Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Hijacking a Domain Controller with Netlogon RPC aka Zerologon: CVE-2020-1472

On September 14th, researchers at security firm Secura published a white paper detailing a complete unauthenticated compromise of domain controllers by subverting the Netlogon cryptography. The vulnerability, dubbed “Zerologon” (CVE-2020-1472) is a privilege escalation bug with a CVSSv3 score of 10.0 and allows a remote attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) and take over Windows Servers running as Domain Controllers.

Vulnerability Details and Analysis

MS-NRPC is an RPC interface that is used exclusively by domain-joined devices. It includes an authentication method and a method of establishing a Netlogon secure channel. The vulnerability uses a weak cryptographic algorithm in Netlogon’s authentication process to allow full takeover of Active Directory domains. The flaw lies in Netlogon’s cryptographic implementation of AES-CFB8 encryption. An attacker can impersonate a DC account and replace it with all zeros. As per Secura’s white paper, for 1 in 256 keys, applying AES-CFB8 encryption to an all-zero plaintext will result in an all-zero ciphertext. By sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller.


Below are screenshots explaining the exploitation details listed in the white paper.

  1. Bypassing the authentication call

The client is authenticating itself by doing NetrServerAuthenticate3 call after the exchange of the challenges. This call has a parameter called ClientCredential, that was computed during the client challenge. Since the client challenge can be set to zeroes, it means that for 1 in 256 session keys, the correct ClientCredential will consist of 8 zeroes. With several tries, the correct key will be hit in an average of 256 tries, but in implementation it only takes a few seconds.

Image001Figure 1: Packet capture with several authentication attempts until response is not DENIED

  1. Disabling RPC signing and sealing

Even if the authentication call is bypassed, the real value of the session key would be unknown. Since Netlogon's transport encryption’s use of this key is optional, the client can disable the mechanism in the flag of the NetrServerAuthenticate3 call.

Image002Figure 2: Disable signing and sealing flag used in the POC code (Source:

Figure 3: NetrServerAuthenticate3 packet with the flag set

  1. Computing the Authenticator value

Every call must contain an authenticator value which is computed by applying ComputeNetlogonCredential (with the session key) to the value ClientStoredCredential + Timestamp. The ClientStoredCredential is incrementing value starting from zero since client credential consists of zeroes. While the timestamp contains current Posix time, the server does not place any restriction on this value, and it can be set to zero.

  1. Changing computer's AD Password

Using the NetrServerPasswordSet2 call, a new password for the client can be encrypted with the session key using the AES-CFB8. Netlogon plaintext password consists of 516 bytes, the last four indicate the password length. By providing 516 zeroes, this will be decrypted to 516 zeros or an empty password. Changing the password this way only updates it in the AD.

Image004Figure 4: NetrServerPasswordSet2 request packet with empty password (516 zeroes)

  1. Changing Domain Admin Password

Using the previous steps to change the password of the domain controller, the DC password was changed in the AD, but not in the local registry. This only works when DC validates a login attempt with the password stored in AD. It was found that using Impacket's secretdump, the newly set DC password can be used to compromise the system.

Let’s look at the proof of concept in action.

Proof of Concept

Secura released a Python script to test the presence of the vulnerability. Multiple other PoCs are available on Github, all based on the Secura proof of concept. See 1, 2, 3, 4.

Image005Figure 5: Exploitation of the Vulnerability using:

Image006Figure 6: Using john the ripper to crack the nthash

After using the PoC code, nthash of the DC changed to 31d6cfe0d16ae931b73c59d7e0c089c0 which is an empty password when decrypted.


This is a very high impact and a severe vulnerability allowing a local attacker to completely compromise the Windows domain. Exploitation by advanced threat actors is highly possible and this vulnerability offers ransomware groups to attack organizations with network-accessible hosts.

How to protect your systems?

Microsoft is addressing the vulnerability in a phased two-part rollout. The initial phase started with the August 11th, 2020 Patch Tuesday update. Customers who have applied August 2020 Patch Tuesday Security updates are protected against Zerologon attacks. The patch fixes the problem by enforcing the Secure Netlogon Remote Protocol for all Windows servers and clients in the domain. We urge organizations that have not applied the August 2020 Patch Tuesday updates, to patch CVE-2020-1472 immediately. Phase 2, planned for the first quarter of 20201, will be an enforcement phase. Microsoft has also provided guidance on deploying Domain Controller enforcement mode at

Detection Guidance

Trustwave’s Security Testing Services customers can detect this vulnerability via authenticated scans.


Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More