exploiting-zerologon-vulnerability-cve-2020-1472

Fail

Audited by Snyk on Apr 10, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains explicit credential material (literal NTLM hashes, plus placeholders for hex-encoded passwords) and shows commands that place those values directly on the command line (e.g., -hashes :32ed87..., -hexpass <original_hex_password>), so an agent following it would have to handle and emit secret values in the clear.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The content provides explicit, actionable instructions to exploit CVE-2020-1472 (Zerologon) to reset a Domain Controller's machine account password, run DCSync to dump every credential in the domain, and use lateral-movement tools (psexec/wmiexec) with the dumped hashes to obtain domain admin access, facilitating high-impact unauthorized system compromise and credential theft.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal credential material. The secretsdump output and subsequent psexec/wmiexec examples contain high-entropy NTLM hashes that are presented as concrete values:
  • Administrator: ...:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
  • krbtgt: ...:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
  • svc_sql: ...:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::
  • And the explicit use of the Administrator NTLM hash in psexec/wmiexec: -hashes :32ed87bdb5fdc5e9cba88547376818d4

These are high-entropy, literal credential artifacts (NTLM password hashes) that would be usable for lateral movement (pass-the-hash) and therefore qualify as secrets under the provided definition.

Notes on ignored items:

  • The repeated aad3b435b51404eeaad3b435b51404ee value is the well-known LM hash of the empty password, which secretsdump prints whenever no LM hash is stored; it is not a secret by itself.
  • Placeholders like -hexpass <original_hex_password> are documentation placeholders and are ignored per the rules.

Given the presence of the NTLM hashes and their reuse in attack examples, I treat them as real, hardcoded credentials.
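The W008 rule above reduces to a small classifier: 32-hex values in secretsdump-style lines or `-hashes` arguments are secrets, the empty-password LM hash constant is not, and `<placeholders>` are skipped. The detector below is an added example written for this page; it is neither Snyk's scanner nor any code from the audited skill. It assumes impacket's `user:rid:lmhash:nthash:::` dump format and `-hashes LM:NT` flag syntax, adds the empty-password NT hash constant (31d6cfe0d16ae931b73c59d7e0c089c0) and a crude nibble-diversity filter as extra ignore rules that the report does not mention, and runs over a constructed sample built from the hash values the report quotes (the RIDs, the DC01$ account and the reset-tool line are invented for the sample).

```python
"""Added example: flag NT hashes in secretsdump-style lines and -hashes arguments,
skipping the empty-password LM/NT hash constants and <placeholders>.
Sample input is constructed here; it is not the audited skill's text."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# LM hash of the empty password; secretsdump prints it whenever no LM hash is stored.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password. Public knowledge, not a secret; it is also what a
# DC machine account's hash becomes once Zerologon has set an empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
KNOWN_CONSTANTS = {EMPTY_LM_HASH, EMPTY_NT_HASH}

HEX32 = r"[0-9a-fA-F]{32}"
# user:rid:lmhash:nthash::: as printed by impacket's secretsdump (rid may be elided).
DUMP_LINE_RE = re.compile(rf"^(?P<user>[^:\s]+):(?P<rid>[^:]*):(?P<lm>{HEX32}):(?P<nt>{HEX32}):::")
# -hashes LMHASH:NTHASH as accepted by impacket tools; the LM half may be empty.
HASHES_FLAG_RE = re.compile(rf"-hashes\s+(?P<lm>{HEX32})?:(?P<nt>{HEX32})")
# Documentation placeholders such as <original_hex_password>.
PLACEHOLDER_RE = re.compile(r"<[A-Za-z0-9_ .-]+>")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "lm_hash" or "nt_hash"
    value: str     # lower-cased hex
    context: str   # "dump:<user>" or "flag:-hashes"


def _ignore_reason(value: str) -> Optional[str]:
    """Reason to skip a 32-hex value, or None if it should be reported."""
    v = value.lower()
    if v in KNOWN_CONSTANTS:
        return "well-known constant"
    # A real hash mixes nibbles; values like 0000... or ffff... are filler, not secrets.
    if len(set(v)) < 8:
        return "low-entropy filler"
    return None


def scan(text: str) -> Tuple[List[Finding], List[str]]:
    """Return (findings, ignored) for the skill text, in one pass over its lines."""
    findings: List[Finding] = []
    ignored: List[str] = []

    def consider(line_no: int, kind: str, value: str, context: str) -> None:
        reason = _ignore_reason(value)
        if reason:
            ignored.append(f"line {line_no}: {kind} {value} ({reason})")
        else:
            findings.append(Finding(line_no, kind, value.lower(), context))

    for line_no, raw in enumerate(text.splitlines(), start=1):
        for ph in PLACEHOLDER_RE.findall(raw):
            ignored.append(f"line {line_no}: placeholder {ph}")
        m = DUMP_LINE_RE.match(raw.strip())
        if m:
            consider(line_no, "lm_hash", m["lm"], f"dump:{m['user']}")
            consider(line_no, "nt_hash", m["nt"], f"dump:{m['user']}")
            continue
        for m in HASHES_FLAG_RE.finditer(raw):
            if m["lm"]:
                consider(line_no, "lm_hash", m["lm"], "flag:-hashes")
            consider(line_no, "nt_hash", m["nt"], "flag:-hashes")
    return findings, ignored


def unique_secret_values(findings: List[Finding]) -> List[str]:
    """Distinct hash values that a pass-the-hash tool could use directly."""
    return sorted({f.value for f in findings})


# Constructed sample in secretsdump format using the hash values the report quotes;
# the RIDs, the DC01$ account and the reset-tool line are invented for this example.
SAMPLE_SKILL_TEXT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f3bc61e97fb14d18c42bcbf6c3a9055f:::
svc_sql:1105:aad3b435b51404eeaad3b435b51404ee:e4cba78b4c01d6e5c0e31ffff18e46ab:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
psexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 corp/Administrator@dc01
reset-tool -hexpass <original_hex_password>
"""

if __name__ == "__main__":
    found, skipped = scan(SAMPLE_SKILL_TEXT)
    for f in found:
        print(f"HIGH W008 line {f.line_no}: {f.kind} {f.value} ({f.context})")
    for s in skipped:
        print(f"ignored {s}")
```

On the sample, the four LM fields and the DC01$ NT hash are skipped as constants and the placeholder is skipped, leaving three distinct NT hashes flagged, one of them twice because it reappears in the `-hashes` argument. Deduplicating on value is what lets the report count "one reusable pass-the-hash credential" rather than one finding per line.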


Audit Metadata
Risk Level
CRITICAL
Analyzed
Apr 10, 2026, 08:31 AM
Issues
3