漏洞平台

POC详情： bd6a963366faf1934007e188b7c1701a096c2144

来源

https://github.com/NickSanzotta/zeroscan

关联漏洞

标题： Microsoft Windows Netlogon 安全特征问题漏洞 (CVE-2020-1472)
描述：Microsoft Windows Netlogon是美国微软（Microsoft）公司的Windows的一个重要组件，主要功能是用户和机器在域内网络上的认证，以及复制数据库以进行域控备份，同时还用于维护域成员与域之间、域与域控之间、域DC与跨域DC之间的关系。 Microsoft Windows Netlogon 存在安全漏洞。攻击者可以使用 Netlogon 远程协议 (MS-NRPC) 建立与域控制器的易受攻击的 Netlogon 安全通道连接并进行特权提升。

描述

Zeroscan is a Domain Controller vulnerability scanner, that currently includes checks for Zerologon (CVE-2020-1472), MS-PAR/MS-RPRN and SMBv2 Signing.

介绍

# zeroscan

Zeroscan is a Domain Controller vulnerability scanner, that currently includes checks for Zerologon (CVE-2020-1472), MS-PAR/MS-RPRN and SMBv2 Signing.

<br>

**CVE-2020-1472:**

Uses a built-in script to check for Zerologon (CVE-2020-1472), but does NOT attempt to exploit the target, it is simply a vulnerability scanner. 
Codebase borrowed from: https://github.com/SecuraBV/CVE-2020-1472 

<br>

**MS-PAR / MS-RPRN:**

Uses a wrapper around Impacket's rpcdump to check if the print services MS-PAR and MS-RPRN are remotely accessible. This check may help to determine if the target is vulnerable to CVE-2021-1675.

<br>

**SMBv2 Signing:**

Uses a wrapper around the Nmap Scripting Engine (NSE) script 'smb2-security-mode', to identify the target's SMBv2 signing configuration.

<br>

![Supported Python versions](https://img.shields.io/badge/python-3.9-green.svg)

<br>

**Installation:**


    git clone https://github.com/NickSanzotta/zeroscan.git
    cd zeroscan/
    virtualenv -p /usr/bin/python3.9 venv
    source venv/bin/activate
    python3 -m pip install -r requirements.txt

**Menu:**
```
Zeroscan
--------------------------------------------------

Usage:
  python3 zeroscan.py -t dc01 192.168.1.10
  python3 zeroscan.py -iL /path/to/targetfile.txt
  python3 zeroscan.py -iL /path/to/targetfile.txt --database
  python3 zeroscan.py -iL /path/to/targetfile.txt --drop-table
  python3 zeroscan.py -iL /path/to/targetfile.txt -r
  python3 zeroscan.py -iL /path/to/targetfile.txt -v


Primary options:
  -t TARGET TARGET     Single target using netbiosname and ipaddress. I.e "dc01 192.168.1.10"
  -iL TARGETSFILE      File that contains one target per line using netbiosname and ipaddress. I.e "dc01 192.168.1.10"

Secondary options:
  --database DATABASE  Filepath for database file.
  --drop-table         Drops database table.
  -r, --rpc-message    Turn on RPC response messages for CVE-2020-1472, helpful when troubleshooting connectivity issues.
  -v, --verbose        Turn on verbosity, helpful when debugging code.
  -h, --help           Show this help message and exit.
```

**Sample Output:**
```
╔════════════════════════════════════════════════════════ ZEROSCAN ═════════════════════════════════════════════════════════╗
╚═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╝
Impacket v0.9.23

./zeroscan.py -iL targets.txt
CVE-2020-1472
DC01 192.168.160.134  - AUTH-ATTEMPTS: 26
DC02 192.168.160.133  - AUTH-ATTEMPTS: 1
DC03 192.168.160.137  - AUTH-ATTEMPTS: 2000


Impacket v0.9.23

rpcdump.py @ipaddress
MS-PAR/MS-RPRN
DC01 192.168.160.134 - MS-PAR: False, MS-RPRN: False
DC02 192.168.160.133 - MS-PAR: False, MS-RPRN: False
DC03 192.168.160.137 - MS-PAR: True, MS-RPRN: True


Nmap 7.91

nmap -Pn --script smb2-security-mode -p 445 -iL ./outputfiles/targets.txt -oX ./outputfiles/xml/smb2-security-mode.xml
SMB2-SECURITY-MODE
192.168.160.134 - MESSAGE SIGNING ENABLED BUT NOT REQUIRED
192.168.160.137 - MESSAGE SIGNING ENABLED AND REQUIRED


                                              Zeroscan Database
╔══════════╤═════════════════╤════════════════╤════════╤═════════╤══════════════════════════════════════════╗
║ Hostname │ IP Address      │ CVE_2020_1472  │ MS_PAR │ MS_RPRN │ SMBv2_Signing                            ║
╟──────────┼─────────────────┼────────────────┼────────┼─────────┼──────────────────────────────────────────╢
║ DC01     │ 192.168.160.134 │ VULNERABLE     │ False  │ False   │ Message signing enabled but not required ║
║ DC02     │ 192.168.160.133 │ NA             │ False  │ False   │ NA                                       ║
║ DC03     │ 192.168.160.137 │ NOT VULNERABLE │ True   │ True    │ Message signing enabled and required     ║
╚══════════╧═════════════════╧════════════════╧════════╧═════════╧══════════════════════════════════════════╝
```

**Demo - Multi-target:**

![Zeroscan Demo](demo/zeroscan-demo.gif)

文件快照


 [4.0K]  /data/pocs/bd6a963366faf1934007e188b7c1701a096c2144
├── [4.0K]  demo
│   └── [438K]  zeroscan-demo.gif
├── [1.0K]  LICENSE
├── [5.1K]  README.md
├── [  30]  requirements.txt
├── [4.0K]  utils
│   ├── [2.6K]  arguments.py
│   ├── [ 300]  mkdir.py
│   ├── [1.9K]  nmapper.py
│   ├── [ 974]  richard.py
│   ├── [1.6K]  rpcdumpper.py
│   ├── [2.2K]  sqlite.py
│   ├── [ 519]  theme.ini
│   ├── [4.1K]  xmlparser.py
│   └── [2.2K]  zerologon.py
└── [7.7K]  zeroscan.py

2 directories, 14 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。