| 关联规则 | 关联知识 | 关联工具 | 关联文档 | 关联抓包 |
| 参考1(官网) | |
| 参考2 | |
| 参考3 |
目前网上公开的方法仅到重置密码为空(github/dirkjanm已出恢复密码restorepassword.py脚本,下面文章仅供参考!),但是后续没有恢复密码操作,对于域控制器来说,当计算机hash更改时会直接影响与其他域控制器的通信和该域控上的功能(例如:DNS服务等), 本文仅做个记录实现完整的利用。利用流程如下:
[出自:jiwo.org]
1.重置密码,获取域内所有的用户hash,利用exp:https://github.com/dirkjanm/CVE-2020-1472
2.Dump域控制上的hash
3.利用获取到的管理员hash远程连接导出sam数据库中原来的计算机hash
4.恢复ntds.dit中的计算机hash并验证:https://github.com/risksense/zerologon 需要注意的是最后的hash使用的是上图的标红的、”:”后面的部分-> f604.....1dc9这个,不是全部的,下图错了
5.最后验证密码已经更改回去
=======================最新github含恢复密码说明如下====================================
CVE-2020-1472 POC
Requires the latest impacket from GitHub with added netlogon structures.
Do note that by default this changes the password of the domain controller account. Yes this allows you to DCSync, but it also breaks communication with other domain controllers, so be careful with this!
More info and original research here
Exploit steps
- Read the blog/whitepaper above so you know what you're doing
- Run cve-2020-1472-exploit.py with IP and netbios name of DC
- DCSync with secretsdump, using -just-dc and -no-pass or empty hashes and the DCHOSTNAME$ account
Restore steps
If you make sure that this line in secretsdump passes (so make it if True: for example) secretsdump will also dump the plaintext (hex encoded) machine account password from the registry. You can do this by running it against the same DC and using a DA account.
Alternatively you can dump this same password by first extracting the registry hives and then running secretsdump offline (it will then always print the plaintext key because it can't calculate the Kerberos hashes, this saves you modifying the library).
With this password you can run restorepassword.py with the -hexpass parameter. This will first authenticate with the empty password to the same DC and then set the password back to the original one. Make sure you supply the netbios name and IP again as target, so for example:
python restorepassword.py testsegment/s2016dc@s2016dc -target-ip 192.168.222.113 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3...etc
