Zerologon (CVE-2020-1472) is one of the most critical Active Directory flaws ever discovered.
By exploiting a weakness in the Microsoft Netlogon Remote Protocol (MS-NRPC), an attacker with nothing more than network reachability to a Domain Controller (DC) can, without any credentials, take over the DC's machine account and from there obtain domain-administrator-level access in minutes.
This post recreates a full compromise of the TryHackMe “Zerologon” room, showing how Pentest Copilot—an AI-powered penetration-testing agent—reduces a traditionally intricate cryptographic attack to an automated workflow.
The demonstration highlights both the offensive potential of automation and the defensive lessons every blue team must learn.
Start by deploying the TryHackMe Zerologon box and connecting your attacker machine to the VPN:
```bash
sudo openvpn <your_thm_config>.ovpn
```
With VPN established, scan for the Domain Controller:
```bash
nmap -sC -sV 10.10.0.0/24
```
Identify the Windows Server host exposing LDAP (389/636, plus 3268/3269 for the global catalog), Kerberos (88), SMB (445) and MSRPC (135); that combination of services on one host is the signature of a Domain Controller. For example, suppose the DC is dc01.zerolab.local with IP 10.10.x.x.
The flaw lies in how Netlogon computes the credential that authenticates a secure-channel client (ComputeNetlogonCredential): it encrypts the 8-byte challenge with AES-CFB8 under the session key, using a hard-coded all-zero initialization vector.
In CFB8 each output byte is the plaintext byte XORed with the first byte of the block cipher's output for the current shift register. With an all-zero IV and an all-zero challenge, if the first byte of AES_k(0) happens to be zero, the first ciphertext byte is zero, the shift register stays all-zero, and every following byte is zero as well. That happens for roughly 1 in 256 session keys, so an attacker who sends an all-zero challenge together with an all-zero credential is accepted, on average, after about 256 tries, without ever knowing the machine-account password from which the session key is derived.
Historically, exploiting this required manual steps:
Establish a vulnerable Netlogon session: call NetrServerReqChallenge against the DC (addressed by its NetBIOS name) with an all-zero client challenge.
Repeat NetrServerAuthenticate3 with an all-zero client credential until the DC returns success instead of STATUS_ACCESS_DENIED (about 256 attempts on average). The client also negotiates flags that drop signing and sealing, because it never learns the session key.
Reset the DC's machine-account password with NetrServerPasswordSet2 (the classic proof-of-concept sets it to empty). Caveat: the DC's own LSA still holds the old password, so replication, DNS registration and the DC's own logons break until the original password is restored from the local secret ($MACHINE.ACC) at the end of the engagement.
Use the new password to authenticate as the DC's machine account and perform a DCSync, harvesting every credential in Active Directory.
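The authentication weakness described above and the retry loop from the manual steps, as an added example (not code from the original post or from Pentest Copilot). It uses a SHA-256-based keyed function as a stand-in for the AES block function; that is an assumption made so the script runs with the standard library alone, and it is sound here because CFB mode only ever calls the block cipher in the forward direction, so the zero-IV argument is exactly the same for real AES-128. Nothing in it touches a network.

```python
"""Why an all-zero IV makes CFB8 exploitable, and what the Zerologon
authentication loop looks like.  Added example, not code from the original
post or from Pentest Copilot.  Assumption: a SHA-256-based keyed PRF stands
in for the AES block function (CFB only uses the forward direction, so the
zero-IV argument is identical for real AES-128)."""
import hashlib
import os
from typing import Callable

BlockFn = Callable[[bytes], bytes]   # maps a 16-byte block to a 16-byte block


def make_block_fn(session_key: bytes) -> BlockFn:
    """Stand-in for AES_k: a keyed 16-byte pseudorandom function."""
    def encrypt_block(block: bytes) -> bytes:
        assert len(block) == 16
        return hashlib.sha256(session_key + block).digest()[:16]
    return encrypt_block


def cfb8_encrypt(block_fn: BlockFn, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: one block-cipher call per plaintext byte.
    The shift register starts as the IV; ciphertext byte i is
    plaintext[i] XOR the first byte of E(register); the register then
    drops its oldest byte and appends that ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_fn(bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(challenge: bytes, session_key: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential (AES variant): CFB8 over the
    8-byte challenge with a hard-coded all-zero IV.  The fixed IV is the
    bug: if E_k(0^16)[0] == 0 then c[0] == 0, the register stays all-zero,
    and every following byte is zero as well, so a zero challenge maps to
    a zero credential for about 1 in 256 session keys."""
    return cfb8_encrypt(make_block_fn(session_key), bytes(16), challenge)


def dc_accepts(session_key: bytes, client_challenge: bytes,
               client_credential: bytes) -> bool:
    """Server side of NetrServerAuthenticate3: recompute the credential
    from the client's challenge and compare it with what the client sent."""
    return compute_netlogon_credential(client_challenge, session_key) == client_credential


def zerologon_attempts(rng: Callable[[int], bytes] = os.urandom,
                       max_attempts: int = 5000) -> int:
    """Attacker loop: always send an all-zero challenge and an all-zero
    credential.  The DC issues a fresh server challenge per attempt, so the
    (unknown) session key is effectively fresh and random each time.
    Returns the attempt number on which the DC accepts, or -1."""
    zeros = bytes(8)
    for attempt in range(1, max_attempts + 1):
        session_key = rng(16)   # the attacker never learns this; it only needs luck
        if dc_accepts(session_key, zeros, zeros):
            return attempt
    return -1


if __name__ == "__main__":
    trials = [zerologon_attempts() for _ in range(20)]
    print("attempts until the DC accepted:", trials)   # clusters around 256
    print("mean:", sum(trials) / len(trials))
```

Run it and the attempt counts cluster around 256. The only things the attacker controls are the zero challenge and the zero credential; the only thing it needs is for the DC to accept once, after which the session continues without the attacker ever holding the session key.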
Pentest Copilot encapsulates this entire chain into a single automated pipeline.
With only the target IP provided, Pentest Copilot performs multi-layer reconnaissance:
Service and Port Mapping: Enumerates MSRPC, LDAP, SMB, and Kerberos endpoints to confirm the host's Domain Controller role.
Netlogon Protocol Check: Verifies that the Netlogon RPC interface is reachable and tests whether the DC is still vulnerable. There is no passive way to read the patch level off the wire; the reliable check is the authentication attempt itself, because a patched DC never accepts the all-zero credential, so a few thousand consecutive failures mean the host is patched.
Topology Awareness: Builds a picture of trust relationships and administrative boundaries.
Traditionally you would run rpcclient, enum4linux, or manual LDAP queries; here the agent correlates and validates the results autonomously.
After confirming vulnerability, a single command triggers the Zerologon exploitation module.
Behind the scenes Pentest Copilot:
Launches the AES-CFB8 Attack – Sends NetrServerAuthenticate3 requests with an all-zero challenge and credential, tuning the request rate, until the DC accepts one (about 256 attempts on average).
Resets the Machine-Account Password – Overwrites the DC's computer-account password via NetrServerPasswordSet2 with a random value stored in the agent's vault (the DC's own LSA still holds the old password, so the original must be restored from it when the engagement ends).
Escalates Privileges and DCSyncs – Authenticates as the DC's machine account and uses the Directory Replication Service (DRSUAPI) to replicate the secrets held in NTDS.dit. A DCSync returns directory secrets only; the SYSTEM and SECURITY registry hives are not replicated and need a separate dump with local administrator rights on the DC.
This process is fully logged, fault-tolerant, and requires no manual scripting.
The DCSync operation produces:
NTLM hashes for every domain user and computer account.
Kerberos key material, including the KRBTGT key necessary for Golden Ticket generation.
Service-account credentials ideal for lateral movement.
All credentials are normalized into reusable formats for immediate testing or later analysis.
After domain-administrator hashes are captured, Pentest Copilot can (within an authorized engagement) deploy its own lightweight agent to the Domain Controller for persistence and deeper testing.
Credential Validation & Context Elevation – Uses the newly obtained NTLM hash to establish an authenticated admin session over SMB or WinRM.
Encrypted Agent Transfer – Uploads a compact XOR-obfuscated binary or PowerShell loader to a system directory. XOR with a static key is obfuscation rather than encryption: it defeats casual inspection and naive signature matching, not analysis.
In-Memory Execution – Registers a Windows service that decodes and launches the agent in memory, keeping the on-disk footprint to the loader itself. The service registration is still visible: it writes under HKLM\SYSTEM\CurrentControlSet\Services and logs System event 7045 (and Security event 4697 where service installation is audited).
Secure Callback – The agent connects back over TLS to the RTCS backend, enabling live command execution, lateral movement modules, and telemetry.
Built-in safeguards include hash-based integrity checks, full operator logging, and single-command removal to match professional red-team standards.
This exercise reinforces several critical defenses:
Patch Immediately – Microsoft's August 11, 2020 update fixes CVE-2020-1472 on the DC and starts logging vulnerable secure-channel connections (System event 5829); the February 9, 2021 update turned on enforcement mode by default, denying vulnerable Netlogon secure channels from all devices (events 5827/5828).
Monitor Netlogon Traffic – Spikes in authentication failures, System events 5827, 5828 and 5829 from the NETLOGON source, or secure-channel activity from unknown addresses or non-Windows devices can indicate exploitation attempts.
Adopt Zero-Trust – Isolate Domain Controllers, enforce MFA for privileged accounts, and segment administrative networks to limit exposure.
Enterprises that fail to adopt these measures remain vulnerable not only to skilled attackers but also to automated exploitation at machine speed.
Running the TryHackMe Zerologon lab with Pentest Copilot demonstrates how a sophisticated cryptographic exploit has been transformed into an end-to-end automated operation.
The platform identifies the DC, executes the AES-CFB8 attack, resets the machine password, harvests credentials, and can even deploy a persistent agent—all with minimal human input.
For defenders, the lesson is urgent: complex vulnerabilities are no longer a barrier to entry.
Comprehensive patching, vigilant monitoring, and zero-trust architecture are non-negotiable.
Q1. Is this attack still viable on modern Windows domains?
Only if the DC is unpatched. Microsoft’s August 2020 and subsequent updates close the vulnerability. Unpatched environments, however, remain fully exploitable.
Q2. Does Pentest Copilot require prior credentials to execute Zerologon?
No. Zerologon itself is an unauthenticated flaw. Pentest Copilot needs only network access to the vulnerable DC's Netlogon interface (MSRPC on TCP 135 plus the dynamic port, or the Netlogon named pipe over SMB on 445) and the DC's NetBIOS name, which is trivially enumerated, to start the attack.
Q3. How does the post-exploitation agent remain stealthy?
The agent is delivered in obfuscated form, decoded in memory, and communicates over TLS. It mimics legitimate administrative behavior and supports quick removal when the engagement ends. Stealth is relative, though: the service installation, the loader on disk, and a new outbound TLS connection from a DC are all observable to a blue team that is looking for them.
Q4. What are the key indicators for blue teams?
Look for repeated Netlogon authentication failures and System events 5827/5828/5829, a sudden password change on a DC computer account (Security event 4742 outside the normal 30-day machine-password rotation), anomalous DCSync requests (Security event 4662 carrying the DS-Replication-Get-Changes control-access GUIDs from a principal that is not a partner DC), and unexpected outbound TLS connections from a DC.
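The detection side of the defenses listed earlier and the indicators in Q4, as an added example (not the original post's or Pentest Copilot's code): rules over a constructed timeline of Windows events, correlated into the Zerologon chain (vulnerable Netlogon channel, DC machine-account password change, anomalous replication). The event timeline, host names, addresses and the set of known DC accounts are constructed assumptions; the event IDs and the replication control-access GUIDs are Microsoft's.

```python
"""Host-side indicators of a Zerologon chain, as detection logic over
constructed Windows System/Security events.  Added example, not from the
original post or Pentest Copilot.  Event IDs: 5827/5828 (Netlogon denied a
vulnerable secure channel), 5829 (allowed one, pre-enforcement), 4742
(computer account changed), 4662 (object access carrying the replication
control-access GUIDs).  Events, hosts, addresses and DC_ACCOUNTS are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_ACCOUNTS = {"DC01$", "DC02$"}             # assumption: the domain's DC computer accounts

SAMPLE_EVENTS: List[Dict] = [               # constructed timeline as seen on DC01
    {"t": "2024-05-01T10:00:00", "id": 5829, "host": "DC01",
     "SamAccountName": "DC01$", "ClientAddress": "10.10.14.5"},
    {"t": "2024-05-01T10:00:04", "id": 4742, "host": "DC01",
     "TargetUserName": "DC01$", "SubjectUserName": "ANONYMOUS LOGON"},
    {"t": "2024-05-01T10:00:40", "id": 4662, "host": "DC01",
     "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # benign: scheduled replication pulled by a partner DC
    {"t": "2024-05-01T10:05:00", "id": 4662, "host": "DC01",
     "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # benign: a member server rotating its own machine password
    {"t": "2024-05-01T10:06:00", "id": 4742, "host": "DC01",
     "TargetUserName": "FS01$", "SubjectUserName": "FS01$"},
]


def ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["t"])


def netlogon_vulnerable_channels(events: List[Dict]) -> List[Dict]:
    """5827/5828 = denied, 5829 = still allowed.  Either way a client tried a
    pre-patch style secure channel; 5829 additionally means enforcement is off."""
    return [e for e in events if e["id"] in (5827, 5828, 5829)]


def dc_password_changes(events: List[Dict]) -> List[Dict]:
    """4742 against a DC computer account.  Caveat: DCs rotate their own machine
    password every 30 days by default, so on its own this is only a lead."""
    return [e for e in events if e["id"] == 4742 and e["TargetUserName"] in DC_ACCOUNTS]


def suspicious_dcsync(events: List[Dict]) -> List[Dict]:
    """4662 with a replication GUID whose subject is not a *partner* DC: either a
    non-DC principal, or (the Zerologon case) the DC's own account replayed against
    itself (assumption: the subject shows the authenticating machine account)."""
    hits = []
    for e in events:
        if e["id"] != 4662:
            continue
        props = {p.strip("{}") for p in e.get("Properties", "").split()}
        if not props & REPLICATION_GUIDS:
            continue
        subj = e["SubjectUserName"]
        if subj not in DC_ACCOUNTS or subj == e["host"] + "$":
            hits.append(e)
    return hits


def zerologon_chain(events: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Correlate per host: vulnerable channel, then DC password change, then
    anomalous replication, all in order and within `window`.  Returns matching hosts."""
    matched = []
    for host in {e["host"] for e in events}:
        chan = [ts(e) for e in netlogon_vulnerable_channels(events) if e["host"] == host]
        pw = [ts(e) for e in dc_password_changes(events) if e["host"] == host]
        repl = [ts(e) for e in suspicious_dcsync(events) if e["host"] == host]
        if any(a <= b <= c <= a + window for a in chan for b in pw for c in repl):
            matched.append(host)
    return sorted(matched)


if __name__ == "__main__":
    print("vulnerable channels:", len(netlogon_vulnerable_channels(SAMPLE_EVENTS)))
    print("DC password changes:", [e["TargetUserName"] for e in dc_password_changes(SAMPLE_EVENTS)])
    print("suspicious DCSync:", [e["SubjectUserName"] for e in suspicious_dcsync(SAMPLE_EVENTS)])
    print("Zerologon chain on:", zerologon_chain(SAMPLE_EVENTS))
```

The single-event rules are noisy on their own (a 30-day rotation trips the 4742 rule, a new DC trips the 4662 rule), which is why the chain rule insists on order and a time window; in the lab the three events land within a minute of each other.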
Q5. Can this workflow be adapted for other Active Directory attacks?
Yes. Pentest Copilot modules can chain Zerologon with techniques like Pass-the-Hash, Kerberoasting, and ADCS abuse, enabling a broader red-team campaign once domain admin is achieved.