/Invoke-ZeroLogon

Invoke-ZeroLogon allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

Primary LanguagePowerShell

Invoke-ZeroLogon

This code was heavily adapted from the C# implementation by the NCC Group's Full Spectrum Attack Simulation team and the original CVE published by Secura. This script can be run in two modes:

  1. When the reset parameter is set to True, the script will attempt to reset the target computer’s password to the default NTLM hash (essentially an empty password).
  2. By default, reset is set to False and will simply scan if the target computer is vulnerable to the ZeroLogon exploit (CVE-2020-1472).

WARNING: Resetting the password of a Domain Controller is likely to break the network. DO NOT use the reset parameter against a production system unless you fully understand the risks and have explicit permission.