Associated Vulnerability
Title:Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)Description:An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Description
Zeroscan is a Domain Controller vulnerability scanner, that currently includes checks for Zerologon (CVE-2020-1472), MS-PAR/MS-RPRN and SMBv2 Signing.
Readme
# zeroscan
Zeroscan is a Domain Controller vulnerability scanner, that currently includes checks for Zerologon (CVE-2020-1472), MS-PAR/MS-RPRN and SMBv2 Signing.
<br>
**CVE-2020-1472:**
Uses a built-in script to check for Zerologon (CVE-2020-1472), but does NOT attempt to exploit the target, it is simply a vulnerability scanner.
Codebase borrowed from: https://github.com/SecuraBV/CVE-2020-1472
<br>
**MS-PAR / MS-RPRN:**
Uses a wrapper around Impacket's rpcdump to check if the print services MS-PAR and MS-RPRN are remotely accessible. This check may help to determine if the target is vulnerable to CVE-2021-1675.
<br>
**SMBv2 Signing:**
Uses a wrapper around the Nmap Scripting Engine (NSE) script 'smb2-security-mode', to identify the target's SMBv2 signing configuration.
<br>
<br>
**Installation:**
git clone https://github.com/NickSanzotta/zeroscan.git
cd zeroscan/
virtualenv -p /usr/bin/python3.9 venv
source venv/bin/activate
python3 -m pip install -r requirements.txt
**Menu:**
```
Zeroscan
--------------------------------------------------
Usage:
python3 zeroscan.py -t dc01 192.168.1.10
python3 zeroscan.py -iL /path/to/targetfile.txt
python3 zeroscan.py -iL /path/to/targetfile.txt --database
python3 zeroscan.py -iL /path/to/targetfile.txt --drop-table
python3 zeroscan.py -iL /path/to/targetfile.txt -r
python3 zeroscan.py -iL /path/to/targetfile.txt -v
Primary options:
-t TARGET TARGET Single target using netbiosname and ipaddress. I.e "dc01 192.168.1.10"
-iL TARGETSFILE File that contains one target per line using netbiosname and ipaddress. I.e "dc01 192.168.1.10"
Secondary options:
--database DATABASE Filepath for database file.
--drop-table Drops database table.
-r, --rpc-message Turn on RPC response messages for CVE-2020-1472, helpful when troubleshooting connectivity issues.
-v, --verbose Turn on verbosity, helpful when debugging code.
-h, --help Show this help message and exit.
```
**Sample Output:**
```
╔════════════════════════════════════════════════════════ ZEROSCAN ═════════════════════════════════════════════════════════╗
╚═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╝
Impacket v0.9.23
./zeroscan.py -iL targets.txt
CVE-2020-1472
DC01 192.168.160.134 - AUTH-ATTEMPTS: 26
DC02 192.168.160.133 - AUTH-ATTEMPTS: 1
DC03 192.168.160.137 - AUTH-ATTEMPTS: 2000
Impacket v0.9.23
rpcdump.py @ipaddress
MS-PAR/MS-RPRN
DC01 192.168.160.134 - MS-PAR: False, MS-RPRN: False
DC02 192.168.160.133 - MS-PAR: False, MS-RPRN: False
DC03 192.168.160.137 - MS-PAR: True, MS-RPRN: True
Nmap 7.91
nmap -Pn --script smb2-security-mode -p 445 -iL ./outputfiles/targets.txt -oX ./outputfiles/xml/smb2-security-mode.xml
SMB2-SECURITY-MODE
192.168.160.134 - MESSAGE SIGNING ENABLED BUT NOT REQUIRED
192.168.160.137 - MESSAGE SIGNING ENABLED AND REQUIRED
Zeroscan Database
╔══════════╤═════════════════╤════════════════╤════════╤═════════╤══════════════════════════════════════════╗
║ Hostname │ IP Address │ CVE_2020_1472 │ MS_PAR │ MS_RPRN │ SMBv2_Signing ║
╟──────────┼─────────────────┼────────────────┼────────┼─────────┼──────────────────────────────────────────╢
║ DC01 │ 192.168.160.134 │ VULNERABLE │ False │ False │ Message signing enabled but not required ║
║ DC02 │ 192.168.160.133 │ NA │ False │ False │ NA ║
║ DC03 │ 192.168.160.137 │ NOT VULNERABLE │ True │ True │ Message signing enabled and required ║
╚══════════╧═════════════════╧════════════════╧════════╧═════════╧══════════════════════════════════════════╝
```
**Demo - Multi-target:**
File Snapshot
[4.0K] /data/pocs/bd6a963366faf1934007e188b7c1701a096c2144
├── [4.0K] demo
│ └── [438K] zeroscan-demo.gif
├── [1.0K] LICENSE
├── [5.1K] README.md
├── [ 30] requirements.txt
├── [4.0K] utils
│ ├── [2.6K] arguments.py
│ ├── [ 300] mkdir.py
│ ├── [1.9K] nmapper.py
│ ├── [ 974] richard.py
│ ├── [1.6K] rpcdumpper.py
│ ├── [2.2K] sqlite.py
│ ├── [ 519] theme.ini
│ ├── [4.1K] xmlparser.py
│ └── [2.2K] zerologon.py
└── [7.7K] zeroscan.py
2 directories, 14 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →