Zerologon PoC: Full Critical Unauthenticated Windows Domain Takeover

  • by
Windows Extensions


Zerologon Proof-Of-Concept Critical Exploit

Researchers from Secura have found a Netlogon vulnerability that had allowed windows endpoints to be taken over. This process had required a person-in-the-middle (PitM) position for it to work successfully.

On the second attempt, the researchers had found that by forging an authentication token specific to Netlogon’s functionality, he was able to leverage a function in the netlogon commands set a computer password of the Domain Controller to a known value.

Once that is complete, the attacker can now use this new password to completely take over the domain controller and steal the credentials of all the domain administrator


Github user dirkjanm has developed a CVE-2020-1472 proof of concept here.  This attack performs the Netlogon authentication bypass.

If you want to perform a safer test in your Windows environment, try the ZeroLogon Testing Script by SecuraBV here.

This script attempts to perform the Netlogon Authentication bypass, and afterwards will terminate when successfully performing the bypass. However, it will not perform any Netlogon operations to ensure Windows environment stability.