.7 or higher and Pip. Install dependencies as follows:

pip install -r requirements.txt

Note that running pip install impacket should work as well, as long as the script is not broken by future Impacket versions.

Running the script

The script can be used to target a DC or backup DC. It likely also works against a read-only DC, but this has not been tested. Given a domain controller named EXAMPLE-DC with IP address 1.2.3.4, run the script as follows:

./zerologon_tester.py EXAMPLE-DC 1.2.3.4

The DC name should be its NetBIOS computer name. If this name is not correct, the script will likely fail with a STATUS_INVALID_COMPUTER_NAME error.

A Whitepaper on this vulnerability will be published here: https://www.secura.com/blog/zero-logon on Monday 14 sept.

Running via Docker

Instead of running the script locally, you can also run a Docker container as follows:

sudo docker run -it ttervoort/zerologon-tester EXAMPLE-DC 1.2.3.4

cve-2020-1472's People

Contributors

androiddevnotes, dependabot[bot], djrevmoon, goncalor, jhfrintrop, sanmai-nl


cve-2020-1472's Issues

Script not working in Kubuntu 20.04

Performing authentication attempts...
Traceback (most recent call last):
File "./zerologon_tester.py", line 86, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "./zerologon_tester.py", line 62, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
File "./zerologon_tester.py", line 35, in try_zero_authenticate
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
File "/home/miatello.mauro/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/nrpc.py", line 2668, in hNetrServerReqChallenge
return dce.request(request)
File "/home/miatello.mauro/.local/lib/python3.8/site-packages/impacket/dcerpc/v5/rpcrt.py", line 877, in request
raise exception
impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc0000122 - STATUS_INVALID_COMPUTER_NAME - Indicates a name that was specified as a remote computer name is syntactically invalid.

Invalid computer name?

From my Ubuntu 18 host, requirements installed. Using NetBIOS names and IPs of both DCs. Same error on both.

greg@njlh3:~/CVE-2020-1472$ python3 zerologon_tester.py NJDC03 192.168.5.22
Performing authentication attempts...
Traceback (most recent call last):
File "zerologon_tester.py", line 86, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "zerologon_tester.py", line 62, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
File "zerologon_tester.py", line 35, in try_zero_authenticate
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
File "/home/greg/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/nrpc.py", line 2668, in hNetrServerReqChallenge
return dce.request(request)
File "/home/greg/.local/lib/python3.6/site-packages/impacket/dcerpc/v5/rpcrt.py", line 877, in request
raise exception
impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc0000122 - STATUS_INVALID_COMPUTER_NAME - Indicates a name that was specified as a remote computer name is syntactically invalid.

Batch testing list of DCs

Background:

Modified your script to run against a list of DC hostnames in a secondary TXT file, and found bugs in the original script.

Running:

Executing the script on the list of DCs worked OK on 10% of the list; the rest failed in the RPC connect function.
Of the 10%, got ~50/50 vulnerable and not vulnerable, so the script is working but with a very low percentage of accuracy.
There may be a problem in the "impacket" module when trying to establish a connection to the destination host.

Checks:

Validated network connectivity OK, validated RPC(135) and SMB(445) connectivity OK.

Troj-Warning

Hi,

why does the tool install mimikatz on my system?

********************** Sophos Anti-Virus Alert ***********************
Threat "Troj/Mimikatz-Q" detected in file
"/tmp/pip-install-8xxnod7l/impacket/examples/mimikatz.py".

Access to the file has been denied

**********************************************************************

0x16c9a0d6 - ept_s_not_registered

py zerologon_tester.py DESKTOP-6F1UFD6 192.168.0.105
Performing authentication attempts...
Traceback (most recent call last):
File "zerologon_tester.py", line 86, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "zerologon_tester.py", line 62, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
File "zerologon_tester.py", line 22, in try_zero_authenticate
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
File "C:\Users\Nikita\AppData\Local\Programs\Python\Python38-32\lib\site-packages\impacket\dcerpc\v5\epm.py", line 1306, in hept_map
resp = dce.request(request)
File "C:\Users\Nikita\AppData\Local\Programs\Python\Python38-32\lib\site-packages\impacket\dcerpc\v5\rpcrt.py", line 877, in request
raise exception
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x16c9a0d6 - ept_s_not_registered

is it not affected?

[!] CVE-2020-1472 PoC by BlackArrow (Tarlogic)

Performing authentication attempts...

Success! DC can be fully compromised by a Zerologon attack. (attempt=100)
Traceback (most recent call last):
File ".py", line 144, in
passwordSet2(rpc_con, nbios_name, computer)
File "CVE-2020-1472.py", line 125, in passwordSet2
resp = dce.request(request)
File "/home/local/{account}/.local/lib/python2.7/site-packages/impacket/dcerpc/v5/rpcrt.py", line 877, in request
raise exception
impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

dnspython 2.0 not installing

When I run:
pip install -r requirements.txt
pip shows me this error:

  Could not find a version that satisfies the requirement dnspython==2.0.0 (from -r requirements.txt (line 4)) (from versions: 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0)
No matching distribution found for dnspython==2.0.0 (from -r requirements.txt (line 4))

Script fails with syntax errors, Python 3.8 fresh install

the script does not work at all. I am using Python 3.8 and I get this:

    print(msg, file=sys.stderr)
                   ^
SyntaxError: invalid syntax

then I added from __future__ import print_function in the beginning of the script and now it goes further but still an error:

    fail(f'Unexpected error code from DC: {ex.get_error_code()}.')
                                                                ^
SyntaxError: invalid syntax

Error codes

Trying to test POC in the lab. If I set example-dc to domain.dom (the domain) I get STATUS_INVALID_COMPUTER_NAME.

If I used the full hostname I get Unexpected error code from DC: 3221225867.

Any thoughts on what that means?

How do I know the Domain Controller vulnerability?

Hi @Lionqueen94 and @djrevmoon, I checked the readme for this tool. How do I know the Domain Controller vulnerability? Are there some evident indicators showing the server has been exploited? BTW, is there a quick-fix Python script if the testing script result comes true (which shows the server is vulnerable to this CVE)? Looking forward to hearing from you.
Ping Yang (Peter)

test but can't exploit

I run zerologon_tester.py, it says success, DC can be fully....

but I want to exploit, not the test. I checked that the admin password is not changed to blank after I run zerologon_tester.py, please give the exploit code

[Info] Added to AD enumeration script

Hi!

First off, amazing find and thanks for making a non-destructive tester.
I've added your script + license (actually the entire repo) to a project of mine and attempted as much transparency as possible. License-wise I'm running MIT also. Please let me know if this is against your wishes, or feel free to close off this one.
Once again, thanks for keeping us all safer by finding this one.
Cheers!
/ Casper

[WinError 10054] or [Errno 104]

I'm not sure whether it is because my working environment has some control on DC access or because of a script problem. I tried in both Windows and Kali environments. Below are the error messages:

Kali (Python 3.8.5):
root@kali:~/GitHub/CVE-2020-1472# python3 zerologon_tester.py EXAMPLEHOST 192.168.0.1
Performing authentication attempts...
Traceback (most recent call last):
File "zerologon_tester.py", line 86, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "zerologon_tester.py", line 62, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
File "zerologon_tester.py", line 35, in try_zero_authenticate
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/nrpc.py", line 2668, in hNetrServerReqChallenge
return dce.request(request)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 856, in request
answer = self.recv()
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1307, in recv
response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/transport.py", line 345, in recv
buffer += self.__socket.recv(count-len(buffer))
ConnectionResetError: [Errno 104] Connection reset by peer

Windows 10 (Python 3.8.5):
E:\GitHub\CVE-2020-1472>e:\Python\Python38\python zerologon_tester.py EXAMPLEHOST 192.168.0.1
Performing authentication attempts...
Traceback (most recent call last):
File "zerologon_tester.py", line 86, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "zerologon_tester.py", line 62, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
File "zerologon_tester.py", line 35, in try_zero_authenticate
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
File "e:\Python\Python38\lib\site-packages\impacket\dcerpc\v5\nrpc.py", line 2668, in hNetrServerReqChallenge
return dce.request(request)
File "e:\Python\Python38\lib\site-packages\impacket\dcerpc\v5\rpcrt.py", line 856, in request
answer = self.recv()
File "e:\Python\Python38\lib\site-packages\impacket\dcerpc\v5\rpcrt.py", line 1307, in recv
response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
File "e:\Python\Python38\lib\site-packages\impacket\dcerpc\v5\transport.py", line 345, in recv
buffer += self.__socket.recv(count-len(buffer))
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host

the same using Python 3.7

SyntaxError

I get a SyntaxError: invalid syntax.
It's at line 16
print(msg, file=sys.stderr)


Output Not Changing When Arguments Used

Operating System: Windows 10
Python: Python.org 3.8.5

When trying to run script with arguments, it shows the same output as it would without any arguments.

I am not very familiar with python so I am unsure what may be the issue here.
The only thing I did non-default was install python for all users in Program Files and not in AppData.
Edit: I tried installing in AppData as well and had the same issue.

Script Output

C:\Users\username\Desktop>zerologon_tester.py
Usage: zerologon_tester.py

Tests whether a domain controller is vulnerable to the Zerologon attack. Does not attempt to make any changes.
Note: dc-name should be the (NetBIOS) computer name of the domain controller.

C:\Users\username\Desktop>zerologon_tester.py computername 192.168.1.1
Usage: zerologon_tester.py

Tests whether a domain controller is vulnerable to the Zerologon attack. Does not attempt to make any changes.
Note: dc-name should be the (NetBIOS) computer name of the domain controller.

Output of prereqs:

Requirement already satisfied: cffi==1.14.2
Requirement already satisfied: click==7.1.2
Requirement already satisfied: cryptography==3.1
Requirement already satisfied: dnspython==2.0.0
Requirement already satisfied: Flask==1.1.2
Requirement already satisfied: future==0.18.2
Requirement already satisfied: impacket==0.9.21
Requirement already satisfied: itsdangerous==1.1.0
Requirement already satisfied: Jinja2==2.11.2
Requirement already satisfied: ldap3==2.8
Requirement already satisfied: ldapdomaindump==0.9.3
Requirement already satisfied: MarkupSafe==1.1.1
Requirement already satisfied: pyasn1==0.4.8
Requirement already satisfied: pycparser==2.20
Requirement already satisfied: pycryptodomex==3.9.8
Requirement already satisfied: pyOpenSSL==19.1.0
Requirement already satisfied: six==1.15.0
Requirement already satisfied: Werkzeug==1.0.1

TimeoutError: WinError 10060

not really sure what caused this error below:

Performing authentication attempts...
Traceback (most recent call last):
File "C:\Users\changh6087\AppData\Local\Programs\Python\Python37\lib\site-packages\impacket\dcerpc\v5\transport.py", line 315, in connect
self.__socket.connect(sa)
TimeoutError: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Users\changh6087\AppData\Local\Programs\Python\Python37\zerologon_tester.py", line 101, in
perform_attack('\\' + dc_name, dc_ip, dc_name)
File "C:\Users\changh6087\AppData\Local\Programs\Python\Python37\zerologon_tester.py", line 73, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
File "C:\Users\changh6087\AppData\Local\Programs\Python\Python37\zerologon_tester.py", line 27, in try_zero_authenticate
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
File "C:\Users\changh6087\AppData\Local\Programs\Python\Python37\lib\site-packages\impacket\dcerpc\v5\epm.py", line 1237, in hept_map
dce.connect()
File "C:\Users\changh6087\AppData\Local\Programs\Python\Python37\lib\site-packages\impacket\dcerpc\v5\rpcrt.py", line 800, in connect
return self._transport.connect()
File "C:\Users\changh6087\AppData\Local\Programs\Python\Python37\lib\site-packages\impacket\dcerpc\v5\transport.py", line 318, in connect
raise DCERPCException("Could not connect: %s" % msg)
impacket.dcerpc.v5.rpcrt.DCERPCException: Could not connect: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

Script exiting without failure or success

I was just testing this script against our DC and it just quits after about 12-13 connection attempts.
But there is no output on whether the DC is vulnerable or patched, and no error message is shown on why the script might have stopped.
Output of one attempt:

C:\Users\wannabeciso\Desktop\CVE-2020-1472-master>python zerologon_tester.py OUR-DC-NAME 192.168.X.X
Performing authentication attempts...
============
C:\Users\wannabeciso\Desktop\CVE-2020-1472-master>

Tried it with Powershell as well, same outcome.

Edit: Seems only to be an issue when trying from my Win10 machine; it works perfectly fine when trying from my Ubuntu machine.

Script seems to fail if netbios name contains a hyphen

Hello

I'm trying to run the script on a DC that has a hyphen in the name e.g.

zerologon_tester.py dc-name 10.0.5.1

It fails with an error like this

C:\dctest>zerologon_tester.py dc-name 10.0.5.1
Performing authentication attempts...
Traceback (most recent call last):
File "C:\dctest\zerologon_tester.py", line 86, in <module>
perform_attack('\\\\' + dc_name, dc_ip, dc_name)
File "C:\dctest\zerologon_tester.py", line 62, in perform_attack
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
File "C:\dctest\zerologon_tester.py", line 35, in try_zero_authenticate
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
File "C:\Users\rob\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\dcerpc\v5\nrpc.py", line 2668, in hNetrServerReqChallenge
return dce.request(request)
File "C:\Users\rob\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\dcerpc\v5\rpcrt.py", line 856, in request
answer = self.recv()
File "C:\Users\rob\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\dcerpc\v5\rpcrt.py", line 1307, in recv
response_data = self._transport.recv(forceRecv, count=MSRPCRespHeader._SIZE)
File "C:\Users\rob\AppData\Local\Programs\Python\Python38\lib\site-packages\impacket\dcerpc\v5\transport.py", line 345, in recv
buffer += self.__socket.recv(count-len(buffer))
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host

If I run it on another DC without a hyphen in the name it executes correctly.

Thanks!

Script not working with RODC

The script fails with Read only Domain Controllers.

Performing authentication attempts... Unexpected error code from DC: 3221225867. This might have been caused by invalid arguments or network issues.

Event 5805 expected behavior with Secura Script

Hi Guys,
This is not an issue, more a question.
I used your script to test an updated Domain Controller and it works well. I also tested it on an unpatched DC.

In both cases, each script launch triggered 2 Event 5805 logs.
Is this what is expected?

Can I use Event 5805 plus my DC name appearing in the message ("the from Computer") of the log to conclude that a Zerologon attack took place?

Moreover, I found a small difference between patched and not patched:

  • In the unpatched case the 2 events are the same.
  • In the patched case, in one of the events I got the attacking computer in the message of the event (and not the DC).

My test with a patched DC gives this result:
2000 requests from the script resulted in 2000 packets TCP/port 135 + 2000 packets TCP/65xxx on the firewall (the RPC calls).
In the DC event log I can find 2 5805 events:

  • 2020-11-10T09:30:12.000Z MyDC1234.ADS.LOCAL AttkCp888 5805 The session setup from the computer AttkCp888 failed to authenticate. The following error occurred: \r\nAccess is denied.
  • 2020-11-10T09:30:12.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.

Now when I take a non patched DC:
Success! DC can be fully compromised by a Zerologon attack.

  • 2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.
  • 2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.
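One way to turn the pattern this post describes into triage logic, as an added example that is neither part of the repository nor of the post: it parses flattened 5805 lines in the format quoted above (the sample lines below are constructed to mirror it) and flags events whose "from computer" is the DC's own NetBIOS name, which the post reports for both events in the unpatched case. The regular expression, the `Event5805` record and the sample log are assumptions of this example. Treat a hit as a signal worth investigating, not proof: 5805 also fires for ordinary failed secure-channel setups, and the post's patched-DC run produced one self-named event as well.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the flattened one-line event format quoted in the post:
# "<timestamp> <dc fqdn> <source> 5805 The session setup from the computer <X> failed to authenticate. ..."
EVENT_5805_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dc>\S+)\s+(?P<src>\S+)\s+5805\s+"
    r"The session setup from the computer (?P<from>\S+) failed to authenticate\b"
)


@dataclass
class Event5805:
    timestamp: str
    dc_fqdn: str
    from_computer: str
    self_named: bool  # True when the "from" computer is the DC's own short name


def parse_5805(line: str) -> Optional[Event5805]:
    """Parse one flattened 5805 line; return None for anything else."""
    m = EVENT_5805_RE.match(line)
    if m is None:
        return None
    dc_short = m.group("dc").split(".")[0].lower()  # MyDC1234.ADS.LOCAL -> mydc1234
    from_computer = m.group("from")
    return Event5805(
        timestamp=m.group("ts"),
        dc_fqdn=m.group("dc"),
        from_computer=from_computer,
        self_named=from_computer.lower() == dc_short,
    )


def triage(lines: List[str]) -> Tuple[List[Event5805], List[Event5805]]:
    """Return (all parsed 5805 events, those where the DC appears to set up a
    session with itself), the pattern the post associates with the Zerologon test."""
    events = [e for e in (parse_5805(line) for line in lines) if e is not None]
    return events, [e for e in events if e.self_named]


# Constructed sample log in the post's format (not real data).
SAMPLE_LOG = [
    r"2020-11-10T09:30:12.000Z MyDC1234.ADS.LOCAL AttkCp888 5805 The session setup from the computer AttkCp888 failed to authenticate. The following error occurred: \r\nAccess is denied.",
    r"2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.",
    r"2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.",
    r"2020-11-10T09:43:00.000Z MyDC1234.ADS.LOCAL mydc1234 4624 An account was successfully logged on.",
]

if __name__ == "__main__":
    all_events, suspicious = triage(SAMPLE_LOG)
    print(f"5805 events parsed: {len(all_events)}, self-named: {len(suspicious)}")
    for e in suspicious:
        print(f"  {e.timestamp} {e.dc_fqdn}: session setup from its own name {e.from_computer!r}")
```

On the constructed input this reports three 5805 events, two of them self-named; the 4624 line is ignored. Running the same triage over a real export, correlate hits with the source IP in the firewall records (the post notes the TCP/135 plus dynamic-port RPC traffic) before concluding anything.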

Can't read the result. The window closes too fast.

Hello!
After performing authentication attempts... the window will close immediately, and I can't read the result. Is it possible to place "Press any key" at the end, so I could read the result?

No Event Log in patched DC after script execution

Hi,
When running this script against an enforced + patched system, I got "Attack failed. Target is probably patched." after 30 seconds and a bunch of "=" signs, but no event log at all (5829, 5827, 5828, 5830, 5831) was recorded.
Is that expected ?
